iptables...help

Post by Neo Ita » Sun, 24 Nov 2002 02:24:49



I need to redirect a call arriving on eth0 to an address on the private
LAN, from eth0:1250 to 192.168.25.10:21.
I've used the following script, but it doesn't work (I've removed the rows
that are not relevant to this problem, to make it quicker to read).
Help me please... I absolutely have to solve this problem...
Thanks a lot, all

iptables -A INPUT -i eth0 -p TCP -s 0/0 --dport 21 -j ACCEPT
iptables -A INPUT -i eth0 -p TCP -s 0/0 --dport 1250 -j ACCEPT

iptables -A FORWARD -p tcp -i eth0 -o 192.168.25.10 --dport 21 -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 -o 192.168.25.10 --dport 1250 -j ACCEPT

echo 1 > /proc/sys/net/ipv4/ip_forward

echo 1 > /proc/sys/net/ipv4/conf/eth0/forwarding

echo redirecting.............
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 1250 -j DNAT --to 192.168.25.10:21

********************************
Remove NOSPAM to reply


iptables...help

Post by Joerg Morbitze » Sun, 24 Nov 2002 03:59:24



> I need to redirect a call arriving on eth0 to an address on the private
> LAN, from eth0:1250 to 192.168.25.10:21.
> I've used the following script, but it doesn't work (I've removed the rows
> that are not relevant to this problem, to make it quicker to read).
> Help me please... I absolutely have to solve this problem...
> Thanks a lot, all

> iptables -A INPUT -i eth0 -p TCP -s 0/0 --dport 21 -j ACCEPT
> iptables -A INPUT -i eth0 -p TCP -s 0/0 --dport 1250 -j ACCEPT

> iptables -A FORWARD -p tcp -i eth0 -o 192.168.25.10 --dport 21 -j ACCEPT
> iptables -A FORWARD -p tcp -i eth0 -o 192.168.25.10 --dport 1250 -j ACCEPT

-o 192.168.25.10   ??? The man page of iptables says:

    -o, --out-interface [!] name
           Name of an interface via which a packet is going to be sent (for
           packets entering the FORWARD, OUTPUT  and  POSTROUTING  chains).

So what is expected there is not an IP address but a device name.

Perhaps this is your problem already.

Kind regards, Joerg.


iptables...help

Post by Scott » Sun, 24 Nov 2002 04:04:50



> I need to redirect a call arriving on eth0 to an address on the private
> LAN, from eth0:1250 to 192.168.25.10:21.
> I've used the following script, but it doesn't work (I've removed the rows
> that are not relevant to this problem, to make it quicker to read).
> Help me please... I absolutely have to solve this problem...
> Thanks a lot, all
> iptables -A INPUT -i eth0 -p TCP -s 0/0 --dport 21 -j ACCEPT
> iptables -A INPUT -i eth0 -p TCP -s 0/0 --dport 1250 -j ACCEPT

Remove the above iptables lines... The first line opens up port 21 to your
machine which you don't want.

> iptables -A FORWARD -p tcp -i eth0 -o 192.168.25.10 --dport 21 -j ACCEPT
> iptables -A FORWARD -p tcp -i eth0 -o 192.168.25.10 --dport 1250 -j ACCEPT

OK...I think you are misunderstanding the concept of forwarding
here... Packets come from both directions, not just eth0. The response
packets will come from a different interface (let's say eth1 for this
case).

First a packet comes in to eth0 and gets forwarded to 192.168.25.10 on
eth1, then a response comes from 192.168.25.10 and needs to go out eth0
back to the client... So try these rules instead

iptables -P FORWARD DROP
iptables -A FORWARD -i eth0 -d 192.168.25.10 -p tcp --dport 1250 -j ACCEPT
iptables -A FORWARD -i eth1 -s 192.168.25.10 -p tcp --sport 21 -j ACCEPT

You may want to change them around a bit...

> echo 1 > /proc/sys/net/ipv4/ip_forward
> echo 1 > /proc/sys/net/ipv4/conf/eth0/forwarding

This second line is not needed.

> echo redirecting.............
> iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 1250 -j DNAT --to 192.168.25.10:21

This line looks good.

Scott


iptables...help

Post by Mark Tranchant » Tue, 26 Nov 2002 17:13:13


(question about "linking" port 21 on one interface to port 1250 on another)

> First a packet comes in to eth0 and gets forwarded to 192.168.25.10 on
> eth1, then a response comes from 192.168.25.10 and needs to go out eth0
> back to the client... So try these rules instead

> iptables -P FORWARD DROP
> iptables -A FORWARD -i eth0 -d 192.168.25.10 -p tcp --dport 1250 -j ACCEPT
> iptables -A FORWARD -i eth1 -s 192.168.25.10 -p tcp --sport 21 --j ACCEPT

I'm confused. How do the last two lines know that they are "connected"? If I
also wanted to "convert" port 80 on one interface to port 8080 on the other,
how does iptables understand the two different "conversions"? That is, how
does it know not to pass port 80 requests to port 1250?

--
Mark.


iptables...help

Post by bens » Tue, 26 Nov 2002 20:40:14


[Mon, 25 Nov 2002 08:13:13 +0000] quoth Mark Tranchant:

>> iptables -P FORWARD DROP
>> iptables -A FORWARD -i eth0 -d 192.168.25.10 -p tcp --dport 1250 -j ACCEPT
>> iptables -A FORWARD -i eth1 -s 192.168.25.10 -p tcp --sport 21 --j ACCEPT

> I'm confused. How do the last two lines know that they are "connected"? If I
> also wanted to "convert" port 80 on one interface to port 8080 on the other,
> how does iptables understand the two different "conversions"? That is, how
> does it know not to pass port 80 requests to port 1250?

  These two iptables rules do not do any 'converting'. They simply allow
  packets to pass. We are interested in receiving packets destined for
  port 21 on eth0 of one machine, and redirecting these packets to another
  port on a different host.

  To achieve this, we need iptables to rewrite the destination IP and
  destination port in the packet header (using DNAT in the PREROUTING chain),
  and then route this packet to its new destination host.

  The two lines above simply ensure that these packets are not dropped
  during this procedure. The real work is done by the PREROUTING/DNAT
  line.

  Has that helped any?
  Ben
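The full picture Ben describes (DNAT in PREROUTING doing the rewrite, the FORWARD chain merely letting the rewritten packets through, and Joerg's point that -o takes an interface name) as one complete rule set. This is an added example, not a script from any of the posters. It assumes eth0 faces the clients, eth1 faces the LAN, and the firewall is the LAN's default gateway so that replies from 192.168.25.10 come back through it. One caveat the thread's rules miss: because DNAT happens in PREROUTING, the packet reaching FORWARD already has destination port 21, so the FORWARD rule matches on 21, not on the public port 1250.

```shell
#!/bin/sh
# Added example: DNAT port-forward of public TCP 1250 to 192.168.25.10:21
# with a FORWARD chain that passes only that connection, in both directions.
# Interface names and the IPTABLES variable are assumptions for this example.
WAN_IF=eth0             # assumed: interface facing the clients
LAN_IF=eth1             # assumed: interface facing the private LAN
PUB_PORT=1250           # port clients connect to on the firewall
DST_HOST=192.168.25.10  # internal FTP server from the thread
DST_PORT=21
IPTABLES=${IPTABLES:-iptables}

# Print the rule set, one iptables invocation per line, without applying it.
# DNAT runs in nat/PREROUTING, so by the time the same packet reaches FORWARD
# its destination is already $DST_HOST:$DST_PORT; the FORWARD rule therefore
# matches --dport $DST_PORT (a rule on --dport $PUB_PORT would never match).
# -i and -o take interface names, never IP addresses; hosts are matched
# with -s / -d.
forward_rules() {
    cat <<EOF
$IPTABLES -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $PUB_PORT -j DNAT --to-destination $DST_HOST:$DST_PORT
$IPTABLES -P FORWARD DROP
$IPTABLES -A FORWARD -i $WAN_IF -o $LAN_IF -d $DST_HOST -p tcp --dport $DST_PORT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IF -o $WAN_IF -s $DST_HOST -p tcp --sport $DST_PORT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Number of rules the generator emits, for a quick sanity check.
rule_count() {
    forward_rules | wc -l | tr -d ' '
}

# Load the rules (requires root) and enable IPv4 forwarding; the
# per-interface conf/eth0/forwarding knob from the original script is
# not needed once ip_forward is set.
apply_rules() {
    forward_rules | sh -e
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# With --apply the rules are loaded; otherwise they are only printed,
# which lets you review them before touching a live firewall.
case "${1:-}" in
    --apply) apply_rules ;;
    *)       forward_rules ;;
esac
```

Run it with no arguments to review the generated commands, then with --apply as root. The FORWARD policy of DROP plus the two state-matched rules means nothing else is forwarded between eth0 and eth1, and the reply rule only passes packets belonging to a connection the firewall already knows about. Because FTP opens a separate data connection, forwarding port 21 alone only carries the control channel; the kernel's FTP connection-tracking and NAT helper modules (ip_conntrack_ftp and ip_nat_ftp on 2.4-era kernels, nf_conntrack_ftp and nf_nat_ftp today) are needed for the data transfers to work through the DNAT.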


iptables...help

Post by Mark Tranchant » Tue, 26 Nov 2002 21:20:43



> [Mon, 25 Nov 2002 08:13:13 +0000] quoth Mark Tranchant:

> >> iptables -P FORWARD DROP
> >> iptables -A FORWARD -i eth0 -d 192.168.25.10 -p tcp --dport 1250 -j ACCEPT
> >> iptables -A FORWARD -i eth1 -s 192.168.25.10 -p tcp --sport 21 --j ACCEPT

> > I'm confused. How do the last two lines know that they are "connected"? If I
> > also wanted to "convert" port 80 on one interface to port 8080 on the other,
> > how does iptables understand the two different "conversions"? That is, how
> > does it know not to pass port 80 requests to port 1250?

>   These two iptables rules do not do any 'converting'. They simply allow
>   packets to pass. We are interested in receiving packets destined for
>   port 21 on eth0 of one machine, and redirect these packets to a another
>   port on a different host.

>   To achieve this, we need iptables to rewrite the destination IP and
>   destination port in packet header (using DNAT in the PREROUTING chain),
>   and then use route this packet to its new destination host.

>   The two lines above simply ensure that these packets are not dropped
>   during this procedure. The real work is done by the PREROUTING/DNAT
>   line.

>   Has that helped any?

Yes. Thank you - I thought the lines were doing more than they actually are.

--
Mark.