
Re: [tlug] iptables and port-forwarding concerns



On Wed, 21 Apr 2004 20:02:40 -0400, Josh Glover <tlug@example.com> wrote:

> Heh. I have never seriously thought you an idiot. I just get my jollies by
> poking fun at you when you give me a huge opening! ;)

Speaking of which...

> 192.168.0.0 - 192.168.1.1 in your subnet, right? Just making sure *I* am
> not making a stupid mistake! :)

*SPLORF!!*

It's OK now, you can pull your foot out of your mouth :)

> Right, don't MASQUERADE, first of all. Try this instead:
> 
> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source <IP>

Makes sense, but shouldn't that be "-o ppp0" since ppp0 is the 'net-facing
interface?

> You have things backwards.

Tell me about it...

> DNAT *must* be done pre-routing, with --from:
> 
> iptables -t nat -I PREROUTING 1 -i eth0 -p tcp -s 192.168.0.3 \
>   -d ! 192.168.0.0/23 -j DNAT --from 192.168.0.3:10000-10100

This doesn't make sense. You're saying:

Any TCP stuff ("-p tcp") coming in through eth0 ("-i eth0") from fly's IP
("-s 192.168.0.3") and meant for the outside world ("-d ! 192.168.0.0/23")
has to have the destination IP modified ("-j DNAT") so that it looks like
it's going to ports 10000-10100 of fly ("--from 192.168.0.3:10000-10100",
shouldn't that be "--to" anyway rather than "--from"?). In effect, it's
making TCP traffic from fly loop back on itself.

Having read the excellent documentation at the NAT HOWTO link you gave here:

> http://www.stearns.org/iptables/NAT-HOWTO.txt

I now understand that I have to point DNAT the other way round. More like:

iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 10000:10100 \
  -j DNAT --to 192.168.0.3:10000-10100

There's no need to do SNAT for packets going the other way since netfilter
will remember how the inbound packets were mangled and will unmangle
outbound packets symmetrically going back the other way. Reminder: the tcp
connection will be INITIATED BY THE REMOTE HOST (the Asterisk server), which
is why those ports on the laptop need to be accessible from the 'net in the
first place.

> This is not complete, but hopefully it corrects your misconceptions
> enough to get you started.

It did, thanks. And the HOWTO enabled me to pick holes in your corrections
too :)

> Get rid of masquerading altogether and do SNAT.

Will do.

I'm working on a new firewall script 'coz the old one needs updating anyway.

> >    or is the IP routing in the Linux kernel (2.4.25) smarter than that?
> 
> Bugger if I know. :)

It doesn't have to be smarter than that in fact. If the Asterisk server
can't contact me on port 10000 it'll try on 10001 etc. ad nauseam ad
run-out-of-portsium.

> >    should I be looking at full NAT instead in the first place?
> 
> Quoth the iptables(8) man page:

Yes, I saw that, but wondered if it mattered that much anyway given that IP
masquerading worked fine - you know, if it ain't broke don't fix it.

-- 
G. Stewart   --   gstewart@example.com -- gstewart@example.com
Registered Linux user #284683 (Slackware 9.0, Linux 2.6.5)
--------------------------------------------------------------
Why do people pay to go up tall buildings and then put money in
binoculars to look down at things on the ground?

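The claim in the reply above, that a DNAT rule on PREROUTING plus an SNAT rule on POSTROUTING is enough and that netfilter's connection tracking undoes the translation for reply packets without any extra rules, can be checked with a small model. The following is an added example and not code from the thread or from netfilter itself: it is a toy Python model of the nat table plus a conntrack-style mapping table, with placeholder addresses (203.0.113.5 for the ppp0 side, 198.51.100.x for remote hosts) and the 192.168.0.0/23 subnet, port range 10000-10100 and host 192.168.0.3 taken from the discussion. Three scenarios show an inbound connection from the remote Asterisk host being DNATed to the laptop, an outbound LAN connection being SNATed, and why a reply to another LAN host is not hijacked by the DNAT rule even when its port falls in the forwarded range (the nat table is only consulted for the first packet of a connection).

```python
"""Toy model of netfilter DNAT/SNAT with connection tracking (constructed example).

The two rules it imitates, as a firewall script would state them:
  iptables -t nat -A PREROUTING  -i ppp0 -p tcp --dport 10000:10100 \
      -j DNAT --to 192.168.0.3
  iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.0.0/23 \
      -j SNAT --to-source <public IP on ppp0>
"""
import ipaddress
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.5"                      # placeholder: address on ppp0
LAN = ipaddress.ip_network("192.168.0.0/23")   # subnet from the thread
FLY = "192.168.0.3"                            # the laptop
FWD_PORTS = range(10000, 10101)                # --dport 10000:10100
REMOTE = "198.51.100.7"                        # placeholder: the Asterisk server


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    in_iface: str  # interface the packet arrived on: "ppp0" or "eth0"


def _key(p):
    return (p.src, p.sport, p.dst, p.dport)


class NatBox:
    """Applies the two nat rules to new connections and replays the
    stored translation (in both directions) for every later packet."""

    def __init__(self):
        self.mappings = {}  # 4-tuple as seen -> 4-tuple as rewritten

    @staticmethod
    def _apply(pkt, mapped):
        src, sport, dst, dport = mapped
        return replace(pkt, src=src, sport=sport, dst=dst, dport=dport)

    def process(self, pkt):
        # Tracked connection: reuse the stored translation; the nat
        # table is not consulted again, exactly like netfilter.
        if _key(pkt) in self.mappings:
            return self._apply(pkt, self.mappings[_key(pkt)])
        out = pkt
        # PREROUTING: DNAT forwarded ports arriving on ppp0 to fly.
        if pkt.in_iface == "ppp0" and pkt.dport in FWD_PORTS:
            out = replace(out, dst=FLY)
        # The routing decision is made on the (possibly rewritten) destination.
        out_iface = "eth0" if ipaddress.ip_address(out.dst) in LAN else "ppp0"
        # POSTROUTING: SNAT LAN sources leaving via ppp0.
        if out_iface == "ppp0" and ipaddress.ip_address(out.src) in LAN:
            out = replace(out, src=PUBLIC_IP)
        # Remember both directions: same-direction packets get the same
        # rewrite, replies get the symmetric un-rewrite.
        self.mappings[_key(pkt)] = _key(out)
        self.mappings[(out.dst, out.dport, out.src, out.sport)] = (
            pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return out


def inbound_call():
    """Remote Asterisk host opens TCP to public:10000; fly answers."""
    box = NatBox()
    syn = Packet(REMOTE, 40000, PUBLIC_IP, 10000, "ppp0")
    fwd = box.process(syn)                         # dst becomes FLY
    reply = Packet(FLY, 10000, REMOTE, 40000, "eth0")
    back = box.process(reply)                      # src becomes PUBLIC_IP, no SNAT rule needed
    return fwd, back


def outbound_browse():
    """fly opens TCP to a remote web server; the reply comes back on ppp0."""
    box = NatBox()
    syn = Packet(FLY, 33333, "198.51.100.9", 80, "eth0")
    fwd = box.process(syn)                         # src becomes PUBLIC_IP
    reply = Packet("198.51.100.9", 80, PUBLIC_IP, 33333, "ppp0")
    back = box.process(reply)                      # dst becomes FLY again
    return fwd, back


def established_beats_dnat():
    """Another LAN host uses source port 10050; the reply's dport is in the
    forwarded range, but conntrack delivers it to that host, not to fly."""
    box = NatBox()
    other = "192.168.0.4"
    box.process(Packet(other, 10050, "198.51.100.9", 443, "eth0"))
    reply = Packet("198.51.100.9", 443, PUBLIC_IP, 10050, "ppp0")
    return box.process(reply).dst


if __name__ == "__main__":
    print(inbound_call())
    print(outbound_browse())
    print(established_beats_dnat())
```

The model simplifies in one place worth knowing about when reading real rulesets: it keys connections on the 4-tuple alone and ignores protocol and TCP state, so it does not expire entries or distinguish a stale mapping from a live one the way the real conntrack table does.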

