[Techtalk] iptables NAT forwarding...

Conor Daly conor.daly at oceanfree.net
Tue Jun 4 20:24:54 EST 2002


On Wed, May 29, 2002 at 10:07:29AM +1000 or so it is rumoured hereabouts, 
Malcolm Tredinnick thought:
> On Tue, May 28, 2002 at 10:38:43AM -0400, Walt wrote:
> > I'm kind of lost as to why this isn't working..
> > 
> > All I'm trying to do is forward a connection
> > to port 2346 on my server's external iface to
> > an internal computer on the same port.
> > 
> > My iptables command is simply this:
> > iptables -A INPUT -p udp --dport 2346 -d [EXT_IP] -j ACCEPT
> 
> Don't you want "-s [EXT_IP]" instead of -d here? As I understand your
> requirements, you want packets originating from the external address to
> be redirected.
 
No, that's correct since this is traffic coming in (via the external
interface) *to* the external IP address.  He could use a "-s
[TRUSTED_IPS]" to specify a set of IP addresses to allow connections from
rather than allowing connections from *any* IP out there.

> > iptables -A PREROUTING -t nat -p udp -i ppp0 --dport 2346 -j DNAT --to 
> > 10.0.0.9:2346
> > 
> > But the connection cannot be established and
> > when I 'nc -u -v -z localhost 2346' it tells me
> > connection refused.

The other thing you might be forgetting here is that the rule will trigger
for traffic coming in on the *external* interface only.  "nc localhost"
won't go near EXT_IP but will instead come through on 127.0.0.1.  To test
the rule you should do "nc -u -v -z EXT_IP 2346".

It's my understanding (of ipchains anyhow) that you also need a reverse
rule to allow packets *back* to the external machine.  Is that also the
case for iptables?

iptables -A OUTPUT -p udp --sport 2346 -d [EXT_IP] -j ACCEPT

I've no idea if that syntax is correct (or even if it's in the correct
chain!) but it looks like my ipchains SSH rules:

    # ------------------------------------------------------------------

    # SSH server (22)
    # ---------------

    /sbin/ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp  -s $MET_IE \
        --source-port $SSH_REMOTE_PORTS -d $IPADDR 22 -j ACCEPT -l

    /sbin/ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y -s $IPADDR \
        22 -d $MET_IE --destination-port $SSH_REMOTE_PORTS -j ACCEPT

Where   EXTERNAL_INTERFACE is ppp0 (the internet connection)
        MET_IE is a trusted external IP address
        SSH_REMOTE_PORTS="513:65535"
        IPADDR is *my* IP address for the internet connection

Note one rule for each direction.  This is separate to the rule for an SSH
client which looks like:

    # SSH client (22)
    # ---------------
    /sbin/ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  -s $IPADDR \
        $SSH_LOCAL_PORTS --destination-port 22 -j ACCEPT
 
Conor
-- 
Conor Daly <conor.daly at oceanfree.net>

Domestic Sysadmin :-)
---------------------
Faenor.cod.ie
  8:02pm  up 12 days,  5:20,  0 users,  load average: 0.08, 0.02, 0.01
Hobbiton.cod.ie
  8:04pm  up 12 days,  5:25,  3 users,  load average: 0.08, 0.06, 0.01
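The script below is an added example and is not part of Conor's reply or of anything Walt posted. It generates the netfilter rule set that makes a UDP port-forward of the kind Walt describes actually work: the DNAT happens in the nat PREROUTING chain, the rewritten packet then traverses the FORWARD chain (not INPUT, which is why Walt's INPUT rule never matches it), and connection tracking passes the replies, so the hand-written reverse rule that ipchains needs is not required. The interface name, the 203.0.113.5 external address (a documentation address standing in for [EXT_IP]), the 10.0.0.9 internal host, port 2346 and the optional trusted-source list are illustrative assumptions; the function prints the rules so they can be reviewed or tested without root.

```shell
#!/bin/sh
# Added example, not from the original thread. Emits iptables rules for a
# UDP (or TCP) port-forward through a NAT router. All addresses and names
# below are assumed values for illustration.

EXT_IF="${EXT_IF:-ppp0}"            # internet-facing interface
EXT_IP="${EXT_IP:-203.0.113.5}"     # its public address (stand-in for [EXT_IP])
INT_HOST="${INT_HOST:-10.0.0.9}"    # internal machine that should receive the port
PORT="${PORT:-2346}"
PROTO="${PROTO:-udp}"
TRUSTED="${TRUSTED:-}"              # optional: source address/range allowed to connect

# port_forward_rules EXT_IF EXT_IP INT_HOST PORT PROTO [TRUSTED_SRC]
# Prints the rules instead of applying them, so the output can be reviewed,
# checked in a test, or piped to "sudo sh" on the router.
port_forward_rules() {
    ext_if="$1"; ext_ip="$2"; int_host="$3"; port="$4"; proto="$5"
    src=""
    if [ -n "${6:-}" ]; then
        # Restrict who may use the forward, as Conor suggests with -s [TRUSTED_IPS].
        src="-s $6 "
    fi
    cat <<EOF
# Routing between interfaces must be enabled or FORWARD never sees a packet.
sysctl -w net.ipv4.ip_forward=1
# 1. Rewrite the destination before routing, only for packets that arrive on
#    the external interface addressed to the public IP. A test from the
#    router itself (nc ... localhost) takes the nat OUTPUT path, not this one.
iptables -t nat -A PREROUTING -i $ext_if -p $proto -d $ext_ip --dport $port -j DNAT --to-destination $int_host:$port
# 2. The packet is now addressed to $int_host, so it is forwarded, not delivered
#    locally: allow the first packet of each flow in the FORWARD chain.
iptables -A FORWARD -i $ext_if -p $proto ${src}-d $int_host --dport $port -m state --state NEW -j ACCEPT
# 3. Connection tracking (UDP flows included) lets the replies back out and
#    any further packets of the flow in; no separate reverse rule is needed.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# 4. Source-NAT the internal network's own outbound traffic behind the router.
iptables -t nat -A POSTROUTING -o $ext_if -j MASQUERADE
EOF
}

# Print the rule set for the values above (pipe to "sudo sh" to apply them).
port_forward_rules "$EXT_IF" "$EXT_IP" "$INT_HOST" "$PORT" "$PROTO" "$TRUSTED"
```

Run it on the router as `sh forward.sh | sudo sh`, then test from a host *outside* the NAT with `nc -u -v -z 203.0.113.5 2346`; a test from the router itself needs an extra DNAT rule in the nat OUTPUT chain, because locally generated packets never pass through PREROUTING. The `-m state` match is the form available in the iptables of the thread's era and still works; newer kernels also accept `-m conntrack --ctstate` for the same purpose.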
