-----Original Message-----
From: netfilter-admin@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Antony Stone
Sent: Monday, June 14, 2004 4:51 PM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: DNAT question

On Monday 14 June 2004 3:35 pm, Arnauts, Bert wrote:

> Hello all,
>
> I want to DNAT some machines in another subnet.
> The target machines have IPs like 11.0.0.x/24
>
> My available LAN IPs are 172.239.239.x/27 (255.255.255.224)
>
> These are my rules, which are apparently not working.

How are you trying to test the rules? What tells you they're not working?
Where are you testing from?

I am testing from a machine that can ping the NAT box's IP, and I can access all sorts of other systems' services on that subnet. (my NAT box: 172.25.239.208)

> I created virtual interfaces on eth1, one for each DNAT'ed IP.

Can you ping one of those addresses from a machine directly connected to eth1, and then check the ARP cache (arp -an under Linux) to be sure that the IP / MAC address link is working correctly?

Yes, I can ping these addresses (without my iptables). With my rules it doesn't work anymore.

> What am I missing? Forget about normal tables stuff, I only want this
> machine to do DNAT.

What does "iptables -L -t nat -nvx" show you for the packet / byte counters?

See below.

Does it look like netfilter thinks it's doing any NAT?

Yes ... I guess. See below.

I also ripped something from fwbuilder and adapted it a little bit .. this is my new script.
#!/bin/bash

LSMOD="/sbin/lsmod"
MODPROBE="/sbin/modprobe"
IPTABLES="/sbin/iptables"
LOGGER="/usr/bin/logger"

echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl

# default policies: accept everything
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

# flush and delete every chain in every loaded table
cat /proc/net/ip_tables_names | while read table; do
  $IPTABLES -t $table -L -n | while read c chain rest; do
    if test "X$c" = "XChain" ; then
      $IPTABLES -t $table -F $chain
    fi
  done
  $IPTABLES -t $table -X
done

# load the conntrack and NAT helper modules that are not loaded yet
MODULE_DIR="/lib/modules/`uname -r`/kernel/net/ipv4/netfilter/"
MODULES=`(cd $MODULE_DIR; ls *_conntrack_* *_nat_* | sed 's/\.o.*$//; s/\.ko$//')`
for module in $(echo $MODULES); do
  if $LSMOD | grep ${module} >/dev/null; then continue; fi
  $MODPROBE ${module} || exit 1
done

echo "Activating firewall script generated Thu Jun 10 15:03:22 2004 CEST by root"

# DNAT rules
$IPTABLES -t nat -A PREROUTING -d 172.25.239.220/27 -j DNAT --to-destination 11.0.0.16
$IPTABLES -t nat -A OUTPUT -d 172.25.239.220/27 -j DNAT --to-destination 11.0.0.16

# filter rules
$IPTABLES -A INPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -N RULE_0
$IPTABLES -A OUTPUT -d 11.0.0.16 -m state --state NEW -j RULE_0
$IPTABLES -A FORWARD -d 11.0.0.16 -m state --state NEW -j RULE_0
$IPTABLES -A RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- ACCEPT "
$IPTABLES -A RULE_0 -j ACCEPT

echo 1 > /proc/sys/net/ipv4/ip_forward

thx Antony ! (nice quote)

--
If the human brain were so simple that we could understand it, we'd be so simple that we couldn't.

Please reply to the list; please don't CC me.
---------------------------------------------------------------------------------------------------------------------

[root@linuxrouter root]# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:E0:18:02:7E:9B
          inet addr:11.0.0.3  Bcast:11.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4822 errors:0 dropped:0 overruns:0 frame:0
          TX packets:23 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:286513 (279.7 Kb)  TX bytes:6516 (6.3 Kb)
          Interrupt:5 Base address:0xd800 Memory:fb000000-fb000038

eth1      Link encap:Ethernet  HWaddr 00:D0:B7:E0:1F:2C
          inet addr:172.25.239.208  Bcast:172.25.239.223  Mask:255.255.255.224
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7342 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2091 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:629297 (614.5 Kb)  TX bytes:342349 (334.3 Kb)
          Interrupt:11 Base address:0xd400 Memory:fa000000-fa000038

eth1:1    Link encap:Ethernet  HWaddr 00:D0:B7:E0:1F:2C
          inet addr:172.25.239.220  Bcast:172.25.255.255  Mask:255.255.255.224
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:11 Base address:0xd400 Memory:fa000000-fa000038

[root@linuxrouter root]# ping 11.0.0.16
PING 11.0.0.16 (11.0.0.16) 56(84) bytes of data.
64 bytes from 11.0.0.16: icmp_seq=1 ttl=128 time=0.261 ms

[root@linuxrouter root]# ping 172.25.239.220
PING 172.25.239.220 (172.25.239.220) 56(84) bytes of data.
64 bytes from 172.25.239.220: icmp_seq=1 ttl=128 time=0.264 ms

[root@linuxrouter root]# iptables -L -t nat -nvx
Chain PREROUTING (policy ACCEPT 16 packets, 3256 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      70      11224 DNAT       all  --  *      *       0.0.0.0/0            172.25.239.192/27    to:11.0.0.16

Chain POSTROUTING (policy ACCEPT 19 packets, 6614 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 5 packets, 420 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       5        404 DNAT       all  --  *      *       0.0.0.0/0            172.25.239.192/27    to:11.0.0.16

[root@linuxrouter root]# arp -an
? (172.25.239.201) at 00:30:05:11:F9:EA [ether] on eth1
? (172.25.239.193) at 00:60:47:40:F7:A5 [ether] on eth1
? (11.0.0.16) at 00:E0:18:02:38:60 [ether] on eth0

[BRUBARNA7M] D:\some_crapy\windows_box>ping 172.25.239.220

Pinging 172.25.239.220 with 32 bytes of data:

Request timed out.

Ping statistics for 172.25.239.220:
    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
Control-C
^C

Also ... even a ping to my normal host is not working anymore (which was working without the tables).

[BRUBARNA7M] D:\some_crapy\windows_box>ping 172.25.239.208

Pinging 172.25.239.208 with 32 bytes of data:

Request timed out.

Ping statistics for 172.25.239.208:
    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),

You would think it is my firewall ... but I accept everything ...
:(

[root@linuxrouter root]# iptables -L -nvx
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     557      72706 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW,RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     147      13879 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW,RELATED,ESTABLISHED
       0          0 RULE_0     all  --  *      *       0.0.0.0/0            11.0.0.16            state NEW

Chain OUTPUT (policy ACCEPT 1 packets, 152 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     269      31752 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW,RELATED,ESTABLISHED
       0          0 RULE_0     all  --  *      *       0.0.0.0/0            11.0.0.16            state NEW

Chain RULE_0 (2 references)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix `RULE 0 -- ACCEPT '
       0          0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
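A note on what the `iptables -L -t nat -nvx` output above reveals, with an added example that is not part of the thread and not fwbuilder's or netfilter's own code. The script says `-d 172.25.239.220/27`, but netfilter masks the address before matching, so the rule is stored and matched as `172.25.239.192/27`: the whole /27 block, which contains the router's own eth1 address 172.25.239.208 as well as the 172.25.239.220 alias. Every packet addressed to the router itself is therefore rewritten to 11.0.0.16 in PREROUTING (and locally generated ones in OUTPUT), which is consistent with the ping to 172.25.239.208 failing only once the rules are loaded. The Python lint below makes that check mechanical: given the DNAT rules as typed and the addresses the router holds, it reports any rule whose mask swallows a local address other than the one that was typed, and prints the single-host form. The `DnatRule`, `Finding`, `lint_dnat_rules` and `host_form` names are my own; the rules and addresses are copied from the posted script and ifconfig output.

```python
"""Lint iptables DNAT destination matches against a router's own addresses.

Added example for the netfilter thread above; the rules and addresses come
from the posted script and ifconfig output, the lint itself is my own.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class DnatRule:
    chain: str       # nat-table chain the rule lives in, e.g. "PREROUTING"
    match_dst: str   # the -d argument exactly as typed, e.g. "172.25.239.220/27"
    to_dst: str      # the --to-destination argument


@dataclass(frozen=True)
class Finding:
    rule: DnatRule
    matched_net: str   # network iptables really matches, e.g. "172.25.239.192/27"
    swallowed: tuple   # router-local addresses the rule also rewrites


def normalize_match(spec: str) -> IPv4Network:
    """Return the network iptables actually matches for a -d spec.

    netfilter applies the mask to the address before comparing, so
    172.25.239.220/27 is stored and matched as 172.25.239.192/27 (exactly
    what `iptables -L -t nat -nvx` printed). A bare address or /32 matches
    only that host.
    """
    return ip_network(spec, strict=False)


def typed_address(spec: str) -> IPv4Address:
    """The host address as typed, before the mask is applied."""
    return ip_address(spec.split("/")[0])


def local_addresses_captured(rule: DnatRule, local_addrs) -> list:
    """Router-local addresses (as strings, ascending) whose traffic the rule rewrites."""
    net = normalize_match(rule.match_dst)
    return [str(a) for a in sorted(ip_address(x) for x in local_addrs) if a in net]


def lint_dnat_rules(rules, local_addrs) -> list:
    """Flag DNAT rules whose mask makes them rewrite traffic meant for the router.

    A rule is reported when it captures a local address other than the one
    that was typed; capturing the typed alias itself is the intended effect.
    """
    findings = []
    for rule in rules:
        intended = str(typed_address(rule.match_dst))
        swallowed = tuple(a for a in local_addresses_captured(rule, local_addrs)
                          if a != intended)
        if swallowed:
            findings.append(Finding(rule, str(normalize_match(rule.match_dst)), swallowed))
    return findings


def host_form(spec: str) -> str:
    """Rewrite a -d spec so that it matches exactly one host."""
    return f"{typed_address(spec)}/32"


# Constructed from the thread: the two DNAT rules of the posted script and the
# addresses ifconfig shows on the router (eth0, eth1 and the eth1:1 alias).
POSTED_RULES = [
    DnatRule("PREROUTING", "172.25.239.220/27", "11.0.0.16"),
    DnatRule("OUTPUT", "172.25.239.220/27", "11.0.0.16"),
]
ROUTER_ADDRS = ["11.0.0.3", "172.25.239.208", "172.25.239.220"]


if __name__ == "__main__":
    for f in lint_dnat_rules(POSTED_RULES, ROUTER_ADDRS):
        print(f"{f.rule.chain}: -d {f.rule.match_dst} matches {f.matched_net}, "
              f"which also rewrites traffic for {', '.join(f.swallowed)}; "
              f"use -d {host_form(f.rule.match_dst)} instead")
```

Run stand-alone, it reports both posted rules, each swallowing 172.25.239.208, and suggests `-d 172.25.239.220/32`. The same check applied to a /32 rule returns no finding, which is the shape the DNAT rules need if one alias per target host is the goal: one `-d <alias>/32` rule per alias, so the router's own address and the other hosts in the /27 are never rewritten.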