Port forwarding inside local domain
Hi,

just another question. Let my router be 192.168.7.33 with
interfaces eth0 and ppp0; then this works perfectly here:

# iptables -t nat -A PREROUTING -i ppp+ -p tcp --dport 80 \
-j DNAT --to 192.168.7.49:80

However, I want to request from inside my local domain the
same way. This seems to end in a drop or an infinite loop:

# iptables -t nat -A PREROUTING -d 192.168.7.33 -p tcp --dport 80 \
-j DNAT --to 192.168.7.49:80

Besides that I want to know what is going wrong here, I
further would like to ask how I could debug this.

Thanks in advance.

Bertram


--
Bertram Scharpf
Stuttgart, Deutschland/Germany
http://www.bertram-scharpf.de

Re: Port forwarding inside local domain
On Monday 20 August 2007, Bertram Scharpf wrote:
> Hi,
>
> just another question. Let my router be 192.168.7.33 with
> interfaces eth0 and ppp0; then this works perfectly here:
>
> # iptables -t nat -A PREROUTING -i ppp+ -p tcp --dport 80 \
> -j DNAT --to 192.168.7.49:80
>
> However, I want to request from inside my local domain the
> same way. This seems to end in a drop or an infinite loop:
>
> # iptables -t nat -A PREROUTING -d 192.168.7.33 -p tcp --dport 80 \
> -j DNAT --to 192.168.7.49:80
>
> Besides that I want to know what is going wrong here,

You need to 'fix' the reply traffic, by using a rule like:
# iptables -t nat -A POSTROUTING -i eth0 -d 192.168.7.49 -p tcp --dport 80 \
-j SNAT --to 192.168.7.33

With recent kernels this can be done more elegantly by using the conntrack
module:
# iptables -t nat -A POSTROUTING -d 192.168.7.49 -m conntrack --ctorigdst \
192.168.7.49 -j SNAT --to 192.168.7.33

I never used the latter myself due to me working with older kernels mainly.

> I further would like to ask how I could debug this.

tcpdump and/or wireshark is/are your best friend(s).

HTH,
--
Ruben

Re: Port forwarding inside local domain
Hi,

On Monday, 20 Aug 2007, 16:34:31 +0200, Ruben Laban wrote:
> On Monday 20 August 2007, Bertram Scharpf wrote:
> >
> > # iptables -t nat -A PREROUTING -d 192.168.7.33 -p tcp --dport 80 \
> > -j DNAT --to 192.168.7.49:80
> >
> > Besides that I want to know what is going wrong here,
>
> You need to 'fix' the reply traffic, by using a rule like:
> # iptables -t nat -A POSTROUTING -i eth0 -d 192.168.7.49 -p tcp --dport 80 \
> -j SNAT --to 192.168.7.33

iptables v1.3.5: Can't use -i with POSTROUTING

> With recent kernels this can be done more elegantly by using the conntrack
> module:
> # iptables -t nat -A POSTROUTING -d 192.168.7.49 -m conntrack --ctorigdst \
> 192.168.7.49 -j SNAT --to 192.168.7.33

Seems it's "... --ctorigdst 192.168.7.33 -j ...".

Works fine. Thanks!

Bertram


--
Bertram Scharpf
Stuttgart, Deutschland/Germany
http://www.bertram-scharpf.de
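To make the failure mode concrete, here is a small Python model (added for this archive, not code from either poster) of the request/reply path with and without the hairpin SNAT, using the corrected "--ctorigdst 192.168.7.33" form. The router and server addresses are the thread's; the LAN client 192.168.7.50 and the WAN client 203.0.113.7 are constructed.

```python
from dataclasses import dataclass

ROUTER, SERVER = "192.168.7.33", "192.168.7.49"          # addresses from the thread
LAN_CLIENT, WAN_CLIENT = "192.168.7.50", "203.0.113.7"   # constructed hosts for this example
LAN_PREFIX = "192.168.7."

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

class Router:
    """Toy model of the router's nat table: PREROUTING DNAT, optional hairpin SNAT,
    and a conntrack table that reverses both translations on the reply path."""
    def __init__(self, hairpin_snat: bool):
        self.hairpin_snat = hairpin_snat
        self.conntrack = {}   # reply-direction tuple -> original request packet

    def forward(self, p: Pkt) -> Pkt:
        orig = p
        if p.dst == ROUTER and p.dport == 80:   # PREROUTING -d 192.168.7.33 -p tcp --dport 80 -j DNAT --to 192.168.7.49:80
            p = Pkt(p.src, p.sport, SERVER, 80)
        # POSTROUTING -d 192.168.7.49 -m conntrack --ctorigdst 192.168.7.33 -j SNAT --to 192.168.7.33
        if self.hairpin_snat and p.dst == SERVER and orig.dst == ROUTER:
            p = Pkt(ROUTER, p.sport, p.dst, p.dport)
        self.conntrack[(p.dst, p.dport, p.src, p.sport)] = orig
        return p

    def reverse(self, reply: Pkt) -> Pkt:
        """Undo DNAT and SNAT on a reply that actually passes through the router."""
        orig = self.conntrack[(reply.src, reply.sport, reply.dst, reply.dport)]
        return Pkt(orig.dst, orig.dport, orig.src, orig.sport)

def connect(client: str, hairpin_snat: bool):
    """Client opens TCP/80 to the router's address; return (reply as the client sees it, accepted?)."""
    r = Router(hairpin_snat)
    req = Pkt(client, 40000, ROUTER, 80)
    at_server = r.forward(req)
    reply = Pkt(at_server.dst, at_server.dport, at_server.src, at_server.sport)
    # The server addresses its reply to reply.dst. Only a reply to the router itself or to an
    # off-LAN host is routed back through the router, where conntrack undoes the NAT. A reply to
    # a LAN host goes straight over eth0 with source 192.168.7.49, a peer the client never contacted.
    if reply.dst == ROUTER or not reply.dst.startswith(LAN_PREFIX):
        reply = r.reverse(reply)
    accepted = (reply.src, reply.sport) == (req.dst, req.dport)
    return reply, accepted
```

Running connect(LAN_CLIENT, False) shows the reply arriving from 192.168.7.49, which is why the LAN connection stalls; connect(LAN_CLIENT, True) and connect(WAN_CLIENT, False) both deliver a reply from 192.168.7.33.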

Re: Port forwarding inside local domain
On Monday 20 August 2007, Bertram Scharpf wrote:
> Am Montag, 20. Aug 2007, 16:34:31 +0200 schrieb Ruben Laban:
> > You need to 'fix' the reply traffic, by using a rule like:
> > # iptables -t nat -A POSTROUTING -i eth0 -d 192.168.7.49 -p tcp --dport 80 \
> > -j SNAT --to 192.168.7.33
>
> iptables v1.3.5: Can't use -i with POSTROUTING
>
> > With recent kernels this can be done more elegantly by using the
> > conntrack module:
> > # iptables -t nat -A POSTROUTING -d 192.168.7.49 -m conntrack --ctorigdst \
> > 192.168.7.49 -j SNAT --to 192.168.7.33
>
> Seems it's "... --ctorigdst 192.168.7.33 -j ...".

Two 'stupid' mistakes indeed. Guess I should've reviewed my own posts a little
more.

> Works fine. Thanks!

Glad it worked out for you after all.

Regards,
--
Ruben