>> Ok. I'm getting there... I'm drawing on a piece of paper and combining
>> your emails onto it.. but it still seems you have a SNAT problem..
>>
>> 204.181.247.x/24 ----> 172.16.0.18:8001 ---> DNAT to 204.181.247.34:80
>>
>> When you DNAT the above, the source still says 203.181.247.x/24 on it so
>> the DNAT machine which is 204.181.247.34:80 responds directly back to the
>> source and bypasses the NAT server, which then the client (source) is
>> waiting on 172.16.0.18:8001 to respond but only gets packets from
>> 204.181.247.34:80 so it drops it..
>>
>> Also, if you can use it.. try using the NETMAP patch.. it'll save you a
>> hell of a lot of rules ;)
>>
>> *looks at original email rule list*
>>
>> Looks like you have a split DMZ zone, some ports/ips go into 1 network,
>> some others go to the other network.. he he man this is confusing . ha ha
>>
>> I think you really need a SNAT rule like this..
>>
>> iptables -A POSTROUTING -t nat -s 203.181.247.0/24 -d 172.16.0.18:8001 -j
>> SNAT --to <NATSERVERIP>

iptables -t nat -A POSTROUTING -s 204.181.247.0/24 -p tcp --dport 8001 -d 172.16.0.18 -j SNAT --to-source

AND

iptables -t nat -A POSTROUTING -s 204.181.247.0/24:8001 -p tcp --dport -d 172.16.0.18 -j SNAT --to-source

AND

iptables -t nat -A POSTROUTING -s 204.181.247.0/24 -d 172.16.0.18:8001 -j SNAT --to-source

returns....

iptables-restore v1.2.5: Unknown arg `--dport'
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

Are you sure that you can specify destination and source ports on the SNAT?

Thanks

>
> so essentially i'd be sending the packet back out to the internet?
> there's no way to just keep it on the lan and in the forward chain?
>
> that's a real drag.
> I'm running RH 2.1 ES and i have downloaded their kernel source, did a
> make menuconfig (without changing one single thing) i exit out..save the
> new image. make dep works...but make modules ALWAYS bombs... so until i
> can get some time..of which i have none because of this, i doubt i can
> get that patch to work.
>
> Thanks again,
>
> Aaron
>
> P.S. if i misinterpreted your comments on the SNAT, please let me know.

>>
>> this way the 204.181.247.34:80 server will respond back via <NATSERVERIP>
>> which eventually renats to 203.181.247.x/24
>>
>> Thanks,
>> ____________________________________________
>> George Vieira
>> Systems Manager
>> georgev@xxxxxxxxxxxxxxxxxxxxxx
>>
>> Citadel Computer Systems Pty Ltd
>> http://www.citadelcomputer.com.au
>>
>> Phone : +61 2 9955 2644
>> HelpDesk: +61 2 9955 2698
>>
>>
>>> -----Original Message-----
>>> From: ml@xxxxxxxxxxxxxx [mailto:ml@xxxxxxxxxxxxxx]
>>> Sent: Friday, 31 October 2003 3:28 PM
>>> To: George Vieira
>>> Cc: ml@xxxxxxxxxxxxxx
>>> Subject: RE: PLEASE HELP with DNAT problem
>>>
>>> > AARGH!! ASCII ART.. ;P he he... I have 15 networks in my head and I
>>> > need a 1GB memory upgrade in my brain to fit more.. just 1 GB will do ;P
>>> >
>>> > I don't understand this part :
>>>
>>> I tried the ascii art, i really did..but UGHHHH..
>>>
>>> let me try to explain it more clearly, and also, the "it hits another
>>> one" was just my interpretation...it surely could be wrong.
>>>
>>> as i say the traffic from the internet is getting DNATed perfectly, so
>>> i'll concentrate on what's NOT working.
>>>
>>> my "protected" lan has the 204.181.247.0/24 addresses, this is eth1...my
>>> DMZ has (actual) 10.1.1.16/28 addresses and that is on eth0.....now since
>>> i have 16 public addresses from my ISP, the 172.16.0.16/28 addresses from
>>> the original post...I have to get the traffic from the internet there and
>>> also the traffic from my lan there for servers.
>>>
>>> I have rules DNATing one to one the 172.16.0.16/28 address to the
>>> 10.1.1.16/28 addresses for incoming connections from serial0 and eth1.
>>> i.e.
>>>
>>> iptables -t nat -A PREROUTING -i serial0 -d 172.16.0.17 -j DNAT
>>> --to-destination 10.1.1.17
>>> and
>>> iptables -t nat -A PREROUTING -i eth1 -d 172.16.0.17 -j DNAT
>>> --to-destination 10.1.1.17
>>>
>>> both of which seem to work just fine.
>>>
>>> now....before i put these rules however, i put more "specific" rules with
>>> port assignments.
>>>
>>> i.e.
>>> iptables -t nat -A PREROUTING -i serial0 -d 172.16.0.17 -p tcp --dport
>>> 8021 -j DNAT --to-destination 204.181.247.80:80
>>> and
>>> iptables -t nat -A PREROUTING -i eth1 -d 172.16.0.17 -p tcp --dport 8021
>>> -j DNAT --to-destination 204.181.247.80:80
>>>
>>> The first one works fine, but the second one which should essentially tell
>>> the packet to just go right back onto its local network to find the
>>> destination, actually ends up connecting to the 172.16.0.17
>>> address...which then the routing is messed up and i never see it again.
>>>
>>> i try this:
>>> telnet 172.16.0.18:8001
>>>
>>> here is a tcpdump
>>> tcpdump -n -i any host 204.181.247.21 and port 8001 -v -w telnet-in
>>> tcpdump -r telnet-in
>>>
>>> 22:10:22.073457 204.181.247.21.1602 > 204.181.247.80.http: S
>>> 1454746041:1454746041(0) win 5840 <mss 1460,sackOK,timestamp 4064028
>>> 0,nop,wscale 0> (DF) [tos 0x10]
>>> 22:10:25.069786 204.181.247.21.1602 > 204.181.247.80.http: S
>>> 1454746041:1454746041(0) win 5840 <mss 1460,sackOK,timestamp 4064328
>>> 0,nop,wscale 0> (DF) [tos 0x10]
>>> 22:10:31.069457 204.181.247.21.1602 > 204.181.247.80.http: S
>>> 1454746041:1454746041(0) win 5840 <mss 1460,sackOK,timestamp 4064928
>>> 0,nop,wscale 0> (DF) [tos 0x10]
>>> 22:10:43.068733 204.181.247.21.1602 > 204.181.247.80.http: S
>>> 1454746041:1454746041(0) win 5840 <mss 1460,sackOK,timestamp 4066128
>>> 0,nop,wscale 0> (DF) [tos 0x10]
>>>
>>>
>>> Thanks,
>>>
>>> Aaron
>>>
>>> >
>>> >> after the first DNAT
>>> >> rule that DNATS it back to the lan, it hits "another one" one
>>> >> that the DNATs it to the DMZ,
>>> >
>>> > Once you DNAT, it won't pass any more DNAT rules and exits the chain??
>>> > Or did I misunderstand it AGAIN.. *reads original mail again* ;)
>>> >
>>> > Thanks,
>>> > ____________________________________________
>>> > George Vieira
>>> >
>>> >
>>> >> -----Original Message-----
>>> >> From: ml@xxxxxxxxxxxxxx [mailto:ml@xxxxxxxxxxxxxx]
>>> >> Sent: Friday, 31 October 2003 2:03 PM
>>> >> To: George Vieira
>>> >> Cc: ml@xxxxxxxxxxxxxx; netfilter@xxxxxxxxxxxxxxxxxxx
>>> >> Subject: RE: PLEASE HELP with DNAT problem
>>> >>
>>> >> >> I tried to DNAT the lan back to itself and
>>> >> >> it just isn't working..
>>> >> >
>>> >> > If I think I know what you're trying to do, you are doing a LAN to
>>> >> > LAN connection right?
>>> >> >
>>> >> > Don't forget that a LAN to LAN DNAT also must have a POSTROUTING
>>> >> > SNAT rule so the destination server replies back via the
>>> >> > firewall/NAT server. otherwise it'll reply directly to the client
>>> >> > and the client will drop the packet immediately.
>>> >>
>>> >> Ok..i guess this is what i'm missing. I'm not sure where i should be
>>> >> source natting to however.
>>> >>
>>> >> the packet starts at lan....destined for internet...now..it supposedly
>>> >> should get DNATED back to lan..... now like i say..after the first DNAT
>>> >> rule that DNATS it back to the lan, it hits another one one that the
>>> >> DNATs it to the DMZ, but this one doesn't have the port specific
>>> >> information, as normally i'd want it ending up in the DMZ.
>>> >>
>>> >> i just don't see how a SNAT fits in here. but then that's why i'm
>>> >> asking for help.
>>> >>
>>> >> Thanks again
>>> >> Aaron P. Martinez
>>> >> >
>>> >> > Have you done any tcpdumping or -j LOGing??
>>> >> >
>>> >> > Thanks,
>>> >> > George Vieira
>>> >> >
>>> >> >
>>> >> >> -----Original Message-----
>>> >> >> From: ml@xxxxxxxxxxxxxx [mailto:ml@xxxxxxxxxxxxxx]
>>> >> >> Sent: Friday, 31 October 2003 1:18 PM
>>> >> >> To: netfilter@xxxxxxxxxxxxxxxxxxx
>>> >> >> Subject: PLEASE HELP with DNAT problem
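Added example, not from the thread or either poster: the DNAT plus POSTROUTING SNAT pair George describes, written out for the thread's own LAN-to-LAN case (a client on the 204.181.247.0/24 LAN reaching public 172.16.0.17:8021, which really is 204.181.247.80:80 on the same LAN), and a checker for the malformed "address:port" and bare "--dport" forms that iptables-restore rejected. The firewall's eth1 address 204.181.247.1 is an assumption; the rules are printed for review, not applied.

```shell
#!/bin/sh
# Hairpin (LAN-to-LAN) DNAT + SNAT for the scenario in the thread.
# Values below come from the thread except FW_LAN_IP, which is assumed.
LAN_IF=eth1
LAN_NET=204.181.247.0/24
PUB_IP=172.16.0.17
PUB_PORT=8021
SRV_IP=204.181.247.80
SRV_PORT=80
FW_LAN_IP=204.181.247.1   # ASSUMED: the firewall's own address on eth1

# Emit the DNAT rule and the SNAT rule that must accompany it.
# Ports belong in '-p tcp --dport', never glued onto -s/-d; iptables only
# accepts an 'addr:port' form in --to-destination / --to-source.
hairpin_rules() {
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$LAN_IF" "$LAN_NET" "$PUB_IP" "$PUB_PORT" "$SRV_IP" "$SRV_PORT"
    # By POSTROUTING the destination is already rewritten, so match the real
    # server. SNAT to the firewall's LAN address makes the server answer the
    # firewall; without it the client sees a SYN/ACK from SRV_IP:80, a host
    # it never sent a SYN to, and drops it (the tcpdump above shows the
    # retransmitted SYNs that result).
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -d %s -p tcp --dport %s -j SNAT --to-source %s\n' \
        "$LAN_IF" "$LAN_NET" "$SRV_IP" "$SRV_PORT" "$FW_LAN_IP"
}

# Return 1 for the forms the thread shows failing: '-s/-d host:port', or
# '--dport' with no port number or without a preceding '-p tcp'/'-p udp'.
check_rule() {
    set -- $1
    proto=""
    while [ $# -gt 0 ]; do
        case $1 in
            -s|-d) case $2 in *:*) return 1 ;; esac ;;
            -p) proto=$2 ;;
            --dport|--sport)
                [ "$proto" = tcp ] || [ "$proto" = udp ] || return 1
                case $2 in ''|-*) return 1 ;; esac ;;
        esac
        shift
    done
    return 0
}

hairpin_rules | while read -r rule; do
    if check_rule "$rule"; then echo "OK:  $rule"; else echo "BAD: $rule"; fi
done
```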