Port Forwarding / SNAT

Post by Steve » Wed, 16 Apr 2003 22:32:45



Hello,

I have got a Linux machine connected to 2 ADSL routers and our LAN.
Each router has a web front end but no telnet system to configure. I
would like to be able to use port forwarding to connect to
10.1.1.2:8080 to get to one router and similarly with the 2nd.

 iptables -t nat -A PREROUTING -d 10.1.1.2 -p tcp --dport 8080 \
         -j DNAT --to 192.168.1.1:80

Works a treat, I can see the packets getting sent out over the right
interface, however I think the router is sending the packets directly
to the client workstation behind the 10.1.1.2 box which is running
NAT.

So I think I need to run SNAT to fool the router to send the packets
back via the 10.1.1.2 box.

Please could someone help, I know the syntax is something along the
lines of

# iptables -t nat -A POSTROUTING -d xxx.xxx.xxx.xxx -s xxx.xxx.xxx.xxx \
        -p tcp --dport 80 -j SNAT --to 10.1.1.2

but I'm not too sure what to put in the -d, -s and --dport options.

Any suggestions?
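The mechanics behind the question above, as an added example (not the poster's setup or rules): a small Python model of a DNAT rule in PREROUTING, an SNAT rule in POSTROUTING and the conntrack entry that lets the reply be reversed, run once without and once with the SNAT rule. All addresses are assumptions: LAN client 10.1.1.50, the Linux box at 10.1.1.2 on the LAN and 192.168.1.2 on the router's subnet, ADSL router 192.168.1.1. The POSTROUTING rule sees the packet after DNAT, so its -d is the router and its --dport is 80, and it rewrites the source to the box's own address on the router's subnet so the router has a route back through the box; the PREROUTING rule additionally restricts -s to the LAN so that only internal clients reach the router's admin page through the forward.

```python
"""Toy model of what DNAT, SNAT and connection tracking do to a port forward
whose target is a router on a second subnet. Added example, not the poster's
configuration; every address below is an assumption."""
from dataclasses import dataclass

BOX_LAN_IP = "10.1.1.2"            # assumed: Linux box, LAN side
BOX_ROUTER_SIDE_IP = "192.168.1.2" # assumed: Linux box, router side
ROUTER_IP = "192.168.1.1"          # assumed: ADSL router's LAN address


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self):
        """What the receiver sends back: addressed to whatever it saw as the source."""
        return Pkt(self.dst, self.dport, self.src, self.sport)


class NatBox:
    """PREROUTING DNAT rules, POSTROUTING SNAT rules and a conntrack table that
    remembers the translation so a reply can be un-NATed in both directions."""

    def __init__(self, dnat_rules, snat_rules):
        self.dnat_rules = dnat_rules   # (dst, dport) -> (new_dst, new_dport)
        self.snat_rules = snat_rules   # (dst, dport) -> new_src, matched AFTER DNAT
        self.conntrack = {}            # expected reply tuple on the wire -> original packet

    def forward(self, p):
        orig = p
        if (p.dst, p.dport) in self.dnat_rules:           # PREROUTING: -j DNAT
            p = Pkt(p.src, p.sport, *self.dnat_rules[(p.dst, p.dport)])
        if (p.dst, p.dport) in self.snat_rules:           # POSTROUTING: -j SNAT
            p = Pkt(self.snat_rules[(p.dst, p.dport)], p.sport, p.dst, p.dport)
        self.conntrack[p.reply()] = orig
        return p

    def receive_reply(self, r):
        """Reverse both translations; None means no conntrack entry matched."""
        orig = self.conntrack.get(r)
        return orig.reply() if orig else None


def iptables_rules():
    """The two rule lines this model corresponds to (strings only; nothing is executed)."""
    return [
        f"iptables -t nat -A PREROUTING -s 10.1.1.0/24 -d {BOX_LAN_IP} -p tcp --dport 8080 "
        f"-j DNAT --to-destination {ROUTER_IP}:80",
        # -d/--dport match the packet as it looks after DNAT, i.e. the router on port 80
        f"iptables -t nat -A POSTROUTING -d {ROUTER_IP} -p tcp --dport 80 "
        f"-j SNAT --to-source {BOX_ROUTER_SIDE_IP}",
    ]


def simulate(with_snat):
    """Return (packet the router sees, the router's reply, what the client finally gets)."""
    box = NatBox(dnat_rules={(BOX_LAN_IP, 8080): (ROUTER_IP, 80)},
                 snat_rules={(ROUTER_IP, 80): BOX_ROUTER_SIDE_IP} if with_snat else {})
    client_syn = Pkt("10.1.1.50", 40000, BOX_LAN_IP, 8080)
    on_wire = box.forward(client_syn)
    reply = on_wire.reply()
    # The router hands the reply back to the box only if it is addressed to the box's
    # address on the router's own subnet; otherwise it goes towards the client (or the
    # router's default gateway) and never passes through the box's conntrack table.
    delivered = box.receive_reply(reply) if reply.dst == BOX_ROUTER_SIDE_IP else None
    return on_wire, reply, delivered


if __name__ == "__main__":
    for flag in (False, True):
        on_wire, reply, delivered = simulate(with_snat=flag)
        print(f"SNAT={flag}: router sees {on_wire}, replies to {reply.dst}, client gets {delivered}")
    print("\n".join(iptables_rules()))
```

Without the SNAT rule the router's reply is addressed straight to 10.1.1.50, so the DNAT is never undone and the client sees a packet from 192.168.1.1:80 that belongs to no connection it opened; with it, the reply lands on the box, conntrack matches it and both rewrites are reversed. The real kernel does the reverse mapping from its state table without any extra rules, which is what the model's `conntrack` dictionary stands in for.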


1. iptables, SNAT/DNAT, port forwarding problems.

I'm having big problems getting port forwarding to work with my 2.4.0/iptables setup. I have outbound (SNAT) masquerading working just fine:

EXTERNAL_IP=xxx.xxx.xxx.xxx  # external ip
LOCAL_NET=192.168.2.0/24     # internal ip
EXTERNAL_IF=eth1
LOCAL_IF=eth0

iptables -t nat -F
iptables -t nat -A POSTROUTING -o ${EXTERNAL_IF} -s ${LOCAL_NET} -j SNAT --to ${EXTERNAL_IP}

I have the following lines to log and forward all www traffic to my internal web server on 192.168.2.1:

iptables -t nat -A PREROUTING -i ${EXTERNAL_IF} -p tcp -d ${EXTERNAL_IP} --dport 80 -j LOG --log-prefix 'www-fwd:'
iptables -t nat -A PREROUTING -i ${EXTERNAL_IF} -p tcp -d ${EXTERNAL_IP} --dport 80 -j DNAT --to 192.168.2.1:80
iptables -A FORWARD -i ${EXTERNAL_IF} -p tcp --dport 80 -d 192.168.2.1 -o ${LOCAL_IF} -j LOG --log-prefix 'forwarding:'   # LOCAL_IF is the variable set above (the post had ${INTERNAL_IF}, which is never defined)

When I try to access the web server (at $EXTERNAL_IP) from the internet, I get the following four (sanitized) log entries:

Mar 18 18:07:50 <xxx> kernel: www-fwd:IN=eth1 OUT= MAC=<xxx> SRC=<xxx> DST=<${EXTERNAL_IF}> LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=728 DF PROTO=TCP SPT=1093 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 18 18:07:50 <xxx> kernel: forwarding:IN=eth1 OUT=eth0 SRC=<xxx> DST=192.168.2.1 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=728 DF PROTO=TCP SPT=1093 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 18 18:07:53 <xxx> kernel: forwarding:IN=eth1 OUT=eth0 SRC=<xxx> DST=192.168.2.1 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=730 DF PROTO=TCP SPT=1093 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 18 18:07:59 <xxx> kernel: forwarding:IN=eth1 OUT=eth0 SRC=<xxx> DST=192.168.2.1 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=731 DF PROTO=TCP SPT=1093 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0

Clearly, the first entry is the DNAT rule firing, and the other three seem to be failed attempts to send the packet on to my web server. My web server logs no page requests, and I've even tried a rule in the web server's INPUT chain to log all www traffic:

iptables -A INPUT -p tcp --dport 80 -j LOG --log-prefix 'www:'

Nothing gets logged on the web server. It seems that packets are correctly leaving the firewall, but not arriving at the web server. But short of getting a line analyzer on the wire, I can't prove this.

Just to prove to myself that iptables on my web server wasn't somehow dropping the forwarded packets without telling me, I set up Apache on a Win2000 machine I have on my local net, and tried forwarding port 80 to that machine, and I still got no responses.

Does anyone have any idea what's going on here? What am I missing?

(iptables 1.1.1-2 on both the firewall and the web server).

Thanks and regards,
WMB
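Added example, not from the thread: a parser for netfilter LOG lines of the kind shown in the post. It pairs the PREROUTING entry and the FORWARD entry of the same packet (same SRC, SPT and IP ID) to confirm what the DNAT rewrote and that the TTL dropped by one, i.e. the packet really was routed on, and it flags flows whose bare SYN is logged repeatedly with growing gaps (3 s, then 6 s), which is a client retransmitting because no SYN-ACK ever came back. The sample lines are the four sanitized entries above with the `<xxx>` placeholders replaced by constructed documentation-range addresses so that every field parses; the `www-fwd` and `forwarding` prefixes come from the post's rules.

```python
"""Parse netfilter LOG lines, link the PREROUTING and FORWARD logs of one packet,
and flag SYNs that are forwarded but never answered. Added example; the sample
lines are the post's sanitized entries with constructed addresses substituted."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: 203.0.113.9 = remote client, 198.51.100.7 = firewall's external IP.
SAMPLE_LOG = """\
Mar 18 18:07:50 fw kernel: www-fwd:IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=728 DF PROTO=TCP SPT=1093 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 18 18:07:50 fw kernel: forwarding:IN=eth1 OUT=eth0 SRC=203.0.113.9 DST=192.168.2.1 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=728 DF PROTO=TCP SPT=1093 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 18 18:07:53 fw kernel: forwarding:IN=eth1 OUT=eth0 SRC=203.0.113.9 DST=192.168.2.1 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=730 DF PROTO=TCP SPT=1093 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 18 18:07:59 fw kernel: forwarding:IN=eth1 OUT=eth0 SRC=203.0.113.9 DST=192.168.2.1 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=731 DF PROTO=TCP SPT=1093 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
"""

# "<Mon> <day> <time> <host> kernel: <log-prefix>IN=..."; the prefix is whatever
# --log-prefix set ('www-fwd:' / 'forwarding:'), so split at the first ':IN='.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: (?P<prefix>.*?):(?P<kv>IN=.*)$"
)
INT_FIELDS = {"LEN", "TTL", "ID", "SPT", "DPT", "WINDOW", "URGP"}


def parse_line(line):
    """Return {'ts', 'prefix', 'fields', 'flags'} for a LOG line, None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("kv").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = int(v) if k in INT_FIELDS else v   # 'OUT=' gives '' (no egress yet)
        else:
            flags.add(tok)                                 # bare tokens: DF, SYN, ACK, ...
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year-less syslog stamp
    return {"ts": ts, "prefix": m.group("prefix"), "fields": fields, "flags": flags}


def parse_log(text):
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def unanswered_syns(records, min_repeats=3):
    """Group bare SYNs (SYN set, ACK clear) per prefix and flow. A flow logged
    min_repeats or more times with growing gaps is a client retransmitting its
    SYN: the forwarded packet left, but no SYN-ACK ever came back through here."""
    flows = defaultdict(list)
    for r in records:
        f = r["fields"]
        if f.get("PROTO") == "TCP" and "SYN" in r["flags"] and "ACK" not in r["flags"]:
            flows[(r["prefix"], f["SRC"], f["SPT"], f["DST"], f["DPT"])].append(r)
    found = []
    for key, rs in flows.items():
        if len(rs) < min_repeats:
            continue
        rs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(rs, rs[1:])]
        found.append({"flow": key, "count": len(rs), "gaps": gaps,
                      "ids": [r["fields"]["ID"] for r in rs]})
    return found


def trace_dnat(records):
    """Pair the PREROUTING log and the FORWARD log of the same packet (same SRC, SPT
    and IP ID) to show what DNAT rewrote and that the TTL was decremented, which
    proves the packet was routed on rather than dropped on the firewall."""
    by_pkt = defaultdict(dict)
    for r in records:
        f = r["fields"]
        by_pkt[(f["SRC"], f.get("SPT"), f["ID"])][r["prefix"]] = r
    pairs = []
    for pkt, seen in by_pkt.items():
        if len(seen) != 2:
            continue
        pre, post = sorted(seen.values(), key=lambda r: r["fields"]["TTL"], reverse=True)
        pairs.append({"pkt": pkt,
                      "dst_before": pre["fields"]["DST"], "dst_after": post["fields"]["DST"],
                      "ttl_delta": pre["fields"]["TTL"] - post["fields"]["TTL"],
                      "out_if": post["fields"]["OUT"]})
    return pairs


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for p in trace_dnat(recs):
        print("DNAT:", p)
    for u in unanswered_syns(recs):
        print("unanswered SYN:", u)
```

On the post's four lines this reports one DNAT pair (DST rewritten from the external address to 192.168.2.1, TTL 126 to 125, out on eth0) and one unanswered flow with IDs 728, 730, 731 and gaps of 3 and 6 seconds. That combination narrows the fault to the return path or the host itself: the firewall is forwarding, so the next things to check are whether the server's default route points back at the firewall and whether anything on the server side sees the packets at all.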
