saikit
asked on
iptables port forward
I want to forward all port 80 traffic to an internal server, but can't make it work. My config is as follows:
The iptables server:
eth0 : 2xx.xxx.xxx.37
eth0 : 2xx.xxx.xxx.38 (alias)
eth1 : 192.168.0.1
iptables commands that I have run:
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp -d 2xx.xxx.xxx.38 --dport 80 -j DNAT --to 192.168.0.2
The internal server:
eth0: 192.168.0.2
eth0: 2xx.xxx.xxx.38 (alias)
gateway: 192.168.0.1
Pings from outside (my home) to 2xx.xxx.xxx.37 or 2xx.xxx.xxx.38 (office) are okay.
What's missing/wrong? Please advise. Thanks. :)
You don't _want_ to have the 2xx.xxx.xxx.38 alias on the internal server!
(Read "don't _want_" as "must not"!)
I'd do
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j SNAT --to-source 2xx.xxx.xxx.37
(SNAT is preferred to MASQUERADE when using static IPs as it is faster)
HTH,
-XoF-
Don't know, but it happened to me once; I forgot to add a rule like
iptables -t filter -A FORWARD -i eth0 -o eth1 -p tcp --dport 80 -j ACCEPT
ever tried this setup?
and this MUST work ;)
The iptables server:
eth0 : 2xx.xxx.xxx.37
eth0 : 2xx.xxx.xxx.38 (alias)
eth1 : 192.168.0.1
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.0.2 -p tcp --sport 80 -o eth0 -j SNAT --to 2xx.xxx.xxx.38
iptables -t nat -A PREROUTING -p tcp -d 2xx.xxx.xxx.38 --dport 80 -j DNAT --to 192.168.0.2
The internal server:
eth0: 192.168.0.2
gateway: 192.168.0.1
I bet this works ;)
have phun
@XoF:
Hmm, I think your example would never work...
your example above:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2
- this line means every (!!) packet that comes in on eth0 and is addressed to port 80 gets redirected to 192.168.0.2
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j SNAT --to-source 2xx.xxx.xxx.37
- and this line just forwards the packets of the internal net 192.168. into the inet, just with a changed source IP address...
- every answer that comes back is addressed by the remote host to 2xx.xxx.xxx.37, which doesn't know about any connection it has tried to make...
- these packets are not even redirected to another host, so they will surely be discarded
- therefore you need MASQUERADE... NAT for all the PCs behind will only work with MORE IP addresses
so if a computer behind the firewall tries to set up a connection, the packet arrives at the remote host..
the remote host sends back this packet.. that packet is discarded at the firewall
why did you remove the masquerading line?
SNAT is not masquerading, but masquerading is a special SNAT ;)
of course I swapped the first two lines, sorry - I'm used to doing a '-I' instead of '-A' so I messed it up
this is correct:
iptables -t nat -A POSTROUTING -s 192.168.0.2 -p tcp --sport 80 -o eth0 -j SNAT --to 2xx.xxx.xxx.38
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp -d 2xx.xxx.xxx.38 --dport 80 -j DNAT --to 192.168.0.2
g3gg0:
What does your rule do then, except redirecting every packet regardless of interface (which is the same)??
iptables -t nat -A PREROUTING -p tcp -d 2xx.xxx.xxx.38 --dport 80 -j DNAT --to 192.168.0.2
As for the 2.4.20 kernel, SNAT keeps track of packets (AFAIK they don't intend to change that), so it's almost the same as MASQUERADE, though SNAT is preferred (at least by the iptables documentation) when static IPs are used. That's because MASQUERADE drops all tracking info when IPs are changed, but SNAT doesn't, which means if your link goes down and then comes up there is a (theoretical) possibility that some connections can be continued.
saikit:
- are you still out there?
- the problem with your rules is the following:
a client sends a request to .38, which will be forwarded to 192.168.0.2. That server sends a response which has - due to the masquerading - a source address of .37 at the client side. So you won't establish any connections.....
that's why you need the separate SNAT rule......
g3gg0:
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2
> - this line means every (!!) packet that comes in on eth0 and is addressed to port 80 gets redirected to 192.168.0.2
Hmm, didn't you actually propose the same rule for DNAT?
IMHO this rule is absolutely correct!
According to the SNAT/MASQUERADE question:
As already mentioned by problems_maker, netfilter is _stateful_ and so keeps track of existing connections.
As can be read in "man iptables":
MASQUERADE
This target is only valid in the nat table, in the POSTROUTING chain. It should only be used with dynamically assigned IP (dialup) connections: if you have a static IP address, you should use the SNAT target. Masquerading is equivalent to specifying a mapping to the IP address of the interface the packet is going out, but also has the effect that connections are forgotten when the interface goes down. This is the correct behavior when the next dialup is unlikely to have the same interface address (and hence any established connections are lost anyway). It takes one option:
HAND,
-XoF-
ASKER
XoF, I followed and succeeded!!
Many thanks!
go to this site
www.linuxjalali.com
register on the forum; there the admin replies to you directly within minutes.
www.linuxjalali.com/forum
Great Linux-related tools are also on this website as free downloads.
use ifconfig to make a virtual interface, like so...
ifconfig eth0:0 2xx.xxx.xxx.38 netmask 255.255.255.0
otherwise only the DNS (or /etc/hosts) knows where to direct traffic bound for 2xx.xxx.xxx.38
then make your rules:
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0:0 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp -d 2xx.xxx.xxx.38 --dport 80 -j DNAT --to 192.168.0.2