Trying to set up NAT

Christoph Galuschka christoph.galuschka at tikom.at
Fri Apr 1 18:13:33 CEST 2005


Hello,

thanks Jörg for the help. It helped me solve the problem.

First I had to enable forwarding on the machine (echo 1 > 
/proc/sys/net/ipv4/ip_forward). Then I wrote four rules, one for 
postrouting and one for prerouting, and two for forwarding to 
and from the new destination.

And everything works :)

thanks and have a nice weekend.

Christoph


On 1 Apr 2005 at 17:57, Jörg Harmuth wrote:

> Hi Christoph,
> 
> unfortunately you don't provide any information about your rule set.
> So this is only a wild guess.
> 
> I assume your ruleset looks something like this:
> 
> iptables -L -t nat:
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> DNAT       tcp  --  anywhere             anywhere            tcp \
> dpt:15000 to:10.1.1.2:80
> 
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> MASQUERADE  all  --  anywhere             anywhere
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> Also assuming that a client - say 10.10.10.3 - tries to connect to
> 10.10.10.1:15000 you have a conntrack entry like this:
> 
> cat /proc/net/ip_conntrack | grep -i unreplied:
> tcp      6 80 SYN_SENT src=10.1.1.3 dst=10.1.1.1 sport=1759 \
> dport=15000 [UNREPLIED] src=10.10.10.2 dst=10.10.10.3 sport=80 \
> dport=1759 use=1
> 
> As you can see client 10.10.10.2 gets an answer package from
> 10.10.10.3 but expects the answer from 10.10.10.2. If this is your
> scenario you need SNAT too, eg:
> 
> iptables -t nat -A POSTROUTING -p tcp -d 10.10.10.2 --dport 80 -j SNAT \
>   --to 10.10.10.1
> 
> Another possibility is that you didn't allow this traffic in your
> FORWARD chain and the policy is DROP (REJECT). Something like this
> makes it work:
> 
> iptables -A FORWARD -p tcp -d 10.10.10.2 --dport 80 -m state --state \
>   NEW,ESTABLISHED,RELATED -j ACCEPT
> 
> iptables -A FORWARD -p tcp -s 10.10.10.2 --sport 80 -m state --state \
>   ESTABLISHED,RELATED -j ACCEPT
> 
> If you need further help, please post your rule-set.
> 
> HTH and have a nice time
> 
> Jörg
> 
> 
> Christoph Galuschka schrieb:
> 
> > Hello,
> >
> > I've tried the whole day setting up NAT and it won't work. I have
> > the following situation: I have a proxy server (the machine running
> > NAT) and various other machines. I want the proxy server to NAT
> > some incoming connections to other machines. ie: A connection to
> > the proxy (10.1.1.1) on port 15000 should go to another machine
> > (10.1.1.2) on port 80 via the proxy. I have already managed a
> > local NAT (meaning changing ports ie from 15000 to 80 on the
> > proxy), but as soon as I try to DNAT to another machine it won't
> > work anymore.
> >
> > Any help would be appreciated.
> >
> > thanks, happy weekend and regards Christoph
> >
> 
> 
> --
> -----------------------------------------------------------------------
> mnemon
> Jörg Harmuth
> Marie-Curie.Str. 1
> 53359 Rheinbach
> 
> Tel.: (+49) 22 26  87 18 12
> Fax:  (+49) 22 26 87 18 19
> mail: harmuth at mnemon.de
> Web:  http://www.mnemon.de
> PGP-Key: http://www.mnemon.de/keys/harmuth_mnemon.asc
> PGP-Fingerprint: 692E 4476 0838 60F8 99E2  7F5D B7D7 E48E 267B 204F
> -----------------------------------------------------------------------
> This mail was checked for viruses and other malicious software before
> sending. No malicious software was found.
> 
> This Mail was checked for viruses and other malicious software before
> sending. No malicious software was detected.
> -----------------------------------------------------------------------
> 
> 
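The complete rule set the thread arrives at (forwarding enabled, one PREROUTING DNAT, one POSTROUTING SNAT, two FORWARD rules), as an added example that is not code from either mail. The addresses are the ones quoted in Christoph's question; the variable names, the DRY_RUN switch and the `run`/`nat_rules` helpers are this example's own.

```shell
#!/bin/sh
# Forward PROXY_IP:PROXY_PORT to TARGET_IP:TARGET_PORT through the NAT box.
# Addresses are the ones from the thread; DRY_RUN=1 only prints the commands
# so the rule set can be reviewed before it is applied as root.
PROXY_IP=${PROXY_IP:-10.1.1.1}
PROXY_PORT=${PROXY_PORT:-15000}
TARGET_IP=${TARGET_IP:-10.1.1.2}
TARGET_PORT=${TARGET_PORT:-80}
DRY_RUN=${DRY_RUN:-1}   # 1: print the commands, 0: execute them (needs root)

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Emit (or apply) the four rules plus the forwarding switch for one service.
nat_rules() {
    # 1. Same as "echo 1 > /proc/sys/net/ipv4/ip_forward": without this the
    #    kernel never routes the DNAT'd packet towards the target.
    run sysctl -w net.ipv4.ip_forward=1
    # 2. Rewrite the destination before routing: proxy:15000 -> target:80.
    run iptables -t nat -A PREROUTING -p tcp -d "$PROXY_IP" --dport "$PROXY_PORT" \
        -j DNAT --to-destination "$TARGET_IP:$TARGET_PORT"
    # 3. Rewrite the source after routing so the target answers the proxy.
    #    Needed whenever the target's route back to the client does not pass
    #    through the NAT box; otherwise conntrack stays [UNREPLIED].
    run iptables -t nat -A POSTROUTING -p tcp -d "$TARGET_IP" --dport "$TARGET_PORT" \
        -j SNAT --to-source "$PROXY_IP"
    # 4. Let only this flow and its replies through a DROP-policy FORWARD chain.
    run iptables -A FORWARD -p tcp -d "$TARGET_IP" --dport "$TARGET_PORT" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -p tcp -s "$TARGET_IP" --sport "$TARGET_PORT" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

nat_rules
```

After applying with DRY_RUN=0, `iptables -t nat -L -n -v` and `iptables -L FORWARD -n -v` show per-rule packet counters, which tell you at which of the three steps a failing connection stops.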
