- 05-16-2010 #1
Port forwarding with translation?
I've got a Centos 5.4 box with a 2.6.18 kernel and two Ethernet interfaces.
eth0 is the primary, 192.168.201.50, gateway 192.168.201.1
eth1 is connected to another subnet for port forwarding only; it's 192.168.200.10 and has no gateway.
This seems to work, I can see the http server from both networks, and the box gets out to the Internet via eth0 as it should.
I want to do a bunch of things like:
If a connection comes in to eth1, to 192.168.200.10, on port 54321, I want that connection forwarded to a separate device on eth0, 192.168.201.51, port 80
I've got a script I've been fiddling with that does:
# load the NAT module
modprobe iptable_nat
# enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables --flush
iptables -A FORWARD -j LOG
iptables --append PREROUTING --table nat --proto tcp --in-interface eth1 --destination 192.168.200.10 --dport 54321 --sport 1024:65535 --jump DNAT --to-destination 192.168.201.51:80
iptables --append FORWARD --proto tcp --in-interface eth1 --destination 192.168.201.51 --dport 80 --sport 1024:65535 --match state --state NEW --out-interface eth0 --jump ACCEPT
iptables --append FORWARD --table filter --out-interface eth1 --match state --state NEW,ESTABLISHED,RELATED --jump ACCEPT
iptables --append FORWARD --table filter --in-interface eth1 --match state --state NEW,ESTABLISHED,RELATED --jump ACCEPT
iptables --list
but it doesn't seem to work. I'm getting messages along the lines of:
May 15 09:57:37 camsrv01 kernel: IN=eth1 OUT=eth0 SRC=192.168.200.200 DST=192.168.201.51 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=8919 DF PROTO=TCP SPT=1232 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
in /var/log/messages
Any idea what I'm doing wrong?
Thanks!
- 05-20-2010 #2
What is the output of the following command? Use the CODE tags to keep the format please.
Code:
iptables -L
- 05-20-2010 #3
Code:
[root@camsrv01 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            LOG level warning
ACCEPT     tcp  --  anywhere             192.168.201.51      tcp spts:1024:65535 dpt:http state NEW
ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@camsrv01 ~]#
- 05-21-2010 #4
OK, I've just looked at the part of your log file that you posted. Why do you think it is not working? It sets the destination address to what you want, and also the port.
- 05-22-2010 #5
Well, when I point a browser on a computer (192.168.200.200) on the eth1 LAN at the box, I can see the default website at 192.168.200.10, but I get a timeout when pointing at 192.168.200.10:54321, and I get three instances of:
Code:
May 21 20:24:48 camsrv01 kernel: IN=eth1 OUT=eth0 SRC=192.168.200.200 DST=192.168.201.51 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=205 DF PROTO=TCP SPT=1053 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
in /var/log/messages
[I just confirmed that I can see 192.168.201.51 from a machine on the eth0 LAN]
In the system log on the destination machine (192.168.200.51, an IP camera) the log says this under network connections:
Code:
tcp 0 0 192.168.201.51:80 192.168.200.200:1062 SYN_RECV
so it looks like the connection request is getting through, but it doesn't appear to come from 192.168.201.50, which means the response won't go back that way, but instead out the default gateway to the Internet, where it won't be routed...
How do I configure it so it's doing NAT from eth1 to eth0? I thought the DNAT was doing that, but I guess I don't understand this as well as I should.
Thanks for the replies, BTW, I know how thankless it is to help newbies.
- 05-22-2010 #6
OK, since your default policy is to ACCEPT everything, the only real rule you need is the one that does the translation. So give the following a try:
Code:
# enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables --flush
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 192.168.200.10 --dport 54321 -j DNAT --to-destination 192.168.201.51:80
iptables -A FORWARD -j LOG
Here is a TUTORIAL for IPTABLES. Some light reading.
- 05-23-2010 #7
- 05-23-2010 #8
More info?
And there's a similar line in /proc/net/ip_conntrack like:
Code:
tcp 6 116 SYN_SENT src=192.168.200.200 dst=192.168.200.10 sport=1074 dport=54321 packets=2 bytes=96 [UNREPLIED] src=192.168.201.51 dst=192.168.200.200 sport=80 dport=1074 packets=0 bytes=0 mark=0 secmark=0 use=1
If that helps any...
- 05-23-2010 #9
- 05-23-2010 #10
OK, still only 1/4 way through the tutorial, so I'm probably using the wrong terminology.
The request from 192.168.200.200 goes to 192.168.200.10:54321 and appears to get properly translated to 192.168.201.51:80
However, since we didn't rewrite the source address, 192.168.201.51 thinks the request came from 192.168.200.200, and can't get back to the 192.168.200.200 machine with its response.
Note that the 192.168.200.10 (eth1), 192.168.201.50(eth0) machine is only a port forwarding 'gateway' between the two subnets, it's not the default gateway for either network.
Or am I lost in some other way?
Thanks!
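The missing piece the last post describes is a source rewrite: the DNAT in PREROUTING changes where the packet goes, but nothing changes where the camera sends its answer, so a POSTROUTING SNAT to eth0's own address is needed as well. The script below is an added example, not from any poster in this thread. It uses the thread's addresses and ports, tightens the FORWARD chain to just that flow (the thread's boxes run with policy ACCEPT), and includes a check that reads a /proc/net/ip_conntrack entry of the form shown above and tells whether the reply tuple points back at this box; the two sample entries are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). A client on eth1 connects to
# 192.168.200.10:54321; the box forwards it to the camera 192.168.201.51:80
# on eth0 and rewrites the source to its own eth0 address 192.168.201.50.
IN_IF=eth1;  IN_ADDR=192.168.200.10;  IN_PORT=54321
OUT_IF=eth0; OUT_ADDR=192.168.201.50
DST_ADDR=192.168.201.51; DST_PORT=80

# Print the rule set, one command per line (pipe into sh as root to apply it).
nat_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -F
iptables -F FORWARD
iptables -t nat -A PREROUTING -i $IN_IF -p tcp -d $IN_ADDR --dport $IN_PORT -j DNAT --to-destination $DST_ADDR:$DST_PORT
iptables -t nat -A POSTROUTING -o $OUT_IF -p tcp -d $DST_ADDR --dport $DST_PORT -j SNAT --to-source $OUT_ADDR
iptables -A FORWARD -i $IN_IF -o $OUT_IF -p tcp -d $DST_ADDR --dport $DST_PORT -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $OUT_IF -o $IN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P FORWARD DROP
EOF
}

# Check one /proc/net/ip_conntrack line. With DNAT and SNAT in place the
# reply tuple (the second src=/dst= pair) is addressed to OUT_ADDR. A reply
# tuple still aimed at the client means SNAT is missing: the camera will send
# its answer via its own default gateway, not through this box.
# Returns 0 when the entry is correctly translated, 1 otherwise.
conntrack_ok() {
    # The second "dst=" field on the line is the reply direction's destination.
    reply_dst=$(printf '%s\n' "$1" | awk '{n=0; for(i=1;i<=NF;i++) if($i ~ /^dst=/){n++; if(n==2){sub("dst=","",$i); print $i}}}')
    [ "$reply_dst" = "$OUT_ADDR" ]
}

# Constructed sample entries: the first mirrors the thread's UNREPLIED line
# (no SNAT); the second is the same flow once POSTROUTING SNAT is applied.
NO_SNAT='tcp 6 116 SYN_SENT src=192.168.200.200 dst=192.168.200.10 sport=1074 dport=54321 packets=2 bytes=96 [UNREPLIED] src=192.168.201.51 dst=192.168.200.200 sport=80 dport=1074 packets=0 bytes=0 mark=0 secmark=0 use=1'
WITH_SNAT='tcp 6 431999 ESTABLISHED src=192.168.200.200 dst=192.168.200.10 sport=1074 dport=54321 packets=5 bytes=500 src=192.168.201.51 dst=192.168.201.50 sport=80 dport=1074 packets=4 bytes=400 [ASSURED] mark=0 secmark=0 use=1'
```

The sysctl setting is lost at reboot unless net.ipv4.ip_forward = 1 is also put in /etc/sysctl.conf; the SNAT rule hides the real client address from the camera's own logs, which is the price of not being either subnet's default gateway.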