Hi All:
Setup:
Red Hat 7.2, Kernel 2.4.9-31, Iptables 1.2.4-0.71.2
Go easy on me guys, I am a newbie to firewalls and iptables. I
have successfully written a script that SNAT's the internal network and
allows controlled access to the firewall machine from the outside. It seems
to be pretty tight. This worked fine on two different machines and networks
until I tried to port forward on one of the systems. I have been tearing my
hair out ever since.
This seems to be a common problem on the discussion boards. However, I
haven't seen a solution. I am trying to forward a port into an internal
machine. It doesn't seem to matter which one, they don't work. I have tried
at least a dozen of the examples on the discussion board that are supposed
to solve the problem with no success. If I do an iptables -v -L -t nat, it
shows the packets are being DNAT'ed. However, if I do an iptables -v -L
FORWARD, they do not appear to cross the FORWARD chain.
I have tried drop all on the Input chain, accept all on the Forward and
the Output chains, and the only nat rule is to DNAT everything to the
internal machine.
I manually loaded all the modules in advance to be sure they are loaded.
The script executes with no errors, and I have done it at the command line
as well.
No go.
MY QUESTION:
Is there some problem with this combination that does not allow DNAT
forwarding?
Examples I have tried:
1)
#iptables -A OUTPUT -t nat -p tcp -d ${OUTSIDE_IP} --dport 21 -j DNAT --to 10.42.42.:21 # ftp
#iptables -A FORWARD -p tcp -d ${OUTSIDE_IP} --dport 21 -o ${INSIDE_DEV} -j ACCEPT
2)
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 80 -j DNAT --to 10.0.0.55:80
and at least a dozen more variations taken from discussion groups and
various how-to pages. The authors claimed it worked for them; however, none
of them seem to work for me. It seems to me that the PREROUTING DNAT is
sensible, with a FORWARD rule to go with it. As I mentioned above, they seem
to DNAT fine, but are being dropped in the FORWARD chain.
I would greatly appreciate some help and suggestions from someone who has
made this work.
Regards,
Stu...........
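A worked version of the PREROUTING-plus-FORWARD pairing discussed in the post, added here as an example and not taken from Stu's message or any how-to; the interface names, addresses and the DRY_RUN wrapper are assumptions. It shows the two things the 2.4 netfilter path requires: the FORWARD chain sees the packet after DNAT, so the accept rule must match the internal address rather than the public one, and net.ipv4.ip_forward must be enabled or DNAT'ed packets never reach FORWARD at all.

```shell
#!/bin/sh
# Added example, not from the original post: a DNAT port forward whose
# FORWARD rule matches the packet as it looks *after* translation.
# Interface names and addresses are assumed placeholders.
EXTIF="${EXTIF:-eth0}"             # assumed Internet-facing interface
INTIF="${INTIF:-eth1}"             # assumed LAN interface
EXTIP="${EXTIP:-203.0.113.10}"     # assumed public address (documentation range)
INTHOST="${INTHOST:-10.0.0.55}"    # assumed internal server
PORT="${PORT:-80}"

# With DRY_RUN=1 the commands are printed rather than executed, so the
# rule set can be reviewed on a machine without root or iptables.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

forward_port() {
    # If forwarding is off, packets are DNAT'ed in PREROUTING and then
    # discarded by the routing code: they never reach FORWARD.
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A PREROUTING -i "$EXTIF" -p tcp -d "$EXTIP" \
        --dport "$PORT" -j DNAT --to-destination "$INTHOST:$PORT"
    # FORWARD is evaluated after nat/PREROUTING, so the destination here
    # is the internal host, not the public address.
    run iptables -A FORWARD -i "$EXTIF" -o "$INTIF" -p tcp -d "$INTHOST" \
        --dport "$PORT" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # Return traffic from the internal host.
    run iptables -A FORWARD -i "$INTIF" -o "$EXTIF" -m state \
        --state ESTABLISHED,RELATED -j ACCEPT
}

# Self-check on the generated rules: the FORWARD accept rule must name the
# translated (internal) destination and must not name the public one.
forward_rule_targets_internal() {
    rules=$(DRY_RUN=1 forward_port | grep -- '-A FORWARD')
    echo "$rules" | grep -q -- "-d $INTHOST" || return 1
    echo "$rules" | grep -q -- "-d $EXTIP" && return 1
    return 0
}

case "${1:-}" in
    apply) forward_port ;;                 # sh script.sh apply
    *)     DRY_RUN=1 forward_port ;;       # default: just print the rules
esac
```

After applying, iptables -v -L FORWARD should show the byte counters on the ACCEPT rule climbing for a connection to the public port; if nat/PREROUTING counts but FORWARD does not, check ip_forward first.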