On November 4, 2003 12:15 am, Martín wrote:
> Ok, I think I got it... but it does not work. I see the traffic being
> redirected, but the connection gets lost. I got this in the sniffer:
>
> 02:02:51.640513 192.168.2.1 > 192.168.2.5: icmp: 192.168.2.1 udp port 10000
> unreachable [tos 0x40]
>
> Any idea?

Ummm, what exists between the Linux NAT box and the internet itself? Do you have another router in there?

What is meant by: ( eth0 192.168.1.10 > adsl ppp0 IP dynamic )

Typically ADSL routers directly connected to ppp daemons should NOT have an IP on the ethernet interface unless you need to manage the router. However, I digress.

Can you see the packet (after DNATting) on the way out ppp0?

What, if any, other rules have you in the FORWARD chain?

*thunks head on table*

You will need to FORWARD the packets through the box as well as DNATting the packets.

iptables -I FORWARD -p udp -s 192.168.2.5 -d 200.24.24.200 --dport 10000 -j ACCEPT

And again, depending on the presence of ESTABLISHED,RELATED rules, you may need to return them through the FORWARD chain.

Sometimes assumption of anything will get us in trouble.

> On Tue, 4 Nov 2003 11:20:42 +0800, Edmund Turner <eturner@xxxxxxxxxxxxx> wrote:
>> Martin, Alistair's explanation and solution are correct.
>> In short, 192.168.2.5 will only see traffic to and fro 192.168.2.1
>> @port 10000. Put a packet analyser or a sniffer on 192.168.2.5 to
>> confirm.
>> In iptables, if you do a PREROUTING as such:
>>
>> #This will redirect all packets to 192.168.2.1 dport 10000 to
>> 200.24.24.200:10000
>>
>> iptables -t nat -I PREROUTING -i eth1 -d 192.168.2.1 -p udp --dport
>> 10000 -j DNAT --to 200.45.45.200:10000
>>
>> You don't have to worry about the packets coming back in from
>> 200.24.24.200. They will be tracked and sent back to 192.168.2.5 with
>> source IP of 192.168.2.1. I'm not sure which module is responsible for
>> this, but I think it's done by the ip_conntrack module. Maybe someone can
>> enlighten us on this?
>>
>> Regards
>> edmund
>>
>> -----Original Message-----
>> From: netfilter-admin@xxxxxxxxxxxxxxxxxxx
>> [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Martín
>> Sent: Tuesday, November 04, 2003 10:37 AM
>> To: alistair@xxxxxxxxxx
>> Cc: netfilter@xxxxxxxxxxxxxxxxxxx
>> Subject: Re: redirection trouble
>>
>> On Mon, 3 Nov 2003 21:21:09 -0500, Alistair Tonner <Alistair@xxxxxxxxxx> wrote:
>>> On November 3, 2003 08:53 pm, Martín wrote:
>>>> This is the situation:
>>>>
>>>> Internal LAN machine (192.168.2.5)
>>>>
>>>> (eth1 192.168.2.1) NAT LINUX ( eth0 192.168.1.10 > adsl ppp0 IP dynamic )
>>>>
>>>> Server 200.45.45.200 (service at port 10000)
>>>>
>>>> This is what I intend to do:
>>>> For particular reasons, I need software at 192.168.2.5 to communicate
>>>> with a server with a service at port 10000 (UDP), but this can't be done
>>>> through normal NAT. So I want to establish a link between both (server and
>>>> 192.168.2.5) manually using the NAT LINUX.
>>>> So, 192.168.2.5 communicates to 192.168.2.1 port 10000, the NAT LINUX
>>>> redirects this traffic to the server 200.45.45.200 port 10000. The server
>>>> will respond to the NAT LINUX, which will redirect this traffic to
>>>> 192.168.2.5 (port 10000 also).
>>>> I try to do all this in this way:
>>>>
>>>> iptables -t nat -I PREROUTING 1 -i eth1 -d 192.168.2.1 -p udp --dport 10000
>>>> -j DNAT --to 200.45.45.200
>>>>
>>>> iptables -t nat -I POSTROUTING 1 -o eth0 -p udp --dport 10000 -j SNAT --

Alistair Tonner
nerdnet.ca
Senior Systems Analyst - RSS
Any sufficiently advanced technology will have the appearance of magic.
Let's get magical!
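The rule set the thread converges on (DNAT in PREROUTING, a matching FORWARD accept, an ESTABLISHED,RELATED return path, and source NAT on the outbound link), collected into one script as an added example; this is not code from any of the posters. It assumes the addresses in Martín's diagram, that ppp0 is the outbound interface, and substitutes MASQUERADE for the truncated SNAT rule because the ppp0 address is dynamic; IPT defaults to echo so the rules can be reviewed before being applied.

```shell
#!/bin/sh
# Added example, not from the thread. Addresses follow Martín's diagram; the
# outbound interface is assumed to be ppp0 (the dynamic ADSL link), so MASQUERADE
# stands in for the truncated SNAT rule. IPT defaults to echo (dry run): set
# IPT=iptables on the NAT box itself to apply the rules.
IPT="${IPT:-echo}"
LAN_IF=eth1   LAN_GW=192.168.2.1   CLIENT=192.168.2.5
WAN_IF=ppp0   SERVER=200.45.45.200 PORT=10000

udp_relay_rules() {
    # 1. nat/PREROUTING: client -> gateway:10000 is rewritten to server:10000
    $IPT -t nat -I PREROUTING 1 -i "$LAN_IF" -s "$CLIENT" -d "$LAN_GW" \
         -p udp --dport "$PORT" -j DNAT --to-destination "$SERVER:$PORT"
    # 2. filter/FORWARD: the DNATed packet still has to be allowed through the box
    $IPT -I FORWARD 1 -i "$LAN_IF" -o "$WAN_IF" -p udp -s "$CLIENT" \
         -d "$SERVER" --dport "$PORT" -j ACCEPT
    # 3. filter/FORWARD: replies come back as ESTABLISHED (conntrack un-NATs them)
    $IPT -I FORWARD 2 -i "$WAN_IF" -o "$LAN_IF" \
         -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 4. nat/POSTROUTING: hide the client behind the current ppp0 address
    $IPT -t nat -I POSTROUTING 1 -o "$WAN_IF" -p udp -d "$SERVER" \
         --dport "$PORT" -j MASQUERADE
}

# Sanity check: FORWARD rules do nothing unless IP forwarding is enabled.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

udp_relay_rules
forwarding_enabled || echo "ip_forward is 0: sysctl -w net.ipv4.ip_forward=1"
# Alistair's question "can you see the packet on the way out ppp0?" is answered by:
echo "verify with: tcpdump -ni $WAN_IF udp port $PORT"
```

With IPT=echo the script prints the four rules instead of loading them; the ICMP port-unreachable in Martín's sniffer output is what you see when rule 1 fires but rule 2 is missing.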