I've got a Centos 5.4 box with a 2.6.18 kernel and two Ethernet interfaces. eth0 is the primary, 192.168.201.50, gateway 192.168.201.1 eth1 is connected to another subnet for port forwarding ...
  1. #1
    Just Joined!
    Join Date
    May 2010
    Posts
    9

    Port forwarding with translation?


    I've got a Centos 5.4 box with a 2.6.18 kernel and two Ethernet interfaces.

    eth0 is the primary, 192.168.201.50, gateway 192.168.201.1

    eth1 is connected to another subnet for port forwarding only, it's 192.168.200.10, and has no gateway.

    This seems to work, I can see the http server from both networks, and the box gets out to the Internet via eth0 as it should.

    I want to do a bunch of things like:

    If a connection comes in to eth1, to 192.168.200.10, on port 54321, I want that connection forwarded to a separate device on eth0, 192.168.201.51, port 80

    I've got a script I've been fiddling with that does:

    # load the NAT module
    modprobe iptable_nat

    # enable IP forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward

    iptables --flush

    iptables -A FORWARD -j LOG

    iptables --append PREROUTING --table nat --proto tcp --in-interface eth1 --destination 192.168.200.10 --dport 54321 --sport 1024:65535 --jump DNAT --to-destination 192.168.201.51:80

    iptables --append FORWARD --proto tcp --in-interface eth1 --destination 192.168.201.51 --dport 80 --sport 1024:65535 --match state --state NEW --out-interface eth0 --jump ACCEPT

    iptables --append FORWARD --table filter --out-interface eth1 --match state --state NEW,ESTABLISHED,RELATED --jump ACCEPT

    iptables --append FORWARD --table filter --in-interface eth1 --match state --state NEW,ESTABLISHED,RELATED --jump ACCEPT

    iptables --list

    but it doesn't seem to work. I'm getting messages along the lines of:

    May 15 09:57:37 camsrv01 kernel: IN=eth1 OUT=eth0 SRC=192.168.200.200 DST=192.168.201.51 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=8919 DF PROTO=TCP SPT=1232 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0

    in /var/log/messages

    Any idea what I'm doing wrong?

    Thanks!

  2. #2
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    What is the output of the following command;

    Code:
    iptables -L
    Use the CODE tags to keep the format please.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  3. #3
    Just Joined!
    Join Date
    May 2010
    Posts
    9
    Quote Originally Posted by Lazydog View Post
    What is the output of the following command;

    Code:
    iptables -L
    Use the CODE tags to keep the format please.

    Code:
    [root@camsrv01 ~]# iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    LOG        all  --  anywhere             anywhere            LOG level warning 
    ACCEPT     tcp  --  anywhere             192.168.201.51      tcp spts:1024:65535 dpt:http state NEW 
    ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED 
    ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED 
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    [root@camsrv01 ~]#

  5. #4
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    OK, I've just looked at your log file part that you posted. Why are you thinking it is not working? It set the destination address to what you want and also the port.

  6. #5
    Just Joined!
    Join Date
    May 2010
    Posts
    9
    Well, when I point a browser on a computer (192.168.200.200) on the eth1 LAN at the box, I can see the default website at 192.168.200.10, but I get a timeout when pointing at 192.168.200.10:54321, and I get three instances of:

    Code:
    May 21 20:24:48 camsrv01 kernel: IN=eth1 OUT=eth0 SRC=192.168.200.200 DST=192.168.201.51 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=205 DF PROTO=TCP SPT=1053 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
    in /var/log/messages

    [I just confirmed that I can see 192.168.201.51 from a machine on the eth0 LAN]

    In the system log on the destination machine (192.168.200.51, an IP camera) the log says this under network connections:
    Code:
    tcp        0      0 192.168.201.51:80                                   192.168.200.200:1062                                SYN_RECV
    so it looks like the connection request is getting through, but it doesn't appear to come from 192.168.201.50, which means the response won't go back that way, but instead out the default gateway to the Internet, where it won't be routed...

    How do I configure it so it's doing NAT from eth1 to eth0? I thought the DNAT was doing that, but I guess I don't understand this as well as I should.

    Thanks for the replies, BTW, I know how thankless it is to help newbies.

  7. #6
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    OK, since your default policy is to ACCEPT everything, the only real rule you need is the one that does the translation. So give the following a try:

    Code:
    # enable IP forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward
    
    iptables --flush
    iptables -t nat -A PREROUTING -p tcp -i eth1 -d 192.168.200.10 --dport 54321 -j DNAT --to-destination 192.168.201.51:80
    iptables -A FORWARD -j LOG
    Here is a TUTORIAL for IPTABLES. Some light reading

  8. #7
    Just Joined!
    Join Date
    May 2010
    Posts
    9

    No real change

    Quote Originally Posted by Lazydog View Post
    OK, since your default policy is to ACCEPT everything, the only real rule you need is the one that does the translation. So give the following a try:

    Code:
    # enable IP forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward
    
    iptables --flush
    iptables -t nat -A PREROUTING -p tcp -i eth1 -d 192.168.200.10 --dport 54321 -j DNAT --to-destination 192.168.201.51:80
    iptables -A FORWARD -j LOG
    OK, I tried that, and still get the same messages in /var/log/messages, the same timeout on the browser, and the same SYN_RECV at the camera.

    If the source address that the camera sees isn't on the LAN the camera is on, isn't it going to send its reply out the default gateway for its LAN (which has nothing to do with the other LAN)?

    Here is a TUTORIAL for IPTABLES. Some light reading
    I'm working my way through the tutorial, and it looks like in addition to the DNAT I also need to do a SNAT to rewrite the source address, but is that the same as Masquerading?

    Thanks!

  9. #8
    Just Joined!
    Join Date
    May 2010
    Posts
    9

    More info?

    And there's a similar line in /proc/net/ip_conntrack like:

    Code:
    tcp      6 116 SYN_SENT src=192.168.200.200 dst=192.168.200.10 sport=1074 dport=54321 packets=2 bytes=96 [UNREPLIED] src=192.168.201.51 dst=192.168.200.200 sport=80 dport=1074 packets=0 bytes=0 mark=0 secmark=0 use=1
    If that helps any...

  10. #9
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Quote Originally Posted by wpns View Post
    I'm working my way through the tutorial, and it looks like in addition to the DNAT I also need to do a SNAT to rewrite the source address, but is that the same as Masquerading?

    Thanks!
    SNAT isn't needed as the DNAT should be tracking the translations. Masquerading is only needed when you leave your private network and go onto the Public Internet.

  11. #10
    Just Joined!
    Join Date
    May 2010
    Posts
    9
    OK, still only 1/4 way through the tutorial, so I'm probably using the wrong terminology.

    The request from 192.168.200.200 goes to 192.168.200.10:54321 and appears to get properly translated to 192.168.201.51:80

    However, since we didn't rewrite the source address, 192.168.201.51 thinks the request came from 192.168.200.200, and can't get back to the 192.168.200.200 machine with its response.

    Note that the 192.168.200.10 (eth1), 192.168.201.50 (eth0) machine is only a port forwarding 'gateway' between the two subnets, it's not the default gateway for either network.

    Or am I lost in some other way?

    Thanks!
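Added example, not code from the thread: a rule set for exactly the topology described in this post and in #7. Because the camera's default gateway is 192.168.201.1 and not this box, a reply addressed to 192.168.200.200 leaves via that gateway, so the DNAT alone cannot work; adding SNAT on eth0 (to 192.168.201.50) keeps the reply on the box, at the cost that the camera's own logs then show 192.168.201.50 rather than the real client. The function names (`run`, `apply_rules`, `count_unreplied`), the `DRY_RUN` variable and the FORWARD policy of DROP (instead of the thread's ACCEPT) are this example's own choices.

```shell
#!/bin/sh
set -eu

EXT_IF=eth1; EXT_IP=192.168.200.10; EXT_PORT=54321   # clients connect here
INT_IF=eth0; INT_IP=192.168.201.50                   # this box on the camera LAN
CAM_IP=192.168.201.51; CAM_PORT=80                   # the IP camera

# Print the command when DRY_RUN=1 (preview), otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

apply_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -F
    run iptables -t nat -F              # the thread's script only flushed the filter table
    run iptables -P FORWARD DROP        # forward nothing except what is allowed below
    # 1) Rewrite the destination: 192.168.200.10:54321 -> camera:80
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$EXT_IP" --dport "$EXT_PORT" \
        -j DNAT --to-destination "$CAM_IP:$CAM_PORT"
    # 2) Rewrite the source on the way out of eth0, so the camera replies to this box
    #    instead of sending packets for 192.168.200.200 to its own default gateway
    run iptables -t nat -A POSTROUTING -o "$INT_IF" -p tcp -d "$CAM_IP" --dport "$CAM_PORT" \
        -j SNAT --to-source "$INT_IP"
    # 3) Permit exactly that flow, plus its conntrack-matched replies, through FORWARD
    run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$CAM_IP" --dport "$CAM_PORT" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -j LOG --log-prefix "FWD-DROP: "   # log whatever falls through
}

# Count forwarded flows to :54321 that never got an answer (conntrack table on stdin).
# A non-zero count after the rules are loaded means replies still bypass this box.
count_unreplied() {
    grep -c 'dport=54321.*\[UNREPLIED\]' || true
}

# Constructed sample: the conntrack line from the thread, showing the failure symptom.
SAMPLE_CONNTRACK='tcp      6 116 SYN_SENT src=192.168.200.200 dst=192.168.200.10 sport=1074 dport=54321 packets=2 bytes=96 [UNREPLIED] src=192.168.201.51 dst=192.168.200.200 sport=80 dport=1074 packets=0 bytes=0 mark=0 secmark=0 use=1'

case "${1:-}" in
    apply) apply_rules ;;                                   # e.g. DRY_RUN=1 sh fwd.sh apply
    check) count_unreplied < /proc/net/ip_conntrack ;;
    demo)  printf '%s\n' "$SAMPLE_CONNTRACK" | count_unreplied ;;
esac
```

Run with `DRY_RUN=1 sh fwd.sh apply` first to review the generated iptables commands, then `sh fwd.sh check` after a browser attempt to confirm the UNREPLIED entries are gone.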
