
List:       netfilter
Subject:    Re: FAQ: Cannot port forward/DNAT
From:       /dev/rob0 <rob0 () gmx ! co ! uk>
Date:       2012-08-08 20:08:12
Message-ID: 20120808200812.GJ3672 () harrier ! slackbuilds ! org

On Wed, Aug 08, 2012 at 01:07:59PM -0400, Mauricio Tavares wrote:
>       This is a trivial question; I have done this many times before,
> but I must be missing something here and just can't see what. So, I
> have a firewall where eth0 faces the external network
> (192.168.42.0/24) and eth1 the internal one (10.0.0.0/24). Now, I want

First off, you should never NAT from one RFC 1918 network to another. 
Simply set up proper routing on both sides and enjoy.

> to have a machine in the external net access, through port 2424, host
> 10.0.0.20 in internal network, at the same port since I am lazy. So I
> have
> 
> iptables -A FORWARD -i eth0 -o eth1 -m comment --comment "internet (eth0) to internal subnet (eth1) " -j ACCEPT
> iptables -A INPUT -i eth0 -p tcp -m tcp --dport 2424 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A PREROUTING -i eth0 -p tcp -m tcp --dport 2424 -j DNAT --to-destination 10.0.0.20:2424

Why not just directly connect to this 10.0.0.20:2424 ? What is the 
purpose of the DNAT?

> And I am not detecting any traffic on that port in 10.0.0.20 (I used
> netcat to listen at that port). Could the rest of my firewall rules be
> interfering with that? Or could it be something else; they are all in
> a vm server, so I want to verify first my iptable rules make sense.
> 
> For the sake of completeness, I have included my current firewall rules below:
> 
> # Generated by iptables-save v1.4.10 on Wed Aug  8 11:38:31 2012
> *mangle
> :PREROUTING ACCEPT [1367372:206923329]
> :INPUT ACCEPT [660972:49675926]
> :FORWARD ACCEPT [706400:157247403]
> :OUTPUT ACCEPT [658176:163253429]
> :POSTROUTING ACCEPT [1364576:320500832]
> COMMIT
> # Completed on Wed Aug  8 11:38:31 2012
> # Generated by iptables-save v1.4.10 on Wed Aug  8 11:38:31 2012
> *nat
> :PREROUTING ACCEPT [660101:48069054]
> :INPUT ACCEPT [643521:47000112]
> :OUTPUT ACCEPT [8489:647170]
> :POSTROUTING ACCEPT [8489:647170]
> -A PREROUTING -i eth0 -p tcp -m tcp --dport 2424 -j DNAT --to-destination 10.0.0.20:2424
> -A POSTROUTING -s 10.0.0.0/24 -o eth0 -m comment --comment "NAT for internal network" -j SNAT --to-source 192.168.42.90
> -A POSTROUTING -m comment --comment "Loopback support" -m mark --mark 0xd001 -j SNAT --to-source 192.168.42.90
> COMMIT
> # Completed on Wed Aug  8 11:38:31 2012
> # Generated by iptables-save v1.4.10 on Wed Aug  8 11:38:31 2012
> *filter
> :INPUT DROP [2564:82048]
> :FORWARD DROP [0:0]

Nothing is hitting this policy. Probably because you ACCEPT 
everything in the FORWARD chain.

> :OUTPUT ACCEPT [8489:647170]
> :SERVICES - [0:0]
> -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow existing connections or their relatives" -j ACCEPT
> -A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -m comment --comment "Only allow 1 ping per sec" -j ACCEPT
> -A INPUT -i lo -m comment --comment "allow all localhost traffic" -j ACCEPT
> -A INPUT -s 10.0.0.0/24 -m comment --comment "Allow internal network traffic" -j ACCEPT
> -A INPUT -j SERVICES
> -A INPUT -i eth0 -p tcp -m tcp --dport 2424 -m state --state NEW,ESTABLISHED -j ACCEPT
> -A FORWARD -m state --state RELATED,ESTABLISHED -m comment --comment "always allow related/established connections" -j ACCEPT
> -A FORWARD -i eth0 -o eth1 -m comment --comment "internet (eth0) to internal subnet (eth1) " -j ACCEPT
> -A FORWARD -i eth1 -o eth0 -m comment --comment "internal subnet (eth1) to internet (eth0)" -j ACCEPT
> -A FORWARD -i eth1 -o eth1 -m comment --comment "allow stuff looping back to itself on internal subnet" -j ACCEPT
> -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A SERVICES -p tcp -m tcp --dport 22 -m comment --comment "SSH Server (sshd)" -j ACCEPT
> COMMIT
> # Completed on Wed Aug  8 11:38:31 2012
> 
> 
> sysctl -p
> net.ipv4.ip_forward = 1
> net.ipv4.conf.all.accept_redirects = 0
> net.ipv4.conf.default.accept_redirects = 0
> net.ipv4.conf.all.send_redirects = 0
> net.ipv4.conf.default.send_redirects = 0

You put enough information here to say definitely that the firewall 
isn't blocking this traffic. I'm guessing that what you missed is 
that return packets are not SNATed. See the Frozentux iptables 
tutorial DNAT page for a detailed discussion of this.

But no, don't SNAT. As above, when your routing is right, you can 
directly connect to 10.0.0.20:2424 from hosts in the 192.168.42.0/24 
segment.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
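Added example, not code from either poster: a toy Python model of the connection-tracked DNAT in the thread, showing why the reply's return path decides whether the client ever sees a usable SYN-ACK, and why rob0's plain-routing alternative has no translation state to get wrong. The firewall's eth0 address 192.168.42.90 and the target 10.0.0.20:2424 come from the thread; the firewall's eth1 address 10.0.0.1 and the client 192.168.42.10:40000 are assumptions.

```python
"""Toy model of a connection-tracked DNAT on the thread's firewall.

Added example, not the poster's or rob0's code. Known from the thread:
eth0 is 192.168.42.90, the server is 10.0.0.20:2424. Assumed/constructed:
the firewall's eth1 address 10.0.0.1 and the client 192.168.42.10:40000.
"""
from dataclasses import dataclass, replace

FW_EXT = "192.168.42.90"   # firewall eth0 (from the thread)
FW_INT = "10.0.0.1"        # firewall eth1 (assumption)
SERVER = "10.0.0.20"       # DNAT target (from the thread)
CLIENT = "192.168.42.10"   # constructed host on the external segment


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Firewall:
    """PREROUTING DNAT, optional POSTROUTING SNAT, and the conntrack entry
    that lets the reply be translated back. Everything else is forwarded
    untouched, matching the ACCEPT-everything FORWARD chain in the thread."""

    def __init__(self, dnat_port, dnat_target, snat_replies=False):
        self.dnat_port = dnat_port
        self.dnat_target = dnat_target
        self.snat_replies = snat_replies
        self.table = {}  # reply 4-tuple -> original (pre-NAT) packet

    def forward(self, pkt, in_iface):
        """Return the packet as it leaves the firewall."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.table:
            # Reply direction: undo DNAT (and SNAT, if any) from conntrack state.
            orig = self.table[key]
            return Packet(orig.dst, orig.dport, orig.src, orig.sport)
        if in_iface == "eth0" and pkt.dst == FW_EXT and pkt.dport == self.dnat_port:
            out = replace(pkt, dst=self.dnat_target)
            if self.snat_replies:
                # SNAT to the eth1 address so the server must answer via the firewall.
                out = replace(out, src=FW_INT)
            self.table[(out.dst, out.dport, out.src, out.sport)] = pkt
            return out
        return pkt


def server_reply(pkt, gateway_is_firewall):
    """10.0.0.20 answers whatever source it saw. Returns (reply, via_firewall):
    an on-link destination is delivered directly, anything else follows the
    server's default route, which is the firewall only if so configured."""
    reply = Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)
    on_link = reply.dst.startswith("10.0.0.")
    via_fw = reply.dst == FW_INT or (not on_link and gateway_is_firewall)
    return reply, via_fw


def client_accepts(reply, syn):
    """A SYN-ACK is accepted only if it mirrors the 4-tuple the client sent."""
    return (reply.src, reply.sport, reply.dst, reply.dport) == (
        syn.dst, syn.dport, syn.src, syn.sport)


def run_dnat(gateway_is_firewall, snat_replies=False):
    """Client connects to the firewall's eth0 address; DNAT sends it on to the server."""
    fw = Firewall(2424, SERVER, snat_replies)
    syn = Packet(CLIENT, 40000, FW_EXT, 2424)
    reply, via_fw = server_reply(fw.forward(syn, "eth0"), gateway_is_firewall)
    if via_fw:
        reply = fw.forward(reply, "eth1")   # reverse translation happens here
    return client_accepts(reply, syn)


def run_routed(gateway_is_firewall):
    """rob0's alternative: no NAT, the client addresses 10.0.0.20 directly."""
    fw = Firewall(2424, SERVER)
    syn = Packet(CLIENT, 40000, SERVER, 2424)
    reply, via_fw = server_reply(fw.forward(syn, "eth0"), gateway_is_firewall)
    if via_fw:
        reply = fw.forward(reply, "eth1")   # nothing to translate; passes through
    return client_accepts(reply, syn)


if __name__ == "__main__":
    print("DNAT, server's gateway is the firewall:", run_dnat(True))         # True
    print("DNAT, reply bypasses the firewall:     ", run_dnat(False))        # False
    print("DNAT + SNAT, reply forced via firewall:", run_dnat(False, True))  # True
    print("Plain routing, either return path:     ", run_routed(True), run_routed(False))  # True True
```

The failing case is the one rob0 points at: when 10.0.0.20's reply does not pass back through the box that holds the conntrack entry, the client receives a SYN-ACK from 10.0.0.20 instead of 192.168.42.90 and discards it. Adding SNAT makes the model pass, but at the cost of the server seeing every client as the firewall, which is why the advice in the thread is to fix routing instead; the routed variant works whichever way the reply comes back because there is no translation to undo.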