Re: forwarding iptable packets
On Wednesday 01 February 2006 01:18 am, Edward Shornock wrote:
> On Thu, Feb 02, 2006 at 07:11:07AM +0800, Jon Miller wrote:
> > I'm having a major problem trying to forward packets from either a
> > workstation of the LAN to the Internet. I want to be sure I'm doing this
> > correctly. I set a forward rule:
> > $IPT -A FORWARD -i $INT_IFACE -o eth1 -p tcp --dport 1262 -j ACCEPT
> >
> > Then I set a PREROUTING rule
> > $IPT -A PREROUTING -i $EXT_IFACE -p tcp --dport 1262 -j DNAT --to-destination 192.168.xxx.xxx
> >
> > All I can see using tethereal on the network is SYN packets. Any idea
> > what I'm doing wrong?
>
> try
> $IPT -t nat -A PREROUTING -i $EXT_IFACE -p tcp --dport 1262 -j DNAT --to-destination 192.168.xxx.xxx
>
> The forward rule looks OK.

if it's *from* the LAN *to* the internet, shouldn't it be:

if you have a static outside IP
$IPT -t nat -A POSTROUTING -o $EXT_IFACE -p tcp --dport 1262 -j DNAT --to-source $EXT_IP

or, if your outside IP is dhcp assigned
$IPT -t nat -A POSTROUTING -o $EXT_IFACE -p tcp --dport 1262 -j MASQUERADE

-anoop.

Re: forwarding iptable packets
On Wednesday 01 February 2006 11:32 am, anoop aryal wrote:
> On Wednesday 01 February 2006 01:18 am, Edward Shornock wrote:
> > On Thu, Feb 02, 2006 at 07:11:07AM +0800, Jon Miller wrote:
> > > I'm having a major problem trying to forward packets from either a
> > > workstation of the LAN to the Internet. I want to be sure I'm doing
> > > this correctly. I set a forward rule:
> > > $IPT -A FORWARD -i $INT_IFACE -o eth1 -p tcp --dport 1262 -j ACCEPT
> > >
> > > Then I set a PREROUTING rule
> > > $IPT -A PREROUTING -i $EXT_IFACE -p tcp --dport 1262 -j DNAT --to-destination 192.168.xxx.xxx
> > >
> > > All I can see using tethereal on the network is SYN packets. Any idea
> > > what I'm doing wrong?
> >
> > try
> > $IPT -t nat -A PREROUTING -i $EXT_IFACE -p tcp --dport 1262 -j DNAT --to-destination 192.168.xxx.xxx
> >
> > The forward rule looks OK.
>
> if it's *from* the LAN *to* the internet, shouldn't it be:
>
> if you have a static outside IP
> $IPT -t nat -A POSTROUTING -o $EXT_IFACE -p tcp --dport 1262 -j DNAT --to-source $EXT_IP

woops, make that:
$IPT -t nat -A POSTROUTING -o $EXT_IFACE -p tcp --dport 1262 -j SNAT --to-source $EXT_IP

> or, if your outside IP is dhcp assigned
> $IPT -t nat -A POSTROUTING -o $EXT_IFACE -p tcp --dport 1262 -j MASQUERADE

-anoop.

Re: forwarding iptable packets
On Wed, Feb 01, 2006 at 11:32:08AM -0600, anoop aryal wrote:
> if it's *from* the LAN *to* the internet, shouldn't it be:
[..]

Oops...I misread that. Yeah, he's probably missing the SNAT or MASQUERADE
target if he's trying to get *out* to the Internet.

If I properly read the OP the first time, my reply would have been quite
different.

Assuming the OP wanted to forward ports from the *outside* to the *inside*,
something like this would work.

$IPT -t nat -A PREROUTING -p tcp -i $external_iface \
    -d $external_ip --dport 80 --sport 1024:65535 -j DNAT \
    --to $webserver:80
$IPT -A FORWARD -p tcp -i $external_iface -o $internal_iface \
    -d $webserver --dport 80 --sport 1024:65535 -m state \
    --state NEW,ESTABLISHED,RELATED -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward

...but even with the port forwarding you'd still need to do as anoop
suggested.

# Uncomment the following line if your external IP address is dynamic
# $IPT -t nat -A POSTROUTING -o $external_iface -j MASQUERADE

# Uncomment the following line if your external IP address is static
# $IPT -t nat -A POSTROUTING -o $external_iface -j SNAT --to-source $external_ip

forwarding iptable packets
I'm having a major problem trying to forward packets from either a
workstation of the LAN to the Internet. I want to be sure I'm doing this
correctly. I set a forward rule:
$IPT -A FORWARD -i $INT_IFACE -o eth1 -p tcp --dport 1262 -j ACCEPT

Then I set a PREROUTING rule
$IPT -A PREROUTING -i $EXT_IFACE -p tcp --dport 1262 -j DNAT --to-destination 192.168.xxx.xxx

All I can see using tethereal on the network is SYN packets. Any idea what
I'm doing wrong?

Thanks

Re: forwarding iptable packets
On Thu, Feb 02, 2006 at 07:11:07AM +0800, Jon Miller wrote:
> I'm having a major problem trying to forward packets from either a
> workstation of the LAN to the Internet. I want to be sure I'm doing this
> correctly. I set a forward rule:
> $IPT -A FORWARD -i $INT_IFACE -o eth1 -p tcp --dport 1262 -j ACCEPT
>
> Then I set a PREROUTING rule
> $IPT -A PREROUTING -i $EXT_IFACE -p tcp --dport 1262 -j DNAT --to-destination 192.168.xxx.xxx
>
> All I can see using tethereal on the network is SYN packets. Any idea what
> I'm doing wrong?

try
$IPT -t nat -A PREROUTING -i $EXT_IFACE -p tcp --dport 1262 -j DNAT --to-destination 192.168.xxx.xxx

The forward rule looks OK.
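
An added example, not from any message in this thread: a small shell check for the two mistakes the replies correct, a NAT target used without `-t nat` and `DNAT` used where `SNAT` belongs. The function name `check_rule` is made up for this example, and the chain restrictions it encodes (DNAT in PREROUTING/OUTPUT, SNAT in POSTROUTING/INPUT, MASQUERADE in POSTROUTING) come from the iptables-extensions manual rather than from the thread.

```sh
#!/bin/sh
# Added example: lint one iptables argument string for table/chain/target mismatches.
# Prints a diagnosis; exit status 0 = consistent, 1 = problem found.
check_rule() (
    set -f                                   # no glob expansion while splitting the rule
    table=filter chain= target= opt= prev=   # without -t, iptables uses the filter table
    for word in $1; do
        case $prev in
            -t|--table)              table=$word ;;
            -A|-I|--append|--insert) chain=$word ;;
            -j|--jump)               target=$word ;;
        esac
        case $word in --to-source|--to-destination) opt=$word ;; esac
        prev=$word
    done
    fail() { echo "BAD: $1"; exit 1; }
    case $target in
        DNAT|SNAT|MASQUERADE)
            [ "$table" = nat ] || fail "$target needs '-t nat' (table is $table)" ;;
    esac
    case $table:$chain in
        filter:PREROUTING|filter:POSTROUTING)
            fail "the filter table has no $chain chain" ;;
    esac
    case $target:$chain in
        DNAT:PREROUTING|DNAT:OUTPUT) ;;
        SNAT:POSTROUTING|SNAT:INPUT|MASQUERADE:POSTROUTING) ;;
        DNAT:*|SNAT:*|MASQUERADE:*) fail "$target is not valid in $chain" ;;
    esac
    case $target:$opt in
        DNAT:--to-source)      fail "--to-source belongs to SNAT, not DNAT" ;;
        SNAT:--to-destination) fail "--to-destination belongs to DNAT, not SNAT" ;;
    esac
    echo "OK: table=$table chain=$chain target=$target"
)

# Rules quoted from the thread (single-quoted so the $VARS stay literal).
for rule in \
    '-A PREROUTING -i $EXT_IFACE -p tcp --dport 1262 -j DNAT --to-destination 192.168.xxx.xxx' \
    '-t nat -A POSTROUTING -o $EXT_IFACE -p tcp --dport 1262 -j DNAT --to-source $EXT_IP' \
    '-t nat -A POSTROUTING -o $EXT_IFACE -p tcp --dport 1262 -j SNAT --to-source $EXT_IP'
do
    check_rule "$rule" || :
done
```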