Please Help on DNAT
Denis Ducamp
Denis.Ducamp@hsc.fr
Mon, 31 Jul 2000 07:22:21 +0200
On Sun, Jul 30, 2000 at 10:46:42PM +0100, Lambert Antoine LOMBE wrote:
> Please help. My DNAT is not working at all. When I try to get my www or
> mail server from outside, they are not responding. I have one Internet IP
> address and wish to build in my LAN a web and mail server with private IP
> addresses. This is what I put in my iptables chains from a script. Note that
> the local LAN interface is eth1 and the outside one is eth0 and that from
> the local net (192.168.1.0), all is working fine.
>
> LNET=192.168.1.0/24
> LPC=209.198.243.17
> ANY=0.0.0.0/0   # the "=" is required: "ANY 0.0.0.0/0" tries to run a command named ANY and leaves $ANY empty
> iptables -F INPUT
> iptables -F OUTPUT
> iptables -F FORWARD
> iptables -t nat -F PREROUTING
> iptables -t nat -F POSTROUTING
> iptables -t nat -F OUTPUT
> iptables -P OUTPUT ACCEPT
> iptables -P INPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -t nat -P OUTPUT ACCEPT
> iptables -t nat -P POSTROUTING ACCEPT
> iptables -t nat -P PREROUTING ACCEPT
> iptables -t nat -A POSTROUTING -o eth0 -s $LNET -d $ANY -j MASQUERADE
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -d $LPC -j DNAT --to 192.168.1.2:80
> iptables -t nat -A PREROUTING -i eth0 -p udp --dport 80 -d $LPC -j DNAT --to 192.168.1.2:80
HTTP doesn't need any UDP packets...
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -d $LPC -j DNAT --to 192.168.1.3:25
>
> Please, what is not going on in my script ?
You have to allow the protocol from outside to inside:
iptables -A FORWARD -i eth0 -p tcp --dport 25 -d 192.168.1.3 -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp --dport 80 -d 192.168.1.2 -j ACCEPT
and tell Linux to route packets:
echo 1 > /proc/sys/net/ipv4/ip_forward
Denis Ducamp.
--
Denis.Ducamp@hsc.fr -- Hervé Schauer Consultants -- http://www.hsc.fr/
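Putting the two answers together, here is a complete script for the setup described in the thread. It is an added example, not code from either poster: the interfaces and addresses are the ones from the original message, but the default-deny FORWARD policy and the ESTABLISHED,RELATED state rule are assumptions added for hardening (with the original ACCEPT policy the FORWARD rules would be redundant; with DROP they are what lets the DNATed packets through). It prints the commands by default so the rule set can be reviewed before it is applied as root.

```shell
#!/bin/sh
# Added example (not from the original thread): one-public-IP firewall that
# DNATs HTTP and SMTP to internal hosts, with a default-deny FORWARD chain.
# Interface names and addresses come from the original post; the stateful
# rule and the DROP policy are assumptions added for hardening.

EXT_IF=eth0              # outside interface
INT_IF=eth1              # LAN interface
LNET=192.168.1.0/24      # LAN
LPC=209.198.243.17       # the single public address, configured on $EXT_IF
WEB=192.168.1.2          # internal web server
MAIL=192.168.1.3         # internal mail server

# Dry run by default: print each command. Set APPLY=1 to execute (as root).
run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Publish TCP port $1 to internal host $2: the nat rule rewrites the
# destination, the filter rule lets the rewritten packet through FORWARD.
# Both are needed once the FORWARD policy is DROP.
publish_tcp() {
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$LPC" --dport "$1" \
        -j DNAT --to-destination "$2:$1"
    run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$2" --dport "$1" \
        -j ACCEPT
}

nat_ruleset() {
    for chain in INPUT OUTPUT FORWARD; do run iptables -F "$chain"; done
    for chain in PREROUTING POSTROUTING OUTPUT; do run iptables -t nat -F "$chain"; done

    # Nothing crosses the box unless a rule below allows it.
    run iptables -P FORWARD DROP

    # Replies to connections already accepted in either direction.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # LAN -> Internet, masqueraded behind $LPC.
    run iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LNET" -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$LNET" -j MASQUERADE

    # Internet -> published services (TCP only; HTTP and SMTP have no UDP side).
    publish_tcp 80 "$WEB"
    publish_tcp 25 "$MAIL"

    # Without this the kernel never forwards, whatever the rules say.
    run sysctl -w net.ipv4.ip_forward=1
}

nat_ruleset
```

Run it plain to review the commands, then `APPLY=1 sh dnat.sh` as root. To check that it took: `iptables -t nat -L PREROUTING -n -v` and `iptables -L FORWARD -n -v` should show the DNAT and ACCEPT counters increasing when you connect from outside, and `cat /proc/sys/net/ipv4/ip_forward` must print 1. One more thing DNAT needs that no rule can fix: the web and mail servers' default route has to point at the firewall's eth1 address, otherwise their replies never pass back through the box to be un-NATed.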