[lug] iptables help
Dan Ferris
dan at usrsbin.com
Sun Oct 21 14:14:04 MDT 2012
I think --to and --to-destination are the same thing.
I have forwarding turned on for all interfaces globally by doing echo 1 > /proc/sys/net/ipv4/ip_forward
I don't have any rules in the forward chain of the filter table. There's
no point, it's set to globally accept.
Weird...
Dan
On 10/21/2012 12:44 AM, Lee Woodworth wrote:
> 1) I've been using --to-destination in DNAT rules.
>
> 2) Does enabling forwarding on a pair of interfaces automatically cause packets
> between them to be forwarded? If not, then maybe you need forwards in
> the FORWARD chain of the filter table.
>
> I happen to have:
>
> /proc/sys/net/ipv4/conf/<if1>/forwarding = 1
> /proc/sys/net/ipv4/conf/<if2>/forwarding = 1
>
> *filter
> -A FORWARD -i <if1> -o <if2> -p tcp -d <int-addr> --dport <port> -j ACCEPT
> -A FORWARD -i <if2> -o <if1> -p tcp -s <int-addr> --sport <port> -j ACCEPT
>
> *nat
> -A PREROUTING -i <if1> -p tcp -d <ext-addr> --dport <port> -j DNAT --to-destination <int-addr>:<port>
>
> Which works in our environment.
>
>
> On 10/20/12 22:59, Dan Ferris wrote:
>> Does anyone know offhand why in the name of holy khutulu something this
>> simple won't just work:
>>
>> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 127.0.0.1:4443
>>
>> ip_forward is turned on. I even added a route in the routing table:
>>
>> route -n
>> Kernel IP routing table
>> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>> 0.0.0.0         192.168.108.1   0.0.0.0         UG    100    0        0 eth0
>> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
>> 192.168.108.0   0.0.0.0         255.255.252.0   U     0      0        0 eth0
>>
>> No firewall rules at all:
>>
>> Chain INPUT (policy ACCEPT 75M packets, 5387M bytes)
>> pkts bytes target prot opt in out source destination
>>
>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>> pkts bytes target prot opt in out source destination
>>
>> Chain OUTPUT (policy ACCEPT 72M packets, 55G bytes)
>> pkts bytes target prot opt in out source destination
>>
>> Yet no matter what I do, the process listening on lo never sees any of
>> the redirected traffic.
>>
>> It's so irritating something so stupidly easy isn't working. Not to
>> mention I feel like an idiot.
>>
>> If anyone has some brilliant ideas, I'm open to suggestions.
>>
>> Dan
>> _______________________________________________
>> Web Page: http://lug.boulder.co.us
>> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
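An added example, not code from either poster: pre-flight checks for the kind of DNAT port forward discussed in this thread. It expands Lee's placeholder template into concrete commands, tests the two forwarding knobs the thread mentions, and flags a DNAT target in 127.0.0.0/8. The loopback note in check_host is added kernel background (forwarded packets to loopback addresses are treated as martian unless net.ipv4.conf.<if>.route_localnet is set, a knob that first appeared in Linux 3.6), not something the thread itself states; the interface and address values in the usage line are constructed.

```shell
#!/bin/sh
# Pure functions take their inputs as arguments so they can be exercised
# without root or a live /proc; check_host reads the real sysctl files.

# Return 0 when ADDR (optionally ADDR:PORT) lies in 127.0.0.0/8.
is_loopback_target() {
    case "${1%%:*}" in
        127.*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Forwarding is effective for an interface only when both the global
# ip_forward knob and the per-interface forwarding knob read 1.
# Arguments: <ip_forward value> <per-interface forwarding value>
forwarding_enabled() {
    [ "$1" = 1 ] && [ "$2" = 1 ]
}

# Print the iptables commands Lee's *nat / *filter template expands to.
# Arguments: <if1> <if2> <ext-addr> <int-addr> <port>
render_rules() {
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$1" "$3" "$5" "$4" "$5"
    printf 'iptables -A FORWARD -i %s -o %s -p tcp -d %s --dport %s -j ACCEPT\n' \
        "$1" "$2" "$4" "$5"
    printf 'iptables -A FORWARD -i %s -o %s -p tcp -s %s --sport %s -j ACCEPT\n' \
        "$2" "$1" "$4" "$5"
}

# Live check on this host. Arguments: <inbound interface> <DNAT target>
check_host() {
    fwd=$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo "")
    iffwd=$(cat "/proc/sys/net/ipv4/conf/$1/forwarding" 2>/dev/null || echo "")
    if forwarding_enabled "$fwd" "$iffwd"; then
        echo "forwarding: on (global=$fwd, $1=$iffwd)"
    else
        echo "forwarding: OFF (global=${fwd:-?}, $1=${iffwd:-?})"
    fi
    if is_loopback_target "$2"; then
        echo "target $2 is in 127.0.0.0/8: the kernel drops forwarded packets to"
        echo "loopback unless net.ipv4.conf.$1.route_localnet=1 (Linux 3.6+)."
        echo "Setting it exposes every 127.0.0.1-bound service to DNAT; binding"
        echo "the service on a non-loopback address is the narrower fix."
    fi
}

# Usage with constructed values: check_host eth0 127.0.0.1:4443
```

Run render_rules with real interface names and addresses to see the exact commands before applying them; nothing in the block changes firewall state.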