Can't DNAT with iptables
I've set up a test environment to develop an iptables script. I can do
SNAT fine ("Last login from ..." tells me that SNAT is working fine),
but I can't do DNAT (translate external IP 100.1.1.106 to internal IP
192.168.1.106, port 22). I have a router and a firewall on each side,
all with RH7.3, and can successfully ssh into each firewall from a
client machine behind the firewall on the other side of the router, so I
know my routing is working. When I try to ssh into 100.1.1.106 from the
client behind the 100.2.2.2 firewall I get a 'no route to host'
message.
Here are some pertinent lines, in order, from my script:
/sbin/modprobe ip_tables
/sbin/modprobe iptable_nat
IPTABLES=/sbin/iptables
$IPTABLES --flush
$IPTABLES --flush -t nat
$IPTABLES --delete-chain
$IPTABLES --delete-chain -t nat
# Default policies (the post summarises this step as
# "< set INPUT, OUTPUT, FORWARD policies to DROP >")
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
# Destination NAT
$IPTABLES -t nat -A PREROUTING -i eth1 -d 100.1.1.106 -p tcp --dport 22 \
    -j DNAT --to 192.168.1.106:22
Here's a listing of the nat rules when this rule is in place:
# /sbin/iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             100.1.1.106          tcp dpt:ssh to:192.168.1.106:22

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  192.168.1.0/24       anywhere             to:100.1.1.2

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Any ideas?
--
Dan Fleischer
Systems Administrator
Bank & Trust Co.
401 N. Madison St.
Litchfield, IL 62056
Ph. 217-324-3935
http://www.bank-and-trust.com
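Editor's note, added here as an example and not part of the post above or the poster's script: the nat listing shows the DNAT rule is loaded, but two things a DNAT to a second public address needs are absent from the script as quoted. First, 100.1.1.106 is not an address the firewall owns (its outside address is 100.1.1.2, as the SNAT rule shows), so the upstream router's ARP request for 100.1.1.106 goes unanswered and the router returns ICMP host unreachable, which ssh on the client reports as "no route to host"; a packet dropped by the DROP policy would time out instead, so the error text itself distinguishes the two cases. Second, with a FORWARD policy of DROP, the ESTABLISHED,RELATED rule cannot match the first SYN of a connection, so the NEW packet (already rewritten to 192.168.1.106 by the time FORWARD sees it) needs its own ACCEPT. The script below shows both fixes together with the DNAT rule. It assumes eth1 is the outside interface and eth0 the inside one (the post names only eth1), and it prints the commands instead of running them unless APPLY=1 is set, so it can be read and checked before it touches a live firewall.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumptions: eth1 = outside
# interface, eth0 = inside interface, 100.1.1.2 is the firewall's own
# outside address, and the extra public address 100.1.1.106 must be
# mapped to 192.168.1.106:22. Commands are echoed unless APPLY=1.
IPTABLES=${IPTABLES:-/sbin/iptables}
IP=${IP:-/sbin/ip}
APPLY=${APPLY:-0}

# Run the command, or print it when not applying (default).
run() {
    if [ "$APPLY" = "1" ]; then "$@"; else echo "$*"; fi
}

# Everything the DNAT needs beyond the PREROUTING rule itself.
dnat_ssh_rules() {
    ext_if=eth1; int_if=eth0
    pub=100.1.1.106; priv=192.168.1.106

    # 1. Own the public address. The router ARPs for 100.1.1.106 on the
    #    100.1.1.0/24 segment; if nothing answers it sends ICMP host
    #    unreachable back ("no route to host" on the client) and the SYN
    #    never reaches this box's PREROUTING chain at all. Adding the
    #    address as a /32 on the outside interface makes the kernel
    #    answer ARP for it. (ifconfig eth1:0 ... would do the same.)
    run "$IP" addr add "$pub/32" dev "$ext_if"

    # 2. Rewrite the destination before the routing decision.
    run "$IPTABLES" -t nat -A PREROUTING -i "$ext_if" -d "$pub" \
        -p tcp --dport 22 -j DNAT --to-destination "$priv:22"

    # 3. Let the first packet through. FORWARD's policy is DROP and the
    #    ESTABLISHED,RELATED rule cannot match a connection's first SYN,
    #    so the NEW packet (now addressed to $priv) needs an explicit
    #    ACCEPT. The reply path needs nothing extra: conntrack reverses
    #    the DNAT on packets from $priv and the existing ESTABLISHED
    #    rule in FORWARD accepts them.
    run "$IPTABLES" -A FORWARD -i "$ext_if" -o "$int_if" -d "$priv" \
        -p tcp --dport 22 -m state --state NEW -j ACCEPT
}

dnat_ssh_rules
```

To confirm which of the two problems is in play on a live box, watch the outside interface while retrying from the client: `tcpdump -ni eth1 arp or tcp port 22` shows whether the router's ARP request for 100.1.1.106 gets an answer and whether the SYN arrives at all; then `iptables -t nat -L PREROUTING -n -v` and `iptables -L FORWARD -n -v` show whether the DNAT rule's and the NEW-state ACCEPT rule's packet counters climb. If the SYN arrives but the FORWARD counter stays at zero, the FORWARD rule is missing; if the SYN never arrives, the ARP question is unanswered.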