
NAT not working

Status
Not open for further replies.

QatQat
Nov 16, 2001
Hi there,

I am trying to redirect the RADMIN service to a windoz box on the LAN.

Linux router with ADSL connection (ppp0) and RH9:

iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 4899 -j DNAT --to-destination 10.x.x.x:4899

This rule is accepted with no errors but just does not do anything.
I had to upgrade iptables to 1.2.9 as it was complaining "nat table not existing".
To check that my nat module was working, I masqueraded internal addresses to share the ADSL connection and it worked.

What can be wrong?

Thanks


QatQat

Life is what happens when you are making other plans.
 
Are you forwarding the packet after DNAT'ing it?


--== Anything can go wrong. It's just a matter of how far wrong it will go till people think it's right. ==--
 
Do you mean another rule in the FORWARD chain?

Do I need it? I am running just the above rule on a Fedora box and it seems sufficient. Would RH9 be different?


Thanks

QatQat

Life is what happens when you are making other plans.
 
Yes, you need another forward rule. But this time, the rule will be based on the DNAT'ed value, i.e.:
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 4899 -j DNAT --to-destination 10.0.0.20:4899
iptables -A FORWARD -p tcp -d 10.0.0.20 --dport 4899 -j ACCEPT


When a packet arrives at your interface, your system will determine if the packet is for the local machine or not. If a packet is destined for the local machine, then the packet is sent to the INPUT chain, else it's sent to the FORWARD chain (if forwarding is enabled). So, if the DNAT'ed packet gets sent to the FORWARD chain and it doesn't match any of the rules in the FORWARD chain, it may simply be dropped.


--== Anything can go wrong. It's just a matter of how far wrong it will go till people think it's right. ==--
 
Thanks, zeland,


Still no luck.
I am thinking that my iptables module is not working correctly; is there a way to check if it has problems?

thanks

QatQat

Life is what happens when you are making other plans.
 
Hi zeland,

Actually, my Fedora box works well using only the nat/PREROUTING rule.
If I add the forward rule you recommended, it then stops forwarding the packets to the windoz box.

Why would Fedora behave differently?

Cheers

QatQat

Life is what happens when you are making other plans.
 
I guess you did not set a default drop-all policy for your chains so packets just march on through. It's recommended to have a default policy of drop-all, then explicitly allow certain packets through. You might want to do this at the beginning of your iptables script:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP


Then, at the end of your script, put in a LOG target:
iptables -A FORWARD -p all -j LOG

This way, nothing gets past your firewall without you knowing it. Also, this serves as a starting point to track illegal access into your network and helps you to trace any screwy rules that you may have set up.


--== Anything can go wrong. It's just a matter of how far wrong it will go till people think it's right. ==--
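The two replies above (the DNAT plus FORWARD pair, and the default-DROP policies with a trailing LOG rule) fit together into one ordered script. The script below is an added example, not code posted in this thread; the interface names, port and LAN address are assumed placeholders, and the ESTABLISHED,RELATED rule is added so that replies from the inside host can get back out once the FORWARD policy is DROP. By default it only prints the iptables commands (DRY_RUN=1) so they can be reviewed before being applied as root on the router.

```shell
#!/bin/sh
# Added example: emit (or apply) the rule set the thread converges on.
# Assumed values; override them from the environment, e.g. LAN_HOST=10.0.0.5
WAN_IF="${WAN_IF:-ppp0}"               # assumed: the ADSL interface
LAN_IF="${LAN_IF:-eth0}"               # assumed: the LAN-facing interface
SERVICE_PORT="${SERVICE_PORT:-4899}"   # assumed: the redirected TCP port
LAN_HOST="${LAN_HOST:-10.0.0.20}"      # assumed: the inside box receiving it
DRY_RUN="${DRY_RUN:-1}"                # 1 = print only, 0 = execute

# run: print the command, and execute it only when DRY_RUN is not 1.
run() {
    echo "$*"
    [ "$DRY_RUN" = "1" ] || "$@"
}

# forwarding_enabled: succeeds when the kernel has ip_forward=1; without it,
# DNAT'ed packets never reach the FORWARD chain at all.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# port_forward_rules: the rules in the order they must be loaded.
port_forward_rules() {
    # Default DROP policies: anything not explicitly allowed is denied.
    # (The router's own INPUT/OUTPUT allow rules are not shown here.)
    run iptables -P INPUT DROP
    run iptables -P OUTPUT DROP
    run iptables -P FORWARD DROP

    # Return traffic for connections already accepted, so replies from the
    # LAN host can travel back to the outside client.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Rewrite the destination before the routing decision is made.
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp \
        --dport "$SERVICE_PORT" -j DNAT --to-destination "$LAN_HOST:$SERVICE_PORT"

    # FORWARD sees the rewritten address, so the accept rule matches on it.
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$LAN_HOST" \
        --dport "$SERVICE_PORT" -m state --state NEW -j ACCEPT

    # Outbound masquerading for LAN clients (the part already working).
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE

    # Log whatever reaches the end of FORWARD without matching a rule;
    # these lines in the kernel log are where a silently dropped
    # port-forward shows up.
    run iptables -A FORWARD -j LOG --log-prefix "FORWARD-DROP: "
}

# Stand-alone use: warn if forwarding is off, then print or apply the rules.
if forwarding_enabled; then :; else
    echo "# warning: net.ipv4.ip_forward is not 1; set it with sysctl first" >&2
fi
port_forward_rules
```

Run it once with the default DRY_RUN=1 to read the generated commands, then as root with DRY_RUN=0 to apply them. The ordering matters: the DNAT rule comes first in the nat table so FORWARD is evaluated against the translated 10.0.0.20 address, and the LOG rule stays last so it only records packets nothing else claimed.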
 
Very right.

Thanks for the advice.

In that case I will have to create a new chain that includes INPUT and FORWARD; otherwise I will have to specifically let each packet through by writing two rules.


Thanks again.

QatQat
Life is what happens when you are making other plans.
 