DNAT Not working

Hi all !

I have a fw box running RH 7.3.

Here's part of my nat table:

-A PREROUTING -p tcp -m tcp -s 172.16.190.0/255.255.255.0 --dport 80 -j REDIRECT --to-ports 8080
-A POSTROUTING -p tcp -m tcp -s 172.16.190.0/255.255.255.0 ! --dport 80 -o eth0 -j SNAT --to-source 1.1.1.1
-A POSTROUTING -p udp -m udp -s 172.16.190.0/255.255.255.0 -o eth0 -j SNAT --to-source 1.1.1.1
-A POSTROUTING -p icmp -m icmp -s 172.16.190.0/255.255.255.0 -o eth0 -j SNAT --to-source 1.1.1.1

-A PREROUTING -p tcp -m tcp -i eth0 -d 1.1.2.1 --dport 80 -j DNAT --to-destination 172.16.190.5
-A PREROUTING -p tcp -m tcp -i eth0 -d 1.1.2.1 --dport 9287 -j DNAT --to-destination 172.16.190.5
-A PREROUTING -i eth0 -d 1.1.2.2 -j DNAT --to-destination 172.16.190.7
-A PREROUTING -p tcp -m tcp -i eth0 -d 1.1.2.3 --dport 5003 -j DNAT --to-destination 172.16.190.143


Part of my filter table:

-A FORWARD -i eth0 -o eth2 -p tcp -m tcp -d 172.16.190.5 --dport 80 -j ACCEPT
-A FORWARD -i eth0 -o eth2 -p tcp -m tcp -d 172.16.190.5 --dport 9287 -j ACCEPT
-A FORWARD -i eth0 -o eth2 -d 172.16.190.7 -j ACCEPT
-A FORWARD -i eth0 -o eth2 -p tcp -m tcp -d 172.16.190.143 --dport 5003 -j ACCEPT

There are other things in it, and my last FORWARD line is a LOG one.

1.1.1.1 (fake IP) is the ext. IP of the box (eth0).
1.1.2.x are IPs routed by the box.
172.16.190.x are internal IPs (eth1).


DNAT to 172.16.190.5, port 80 works fine.
DNAT to 172.16.190.143, port 5003 is not.

In /proc/net/ip_conntrack, I see:

tcp      6 118 SYN_SENT src=x.x.x.x dst=x.x.x.x sport=49502 dport=5003 [UNREPLIED] src=172.16.190.143 dst=x.x.x.x sport=5003 dport=49502 use=1

With iptables -nvL, I see the packet counters rising for the 2 rules concerning port 5003.

On the 172.16.190.143 box, which is a Mac OS X box, with netstat -an | grep 5003, I see:

tcp4       0      0  172.16.190.143.5003    x.x.x.x.62382          SYN_RCVD
tcp4       0      0  172.16.190.143.5003    172.16.190.153.49342   ESTABLISHED
tcp4       0      0  127.0.0.1.5003         127.0.0.1.49184        ESTABLISHED
tcp4       0      0  127.0.0.1.49184        127.0.0.1.5003         ESTABLISHED
tcp4       0      0  *.5003                 *.*                    LISTEN

I see nothing being logged.

I tried removing port selection as in:

-A PREROUTING -i eth0 -d 1.1.2.3 -j DNAT --to-destination 172.16.190.143
-A FORWARD -i eth0 -o eth2 -d 172.16.190.143 -j ACCEPT

Still the same thing.

What am I missing?
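The conntrack line quoted in the post is the key diagnostic: a flow whose reply tuple has a different source than the original destination has had DNAT applied, and a flow still marked [UNREPLIED] while the target host already sits in SYN_RCVD means the translated SYN got out but the SYN-ACK never came back through the firewall's conntrack. The following is an added example, not code from the original post or from the netfilter project: a small POSIX shell/awk filter that reads the old /proc/net/ip_conntrack line format and lists exactly those unreplied DNAT flows, so a DNAT rule whose return path is broken shows up immediately. The sample entries are constructed for the example (documentation addresses in 203.0.113.0/24 and 198.51.100.0/24 stand in for the post's x.x.x.x and 1.1.2.x); on a real box you would pipe /proc/net/ip_conntrack into the function instead.

```shell
#!/bin/sh
# Added example: list conntrack flows where DNAT was applied but no reply
# has been seen. In the /proc/net/ip_conntrack format each line carries two
# tuples (original direction, then reply direction); DNAT shows up as the
# reply tuple's src differing from the original tuple's dst, and a missing
# reply shows up as the [UNREPLIED] flag between the two tuples.

# Constructed sample in the /proc/net/ip_conntrack layout (not a real capture):
#  1. DNAT to 172.16.190.143:5003, no reply seen  -> should be reported
#  2. DNAT to 172.16.190.5:80, fully established  -> fine, not reported
#  3. SNAT of an outbound UDP query, unreplied    -> not DNAT, not reported
SAMPLE_CONNTRACK='tcp      6 118 SYN_SENT src=203.0.113.10 dst=198.51.100.3 sport=49502 dport=5003 [UNREPLIED] src=172.16.190.143 dst=203.0.113.10 sport=5003 dport=49502 use=1
tcp      6 431999 ESTABLISHED src=203.0.113.20 dst=198.51.100.1 sport=40000 dport=80 src=172.16.190.5 dst=203.0.113.20 sport=80 dport=40000 [ASSURED] use=1
udp      17 29 src=172.16.190.9 dst=203.0.113.53 sport=5353 dport=53 [UNREPLIED] src=203.0.113.53 dst=198.51.100.1 sport=53 dport=5353 use=1'

# Reads conntrack lines on stdin; prints one line per unreplied DNAT flow:
#   <proto> <original dst>:<dport> -> <reply src>:<sport>
unreplied_dnat() {
    awk '
    {
        # Reset per-line state (split("", arr) is the POSIX way to clear an array).
        n = 0
        split("", src); split("", dst); split("", sport); split("", dport)
        for (i = 1; i <= NF; i++) {
            # Each "src=" starts a new tuple: 1 = original, 2 = reply.
            if ($i ~ /^src=/)   { n++; src[n] = substr($i, 5) }
            if ($i ~ /^dst=/)   { dst[n] = substr($i, 5) }
            if ($i ~ /^sport=/) { sport[n] = substr($i, 7) }
            if ($i ~ /^dport=/) { dport[n] = substr($i, 7) }
        }
        unreplied = ($0 ~ /\[UNREPLIED\]/)
        # DNAT applied: the reply comes from an address other than the one
        # the client originally addressed. Report it only if no reply came.
        if (n == 2 && unreplied && src[2] != dst[1])
            printf "%s %s:%s -> %s:%s\n", $1, dst[1], dport[1], src[2], sport[2]
    }'
}

# Stand-alone run over the constructed sample:
printf '%s\n' "$SAMPLE_CONNTRACK" | unreplied_dnat
```

Running it over the sample prints only the first flow, `tcp 198.51.100.3:5003 -> 172.16.190.143:5003`. An entry that stays in this list while the internal host shows the connection in SYN_RCVD tells you the forward direction (PREROUTING DNAT plus the FORWARD ACCEPT) is doing its job and the problem lies on the return path, which is where to look next rather than at the DNAT rule itself.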


