[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Can't DNAT with iptables

To: luci-discuss@luci.org, silug-discuss@silug.org
Subject: Can't DNAT with iptables
From: Dan Fleischer <dan.fleischer@bank-and-trust.com>
Date: 03 Mar 2003 16:04:40 -0600
Organization: Linux Users of Central Illinois
Reply-To: luci-discuss@luci.org
Sender: luci-discuss-owner@luci.org

I've setup a test environment to develop an iptables script.  I can do
SNAT fine ("Last login from ..." tells me that SNAT is working fine),
but I can't do DNAT (translate external IP 100.1.1.106 to internal IP
192.168.1.106, port 22).  I have a router and a firewall on each side,
all with RH7.3, and can successfully ssh into each firewall from a
client machine behind the firewall on the other side of the router, so I
know my routing is working.  When I try to ssh into 100.1.1.106 from the
client behind the 100.2.2.2 firewall I get a 'no route to host'
message.  

Here are some pertinent lines, in order, from my script:
/sbin/modprobe ip_tables
/sbin/modprobe iptable_nat

IPTABLES=/sbin/iptables
$IPTABLES --flush
$IPTABLES --flush -t nat
$IPTABLES --delete-chain
$IPTABLES --delete-chain -t nat

< set INPUT, OUTPUT, FORWARD policies to DROP >

$IPTABLES -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A INPUT   -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT  -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -m state --state INVALID -j DROP

# Destination NAT
$IPTABLES -t nat -A PREROUTING -i eth1 -d 100.1.1.106 -p tcp --dport 22
\
                 -j DNAT --to 192.168.1.106:22

-> Here's a listing of the nat rules when this rule is in place:

# /sbin/iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             100.1.1.106        tcp dpt:ssh
to:192.168.1.106:22

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  192.168.1.0/24       anywhere           to:100.1.1.2

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Any ideas?
-- 
Dan Fleischer
Systems Administrator
Bank & Trust Co.
401 N. Madison St.
Litchfield, IL 62056

Ph. 217-324-3935
http://www.bank-and-trust.com


-
To unsubscribe, send email to majordomo@luci.org with
"unsubscribe luci-discuss" in the body.

Follow-Ups:
- Re: Can't DNAT with iptables
  - From: Danny Sauer <cloudmaster@cloudmaster.com>
- Re: Can't DNAT with iptables
  - From: Steven Pritchard <steve@silug.org>

Prev by Date: URGENT: sendmail update
Next by Date: Re: Can't DNAT with iptables
Prev by thread: Cyrix processors for sale?
Next by thread: Re: Can't DNAT with iptables
Index(es):
- Date
- Thread