2nd question in a day! :-) DNAT, this time..

Kevin Evans kevin@thewalledcity.net
Sat, 14 Jul 2001 17:55:08 +0100


Hey folks... I'm struggling to understand this, and wondering if anyone
can help:

I telnet (from a box externally) to the external (ppp0) interface, port
6004 and - as expected - it eventually times out (the default policy on
the INPUT chain is to drop all but RELATED and ESTABLISHED packets).

I insert the following rule into my INPUT chain:

/usr/local/sbin/iptables -I INPUT -p tcp --dport 6004 -j ACCEPT

I then telnet (from a box externally) to the external (ppp0) interface,
port 6004. As expected, I get "Connection refused" - there's no service
listening on port 6004 on that box.

Then, I do:

/usr/local/sbin/iptables -t nat -A PREROUTING -p tcp -i ppp+ --dport 6004 -j DNAT --to 192.168.155.205:6004

If I telnet (from an external box) to the ppp0 interface, port 6004, it
now hangs forever. I get the same symptoms if I attempt this with any
other ports (e.g. 21 redirecting to 192.168.155.205:21, etc). The target
(192.168.155.205) box is listening on port 6004, and telnetting to it
internally on port 6004 does establish a connection, but no
external-origin connection ever arrives there. There doesn't seem to be
any actual forwarding going on, but the packets don't seem to end up
being processed (and refused due to the lack of a listening daemon)
locally on the NAT box, either.

Output of iptables -v -t nat -L:

Chain PREROUTING (policy ACCEPT 66 packets, 7483 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  ppp+   any     anywhere             anywhere           tcp dpt:6004 to:192.168.155.205:6004

Chain POSTROUTING (policy ACCEPT 10 packets, 1740 bytes)
 pkts bytes target     prot opt in     out     source               destination
   49  2843 MASQUERADE  all  --  any    ppp+    anywhere             anywhere

Chain OUTPUT (policy ACCEPT 49 packets, 4103 bytes)
 pkts bytes target     prot opt in     out     source               destination

And iptables -v -L:

Chain INPUT (policy ACCEPT 11 packets, 560 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere           tcp dpt:6004
  263 13340 ACCEPT     tcp  --  any    any     anywhere             anywhere           tcp dpt:ssh
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere           tcp dpt:auth
    3   374 local      all  --  any    any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 local      all  --  any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 1599 packets, 120090 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain local (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere           state RELATED,ESTABLISHED
    1   254 ACCEPT     all  --  !ppp+  any     anywhere             anywhere           state NEW
    2   120 DROP       all  --  any    any     anywhere             anywhere


Everything else (masquerading, firewalling, internal access outward,
etc) works fine. It's just the DNAT that doesn't seem to be working...
And I can't see any real reason why it wouldn't.

Cheers (again)

Kev

Kevin Evans - kevin@thewalledcity.net 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
www.thewalledcity.net - Free webmail
irc.irctoo.net - the IRCtoo chat net
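An added example, not part of Kevin's post: a small Python model of the netfilter traversal for the chains he listed, which makes the point that a packet rewritten by DNAT in PREROUTING is no longer addressed to the NAT box itself, so after the routing decision it is checked by FORWARD (and whatever FORWARD jumps to), not by the INPUT rule that was added for port 6004. The ppp0 address 203.0.113.10 is a constructed placeholder, and the model assumes 192.168.155.205 is not an address of the NAT box; the ACCEPT rule inserted into FORWARD in the last function is an assumption about the fix, not something the post confirms.

```python
# Added example (not from the original post): model the chain traversal of the
# posted ruleset to see which chain decides the fate of an inbound SYN to port 6004.
# Constructed assumptions: the NAT box's ppp0 address is 203.0.113.10, and
# 192.168.155.205 is a separate host (so routing sends the packet to FORWARD).
from dataclasses import dataclass, replace
from typing import Optional

LOCAL_ADDRS = {"203.0.113.10"}   # constructed: addresses owned by the NAT box


@dataclass
class Packet:
    in_iface: str        # interface the packet arrived on
    dst: str             # destination address; rewritten by DNAT
    dport: int
    state: str = "NEW"   # conntrack state seen by the 'state' match


@dataclass
class Rule:
    target: str                     # ACCEPT, DROP, DNAT, or a user-defined chain
    in_iface: Optional[str] = None  # "ppp+" wildcard, "!ppp+" negated, None = any
    dport: Optional[int] = None
    states: tuple = ()              # empty tuple = no state match
    to: Optional[str] = None        # DNAT --to address


def iface_matches(pattern: Optional[str], iface: str) -> bool:
    """iptables-style interface match with '+' wildcard and '!' negation."""
    if pattern is None:
        return True
    negate = pattern.startswith("!")
    pat = pattern.lstrip("!")
    hit = iface.startswith(pat[:-1]) if pat.endswith("+") else iface == pat
    return hit != negate


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (iface_matches(rule.in_iface, pkt.in_iface)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (not rule.states or pkt.state in rule.states))


def walk_chain(chains, name, pkt):
    """Walk one chain; return ACCEPT/DROP/DNAT, or None if the chain falls through."""
    for rule in chains[name]:
        if not rule_matches(rule, pkt):
            continue
        if rule.target == "DNAT":
            pkt.dst = rule.to          # rewrite the destination; nat traversal ends
            return "DNAT"
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        verdict = walk_chain(chains, rule.target, pkt)   # jump to a user chain
        if verdict is not None:
            return verdict             # a user chain that falls through RETURNs
    return None


def trace(nat, filt, policies, pkt):
    """Return (deciding chain, verdict, final destination) for an inbound packet."""
    pkt = replace(pkt)                                   # work on a copy
    walk_chain(nat, "PREROUTING", pkt)                   # nat PREROUTING runs first
    chain = "INPUT" if pkt.dst in LOCAL_ADDRS else "FORWARD"   # routing decision
    verdict = walk_chain(filt, chain, pkt) or policies[chain]   # policy if it falls through
    return chain, verdict, pkt.dst


# The rulesets as listed in the post (ssh = 22, auth = 113).
NAT_POSTED = {"PREROUTING": [Rule("DNAT", in_iface="ppp+", dport=6004, to="192.168.155.205")]}
NAT_EMPTY = {"PREROUTING": []}
FILTER_POSTED = {
    "INPUT": [Rule("ACCEPT", dport=6004), Rule("ACCEPT", dport=22),
              Rule("ACCEPT", dport=113), Rule("local")],
    "FORWARD": [Rule("local")],
    "local": [Rule("ACCEPT", states=("RELATED", "ESTABLISHED")),
              Rule("ACCEPT", in_iface="!ppp+", states=("NEW",)),
              Rule("DROP")],
}
POLICIES = {"INPUT": "ACCEPT", "FORWARD": "ACCEPT"}

# Constructed inbound SYN from the external box to the ppp0 address, port 6004.
SYN = Packet(in_iface="ppp0", dst="203.0.113.10", dport=6004)


def without_dnat():
    """Step 2 of the post: INPUT accepts locally, nothing listens -> refused."""
    return trace(NAT_EMPTY, FILTER_POSTED, POLICIES, SYN)


def with_dnat():
    """Step 3 of the post: DNAT'd packet goes to FORWARD -> local -> final DROP."""
    return trace(NAT_POSTED, FILTER_POSTED, POLICIES, SYN)


def with_dnat_and_forward_accept():
    """Assumed fix: let NEW connections to the forwarded port through FORWARD."""
    filt = {k: list(v) for k, v in FILTER_POSTED.items()}
    filt["FORWARD"].insert(0, Rule("ACCEPT", in_iface="ppp+", dport=6004, states=("NEW",)))
    return trace(NAT_POSTED, filt, POLICIES, SYN)


if __name__ == "__main__":
    for fn in (without_dnat, with_dnat, with_dnat_and_forward_accept):
        print(fn.__name__, "->", fn())
```

In this model the SYN that was accepted by INPUT before DNAT is, after DNAT, handed to FORWARD, where the `local` chain accepts NEW only when the input interface is not `ppp+` and then drops; the dropped SYN is what a client sees as a hang rather than a refusal. The equivalent check on a real box is to watch the `pkts` counters of the FORWARD and `local` rules while retrying the connection.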