
Re: Can't DNAT with iptables



Dan Fleischer wrote:
> I've setup a test environment to develop an iptables script.  I can do
> SNAT fine ("Last login from ..." tells me that SNAT is working fine),
> but I can't do DNAT (translate external IP 100.1.1.106 to internal IP
> 192.168.1.106, port 22).

[...snip...]

> < set INPUT, OUTPUT, FORWARD policies to DROP >
> 
> $IPTABLES -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> $IPTABLES -A INPUT   -m state --state INVALID -j DROP
> $IPTABLES -A OUTPUT  -m state --state INVALID -j DROP
> $IPTABLES -A FORWARD -m state --state INVALID -j DROP
> 
> # Destination NAT
> $IPTABLES -t nat -A PREROUTING -i eth1 -d 100.1.1.106 -p tcp --dport 22 \
>                  -j DNAT --to 192.168.1.106:22

If INPUT and FORWARD are both set to default DROP, then they're probably 
being dropped at the INPUT table before they even get to the FORWARD 
table...  Incoming packets are state NEW, which aren't explicitly dealt 
with, which implies that they'll go to the default target of the table.

You need to either accept NEW state packets, or add a rule to accept 
packets coming in on eth1 destined for 100.1.1.106 with port 22 - both 
on the INPUT table and the FORWARD table, I think.  I'm not sure about 
that, though - does the FORWARD table come before or after the 
PREROUTING table?  If it's after, you'd need to use different 
destination IPs in the FORWARD rule...

Or, pretty much what Steve said. :)

--Danny
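As an added example (not part of the thread), here is the rule pair that makes the DNAT usable when the FORWARD policy is DROP: the nat/PREROUTING DNAT is applied before the routing decision, so the filter/FORWARD rule must match the translated destination 192.168.1.106 rather than 100.1.1.106, and it only needs to admit the NEW packet of the flow since ESTABLISHED,RELATED is already accepted. The interface names eth1 (external) and eth0 (internal) and the function names are assumptions; the addresses and port come from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed: eth1 is the external
# interface, eth0 the internal one; addresses and port are from the thread.
EXT_IF=eth1
INT_IF=eth0
EXT_IP=100.1.1.106
INT_IP=192.168.1.106
PORT=22
# Set IPTABLES=echo to print the commands instead of applying them (dry run).
IPTABLES=${IPTABLES:-iptables}

# Rules needed for inbound DNAT to work with a FORWARD policy of DROP.
# nat/PREROUTING runs before the routing decision, so the filter/FORWARD
# rule must match the translated destination ($INT_IP), not $EXT_IP.
apply_dnat_rules() {
    # Translate external:22 -> internal:22 (same DNAT as in the thread).
    $IPTABLES -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p tcp --dport "$PORT" \
        -j DNAT --to-destination "$INT_IP:$PORT"
    # Admit only the first (NEW) packet of the translated flow, restricted to
    # the external->internal direction; ESTABLISHED,RELATED is accepted earlier
    # in the script, and nothing else is opened.
    $IPTABLES -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$INT_IP" -p tcp --dport "$PORT" \
        -m state --state NEW -j ACCEPT
}

# Sanity check of the rule logic without touching the kernel: run the function
# with echo in a subshell and confirm the FORWARD rule targets the internal
# (post-DNAT) address. Returns 0 when the check passes, 1 otherwise.
check_forward_matches_translated_dst() {
    out=$(IPTABLES=echo; apply_dnat_rules)
    case "$out" in
        *"-A FORWARD "*"-d $INT_IP "*"--state NEW -j ACCEPT"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Only apply to the live firewall when explicitly asked: ./dnat.sh apply
if [ "${1:-}" = apply ]; then
    apply_dnat_rules
fi
```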


-
To unsubscribe, send email to majordomo@luci.org with
"unsubscribe luci-discuss" in the body.