Re: forwarding iptable packets

2006-02-01 Thread anoop aryal
On Wednesday 01 February 2006 01:18 am, Edward Shornock wrote:
 On Thu, Feb 02, 2006 at 07:11:07AM +0800, Jon  Miller wrote:
  I'm having a major problem trying to forward packets from either a
  workstation of the LAN to the Internet.  I want to be sure I'm doing
  this correctly.
 
  I set a forward rule:
  $IPT -A FORWARD -i $INT_IFACE -o eth1 -p tcp --dport 1262 -j ACCEPT
 
  Then I set a PREROUTING rule
  $IPT -A PREROUTING -i $EXT_IFACE -p tcp --dport 1262 -j DNAT \
   --to-destination 192.168.xxx.xxx
 
  All I can see using tethereal on the network is SYN packets.
 
  Any idea what I'm doing wrong?

 try
 $IPT -t nat -A PREROUTING -i $EXT_IFACE -p tcp --dport 1262 -j DNAT \
  --to-destination 192.168.xxx.xxx

 The forward rule looks OK.

if it's *from* the LAN *to* the internet, shouldn't it be:

if you have a static outside IP
$IPT -t nat -A POSTROUTING -o $EXT_IFACE -p tcp --dport 1262 -j DNAT \
 --to-source $EXT_IP

or, if your outside IP is dhcp assigned
$IPT -t nat -A POSTROUTING -o $EXT_IFACE -p tcp --dport 1262 -j MASQUERADE

-anoop.





Re: forwarding iptable packets

2006-02-01 Thread anoop aryal
On Wednesday 01 February 2006 11:32 am, anoop aryal wrote:
 On Wednesday 01 February 2006 01:18 am, Edward Shornock wrote:
  On Thu, Feb 02, 2006 at 07:11:07AM +0800, Jon  Miller wrote:
   I'm having a major problem trying to forward packets from either a
   workstation of the LAN to the Internet.  I want to be sure I'm doing
   this correctly.
  
   I set a forward rule:
   $IPT -A FORWARD -i $INT_IFACE -o eth1 -p tcp --dport 1262 -j ACCEPT
  
   Then I set a PREROUTING rule
   $IPT -A PREROUTING -i $EXT_IFACE -p tcp --dport 1262 -j DNAT \
    --to-destination 192.168.xxx.xxx
  
   All I can see using tethereal on the network is SYN packets.
  
   Any idea what I'm doing wrong?
 
  try
  $IPT -t nat -A PREROUTING -i $EXT_IFACE -p tcp --dport 1262 -j DNAT \
   --to-destination 192.168.xxx.xxx
 
  The forward rule looks OK.

 if it's *from* the LAN *to* the internet, shouldn't it be:

 if you have a static outside IP
 $IPT -t nat -A POSTROUTING -o $EXT_IFACE -p tcp --dport 1262 -j DNAT \
  --to-source $EXT_IP

woops, 
make that:
$IPT -t nat -A POSTROUTING -o $EXT_IFACE -p tcp --dport 1262 -j SNAT \
 --to-source $EXT_IP


 or, if your outside IP is dhcp assigned
 $IPT -t nat -A POSTROUTING -o $EXT_IFACE -p tcp --dport 1262 -j MASQUERADE

 -anoop.





Re: forwarding iptable packets

2006-02-01 Thread Edward Shornock
On Wed, Feb 01, 2006 at 11:32:08AM -0600, anoop aryal wrote:
 if it's *from* the LAN *to* the internet, shouldn't it be:
[..]

Oops...I misread that.  Yeah, he's probably missing the SNAT or
MASQUERADE target if he's trying to get *out* to the Internet. If I
properly read the OP the first time, my reply would have been quite
different.

Assuming the OP wanted to forward ports from the *outside* to the
*inside*, something like this would work.

$IPT -t nat -A PREROUTING -p tcp -i $external_iface \
 -d $external_ip --dport 80 --sport 1024:65535 -j DNAT \
 --to $webserver:80
$IPT -A FORWARD -p tcp -i $external_iface -o $internal_iface \
 -d $webserver --dport 80 --sport 1024:65535 -m state \
 --state NEW,ESTABLISHED,RELATED -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward

...but even with the port forwarding you'd still need to do as anoop
suggested.

# Uncomment the following line if your external IP address is dynamic
# $IPT -t nat -A POSTROUTING -o $external_iface -j MASQUERADE
# Uncomment the following line if your external IP address is static
# $IPT -t nat -A POSTROUTING -o $external_iface -j SNAT --to-source $external_ip




forwarding iptable packets

2006-01-31 Thread Jon Miller
I'm having a major problem trying to forward packets from either a workstation
of the LAN to the Internet.
I want to be sure I'm doing this correctly.

I set a forward rule:
$IPT -A FORWARD -i $INT_IFACE -o eth1 -p tcp --dport 1262 -j ACCEPT

Then I set a PREROUTING rule 
$IPT -A PREROUTING -i $EXT_IFACE -p tcp --dport 1262 -j DNAT \
 --to-destination 192.168.xxx.xxx

All I can see using tethereal on the network is SYN packets.

Any idea what I'm doing wrong?

Thanks



Re: forwarding iptable packets

2006-01-31 Thread Edward Shornock
On Thu, Feb 02, 2006 at 07:11:07AM +0800, Jon  Miller wrote:
 I'm having a major problem trying to forward packets from either a
 workstation of the LAN to the Internet.  I want to be sure I'm doing
 this correctly.

 I set a forward rule:
 $IPT -A FORWARD -i $INT_IFACE -o eth1 -p tcp --dport 1262 -j ACCEPT
 
 Then I set a PREROUTING rule 
 $IPT -A PREROUTING -i $EXT_IFACE -p tcp --dport 1262 -j DNAT \
  --to-destination 192.168.xxx.xxx
 
 All I can see using tethereal on the network is SYN packets.
 
 Any idea what I'm doing wrong?

try
$IPT -t nat -A PREROUTING -i $EXT_IFACE -p tcp --dport 1262 -j DNAT \
 --to-destination 192.168.xxx.xxx

The forward rule looks OK.


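
Added example, not part of any message in this thread: a small shell lint for the two NAT mistakes discussed above, a NAT target used without -t nat, and DNAT paired with POSTROUTING and --to-source. The function name lint_rule and its diagnostic labels are hypothetical, and the chain check assumes the classic placement (DNAT in PREROUTING or OUTPUT, SNAT and MASQUERADE in POSTROUTING) on built-in chains only.

```shell
#!/bin/sh
# Added example: lint one iptables command line for the NAT mistakes in this thread.
# Assumptions: built-in chains only; classic placement of the NAT targets.
lint_rule() {
    table=filter chain='' target='' to_opt='' prev='' found=''
    set -f                       # no globbing while the rule is split into words
    for word in $1; do
        case $prev in
            -t|--table) table=$word ;;
            -A|-I)      chain=$word ;;
            -j|--jump)  target=$word ;;
        esac
        case $word in
            --to-source|--to-destination) to_opt=$word ;;
        esac
        prev=$word
    done
    set +f

    case $target in
        DNAT|SNAT|MASQUERADE) ;;
        *) echo ok; return 0 ;;  # not a NAT rule, nothing to check
    esac

    # Without -t, iptables works on the filter table, which has no NAT targets.
    [ "$table" = nat ] || found="$found missing-t-nat"

    # DNAT rewrites the destination before routing (PREROUTING, OUTPUT);
    # SNAT and MASQUERADE rewrite the source after routing (POSTROUTING).
    case $target:$chain in
        DNAT:PREROUTING|DNAT:OUTPUT|SNAT:POSTROUTING|MASQUERADE:POSTROUTING) ;;
        *) found="$found wrong-chain" ;;
    esac

    # The address option has to match the direction of the rewrite.
    case $target:$to_opt in
        DNAT:--to-source|SNAT:--to-destination) found="$found wrong-to-option" ;;
    esac

    [ -z "$found" ] && { echo ok; return 0; }
    echo "${found# }"
    return 1
}

# Constructed sample input: the first rule posted in this thread (no -t nat).
lint_rule '$IPT -A PREROUTING -i $EXT_IFACE -p tcp --dport 1262 -j DNAT --to-destination 192.168.xxx.xxx' || true
```

The function prints the labels of every problem it finds and returns non-zero, so it can gate a firewall script before any rule is loaded.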