SNAT/DNAT: Why packets traverse INPUT-chain???

Hamppu Ratanen hamppuratanen@hotmail.com
Mon, 30 Jul 2001 19:37:45 +0000


Hi,

After trying nearly everything possible I have to ask this question here.

My ISP gives me 4 static IPs. I have 3 machines, one of them is a Linux box 
with a 2.4.6 kernel. Here is a diagram of my setup:

------------------------------------------------
ADSL-modem             IP-address 10.xxx.yyy.153
Linux Box        eth1  IP-address 10.xxx.yyy.155
                 eth0  IP-address 192.168.0.1
WinDOHs box #1         IP-address 192.168.0.100
WinDOHs box #2         IP-address 192.168.0.101
------------------------------------------------

What I want is to have WinBox#1 NAT to 10.xxx.yyy.157 (one of my static 
IPs) and WinBox#2 NAT to 10.xxx.yyy.158. This is what I think I have 
accomplished, as I am able to browse the net, use FTP etc. from the WinBoxes. 
I am even able to play Starcraft from the WinBoxes (in the same game) but I 
am NOT able to host a game of Starcraft, which annoys me greatly ;).

I used tcpdump and checked my firewall logs, and it seems that packets that 
should be NATted to either one of the WinBoxes (hosting the Starcraft game) 
hit the rules in my INPUT-chain and not the FORWARD-chain. Opening the ports 
Starcraft uses in the INPUT-chain did not solve the problem.

So my question is: what am I doing wrong? Why do the packets coming from the 
internet hit the INPUT-chain?

Here is a clip of the scripts I am using:
----------------------------------------------------------------------------------
# $IT = iptables; $EXTIF = the ADSL-facing interface (eth1 in the diagram above);
# $LANIF = the LAN-facing interface (eth0); $LANIP is not defined in this clip.

# Outbound: rewrite the source of each LAN host to its own public address
# as the packet leaves on the external interface.
$IT -t nat -A POSTROUTING -o $EXTIF -j SNAT -s 192.168.0.100 --to 10.xxx.yyy.156
$IT -t nat -A POSTROUTING -o $EXTIF -j SNAT -s 192.168.0.101 --to 10.xxx.yyy.157

# Inbound: rewrite the destination of packets that arrive on $LANIF and are
# addressed to one of the public aliases, before the routing decision is made.
$IT -t nat -A PREROUTING -i $LANIF -j DNAT -d 10.xxx.yyy.156 --to 192.168.0.100
$IT -t nat -A PREROUTING -i $LANIF -j DNAT -d 10.xxx.yyy.157 --to 192.168.0.101

# Make the Linux box answer ARP for the extra public addresses on eth1.
ip address add 10.xxx.yyy.156 dev eth1
ip address add 10.xxx.yyy.157 dev eth1

# Filter: allow the Starcraft ports through FORWARD for packets that come in
# on the external interface and are addressed to $LANIP.
$IT -A FORWARD -j ACCEPT -i $EXTIF -d $LANIP -p tcp --dport 4000
$IT -A FORWARD -j ACCEPT -i $EXTIF -d $LANIP -p udp --dport 4000
$IT -A FORWARD -j ACCEPT -i $EXTIF -d $LANIP -p tcp --dport 6112:6119
$IT -A FORWARD -j ACCEPT -i $EXTIF -d $LANIP -p udp --dport 6112:6119
----------------------------------------------------------------------------------

Thanks in advance!

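The following is an added example, not part of the original post or of any netfilter code: a small Python model of the part of netfilter traversal the question is about. It parses the subset of iptables syntax used above, runs an inbound packet through nat PREROUTING, the routing decision, and then the filter INPUT or FORWARD chain, and shows why the chain a packet lands in depends on whether a DNAT rule rewrote its destination before routing. A destination that is still one of the box's own addresses (such as an alias added with ip address add) is routed locally, so the packet is evaluated by INPUT and never reaches FORWARD. Assumptions: $EXTIF is eth1 and $LANIF is eth0 as in the diagram, $LANIP stands for the LAN host, the FORWARD policy is DROP, and all addresses (203.0.113.0/24, 198.51.100.0/24) are constructed stand-ins for the 10.xxx.yyy block. Conntrack, POSTROUTING and the reply path are not modelled.

```python
"""Constructed model of netfilter traversal for one inbound packet (added example)."""
import shlex
from dataclasses import dataclass, replace
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    in_if: str
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    table: str
    chain: str
    target: str
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[Tuple[int, int]] = None   # inclusive (low, high)
    to: Optional[str] = None                  # --to address for SNAT/DNAT


def parse_rule(line: str) -> Rule:
    """Parse the subset of iptables options used in the post ($IT = iptables)."""
    toks = shlex.split(line)
    if toks and toks[0] in ("$IT", "iptables"):
        toks = toks[1:]
    kw = {"table": "filter"}          # iptables default table
    i = 0
    while i < len(toks):
        opt, val = toks[i], toks[i + 1]
        if opt == "-t":
            kw["table"] = val
        elif opt == "-A":
            kw["chain"] = val
        elif opt == "-j":
            kw["target"] = val
        elif opt == "-i":
            kw["in_if"] = val
        elif opt == "-o":
            kw["out_if"] = val
        elif opt == "-s":
            kw["src"] = val
        elif opt == "-d":
            kw["dst"] = val
        elif opt == "-p":
            kw["proto"] = val
        elif opt == "--dport":
            lo, _, hi = val.partition(":")
            kw["dport"] = (int(lo), int(hi or lo))
        elif opt == "--to":
            kw["to"] = val
        else:
            raise ValueError(f"unsupported option in this model: {opt}")
        i += 2
    return Rule(**kw)


def matches(rule: Rule, pkt: Packet) -> bool:
    """Exact-match semantics for the fields the model supports."""
    if rule.in_if and rule.in_if != pkt.in_if:
        return False
    if rule.src and rule.src != pkt.src:
        return False
    if rule.dst and rule.dst != pkt.dst:
        return False
    if rule.proto and rule.proto != pkt.proto:
        return False
    if rule.dport and not (rule.dport[0] <= pkt.dport <= rule.dport[1]):
        return False
    return True


def traverse(pkt: Packet, rules, local_addrs, policy="DROP"):
    """Return (filter chain used, verdict, final destination) for an inbound packet."""
    # 1. nat PREROUTING: the first matching DNAT rule rewrites the destination.
    for r in rules:
        if r.table == "nat" and r.chain == "PREROUTING" and r.target == "DNAT" and matches(r, pkt):
            pkt = replace(pkt, dst=r.to)
            break
    # 2. Routing decision on the (possibly rewritten) destination: a local
    #    address means INPUT, anything else means FORWARD.
    chain = "INPUT" if pkt.dst in local_addrs else "FORWARD"
    # 3. filter chain: first matching rule decides, otherwise the chain policy.
    verdict = policy
    for r in rules:
        if r.table == "filter" and r.chain == chain and matches(r, pkt):
            verdict = r.target
            break
    return chain, verdict, pkt.dst


# Constructed topology (assumption: EXTIF=eth1, LANIF=eth0, LANIP = the LAN host).
EXTIF, LANIF = "eth1", "eth0"
PUBLIC_1, LAN_1 = "203.0.113.156", "192.168.0.100"
LOCAL_ADDRS = {"203.0.113.155", PUBLIC_1, "192.168.0.1"}   # eth1, its alias, eth0


def build_rules(dnat_iface: str):
    """Rules in the shape of the post, with the DNAT input interface as a parameter."""
    lines = [
        f"$IT -t nat -A POSTROUTING -o {EXTIF} -j SNAT -s {LAN_1} --to {PUBLIC_1}",
        f"$IT -t nat -A PREROUTING -i {dnat_iface} -j DNAT -d {PUBLIC_1} --to {LAN_1}",
        f"$IT -A FORWARD -j ACCEPT -i {EXTIF} -d {LAN_1} -p tcp --dport 6112:6119",
        f"$IT -A FORWARD -j ACCEPT -i {EXTIF} -d {LAN_1} -p udp --dport 6112:6119",
    ]
    return [parse_rule(ln) for ln in lines]


# Constructed inbound game packet from a remote player to the public alias.
INBOUND = Packet(in_if=EXTIF, src="198.51.100.7", dst=PUBLIC_1, proto="udp", dport=6112)


def dnat_on_lan_iface():
    """DNAT rule matching -i LANIF: never sees traffic arriving on EXTIF."""
    return traverse(INBOUND, build_rules(LANIF), LOCAL_ADDRS)


def dnat_on_ext_iface():
    """DNAT rule matching -i EXTIF: destination rewritten before routing."""
    return traverse(INBOUND, build_rules(EXTIF), LOCAL_ADDRS)


if __name__ == "__main__":
    print("DNAT on LAN iface:", dnat_on_lan_iface())   # lands in INPUT
    print("DNAT on EXT iface:", dnat_on_ext_iface())   # lands in FORWARD
```

Running the block prints the two traversals side by side: with the DNAT rule keyed to the LAN interface the packet's destination is still the box's own alias, so it is routed to INPUT and meets that chain's policy; with the rule keyed to the external interface the destination is rewritten to the LAN host first, the packet goes to FORWARD and the port rule there sees it. The same model is a cheap way to sanity-check a ruleset before loading it, and the INPUT log hits described in the post are exactly what the first case produces.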