Hello all,

thx already for the hints, but I am still in a struggle. I changed my destination ip to 207, because 220 could cause problems. Forgive me that I don't understand why. Anyway, these rules give even a more confusing result. I am still not able to access my 11.0.0.16 box through the 172.25.239.207 DNAT'ed alias (not pingable, not nothing). I also can not connect anymore to my netfilter box after executing this script, BUT my active ssh connection stays open!? I am still on my machine remotely, but I can not ping it anymore?? :(

Any more ideas?

------------------------------------------------------------
IPTABLES=/sbin/iptables   # assumed path; the generated script sets this earlier
echo "Activating firewall script generated Thu Jun 10 15:03:22 2004 CEST by root"
# /27 masks the address to .192, so this matches .192-.223 (the router's own .208 included)
$IPTABLES -t nat -A PREROUTING -d 172.25.239.207/27 -j DNAT --to-destination 11.0.0.16
$IPTABLES -A INPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -N RULE_0
$IPTABLES -A OUTPUT -d 11.0.0.16 -m state --state NEW -j RULE_0
$IPTABLES -A FORWARD -d 11.0.0.16 -m state --state NEW -j RULE_0
$IPTABLES -A RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- ACCEPT "
$IPTABLES -A RULE_0 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
------------------------------------------------------------

Execution of this script gives me this (why is there 192 instead of 207?):
[root@linuxrouter root]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       all  --  anywhere             172.25.239.192/27   to:11.0.0.16

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@linuxrouter root]#

-----Original Message-----
From: netfilter-admin@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Antony Stone
Sent: Friday, June 18, 2004 6:15 PM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: DNAT problem / question

On Friday 18 June 2004 5:06 pm, Patrick Leslie Polzer wrote:
> On Fri, 18 Jun 2004 17:45:20 +0200
> "Arnauts, Bert" <Bert.Arnauts@xxxxxxxxxxxxxxxxxxx> wrote:
>
> > Could you please check my config, if I execute this I can not ping
> > my internal lan ip of this host 172.25.239.208 any more. I think
> > this is really weird.
>
> Why? These lines:
>
> > $IPTABLES -t nat -A PREROUTING -d 172.25.239.220/27 -j DNAT --to-destination 11.0.0.16
> > $IPTABLES -t nat -A OUTPUT -d 172.25.239.220/27 -j DNAT --to-destination 11.0.0.16
>
> are doing everything to keep ALL packets away from you ;) All outgoing
> packets (statement 2) are redirected to 11.0.0.16 and all incoming are
> as well (statement 1)!
> How do you expect ping to work with that? :-O

Good point, but surely a ping packet sent to 172.25.239.220 (let's overlook the netmask for the time being...) would get redirected to 11.0.0.16, and provided that machine responds to the ping (and the reply goes back through netfilter's NAT table) the originating client might see the reply?

However, I am certainly highly confused by what Bert is trying to achieve here - perhaps the answers to a few questions would help:

1. How many interfaces does the netfilter machine have? What are their IP addresses?

2. Where is machine 11.0.0.16? How are packets routed to that from the netfilter machine?

3. What address are you sending the ping packets from (and to)? How is that client routed to the netfilter box?

4. What, in simple terms, are you trying to achieve with the two rules which Patrick has queried above?

Regards,

Antony.

--
"It would appear we have reached the limits of what it is possible to achieve with computer technology, although one should be careful with such statements; they tend to sound pretty silly in five years."
 - John von Neumann (1949)

Please reply to the list; please don't CC me.
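The "192 instead of 207" in Bert's iptables -t nat -L output comes from the /27 prefix: iptables masks the address with the prefix before matching, so 172.25.239.207/27 and 172.25.239.220/27 are the same rule. This Python check is an added illustration, not code from the thread; the only inputs are the addresses the thread names (the rule's destination, the router's LAN address .208, the DNAT target).

```python
import ipaddress

# Constructed from the addresses named in the thread.
DNAT_MATCH = "172.25.239.207/27"      # what Bert wrote in the PREROUTING rule
EARLIER_MATCH = "172.25.239.220/27"   # his previous attempt
ROUTER_LAN_IP = "172.25.239.208"      # the netfilter box's own LAN address
DNAT_TARGET = "11.0.0.16"


def effective_match(cidr: str) -> ipaddress.IPv4Network:
    """Network that `-d host/prefix` actually matches.

    iptables discards the host bits, which is what strict=False does here,
    so .207/27 and .220/27 both become 172.25.239.192/27 (.192 - .223).
    """
    return ipaddress.ip_network(cidr, strict=False)


def host_bits_set(cidr: str) -> bool:
    """True when the address is not a network address for its prefix.

    That is the warning sign: the author probably meant one host (/32)
    but the rule silently matches a whole block.
    """
    try:
        ipaddress.ip_network(cidr, strict=True)
    except ValueError:
        return True
    return False


def addresses_caught(cidr: str, candidates):
    """Which candidate addresses a `-d cidr -j DNAT` rule would rewrite."""
    net = effective_match(cidr)
    return [a for a in candidates if ipaddress.ip_address(a) in net]


def single_host_form(cidr: str) -> str:
    """The /32 match that keeps only the intended alias address."""
    return str(ipaddress.ip_network(cidr.split("/")[0] + "/32"))


if __name__ == "__main__":
    print(effective_match(DNAT_MATCH))        # 172.25.239.192/27, as iptables -L lists it
    print(host_bits_set(DNAT_MATCH))          # True
    # The router's own .208 is inside the block, so new connections to it are DNATed
    # to 11.0.0.16; only the already-tracked ssh session keeps its original mapping.
    print(addresses_caught(DNAT_MATCH, [ROUTER_LAN_IP, "172.25.239.220", "172.25.239.100"]))
    print(single_host_form(DNAT_MATCH))       # 172.25.239.207/32
```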