Complex (sort-of) IPtables DNAT


shimi linux-il at shimi.net
Fri Nov 18 13:09:24 IST 2011


2011/11/18 Guy Tetruashvyly <guy.tet at gmail.com>

>  Greetings,
> this is an issue I've been struggling with for months now, and haven't even
> made small headway.
>
> Scheme :
> LAN----Linux_X86_ROUTER----INTERNET , so far, very simple.
>
> I have a PPTP server that's on the LAN, and has a LAN IP address (only).
> The Router is forwarding GRE and TCP port 1723 to that PPTP server, the
> router is using Netfilter/IPtables.
>
> The same issue, which I'll describe pretty soon, happens with a phone
> system (Asterisk) that's on the LAN, which only has a LAN address as
> well,
> and has UDP and TCP port 5060 forwarded to it by the same router.
>
> Here is the syntax that I used in order to forward the ports, I'll only
> note one of the cases, the same applies to all other DNAT cases :
>
> iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 1723 -j DNAT
> --to-destination 10.12.35.8  >> DNAT's tcp:1723 to 10.12.35.8
> iptables -A FORWARD -p tcp -d 10.12.35.8 --dport 1723 -j ACCEPT    >>
> allows the forwarding action listed above.
>
> The forwarding works great, and I have phones and other PCs PPTP'ing and
> registering phones to my LAN from the wild.
>
> BUT !!
>
> The problem is with my LAN hosts, that, once the forwarding rules are
> applied,
> they are unable to use those services, if their destination host is
> outside of my LAN.
> Example: if I PPTP VPN with one of my LAN hosts to an outside address,
> it will actually VPN to my LAN PPTP server.
> This is understandable, due to the fact that the router will forward all
> traffic as it's commanded to,
> and it knows that all tcp:1723 and GRE go to host 10.12.35.8 (same will
> be with SIP).
>
>
There is some info missing, so I am going to take a guess here, and please
correct me if I'm wrong...

I understand from the NAT rule that you expect the traffic to come FROM
eth0 - i.e. this is the interface connected to "INTERNET" (how? do you have
an additional home/NAT router there?) - as otherwise it wouldn't do any NAT
work for traffic coming from the WAN (as it didn't come from eth0)...

So my question is this: If this is indeed the case, I would like you to
first understand your following statement:

"This is understandable, due to the fact that the router will forward all
traffic as it's commanded to,
and it knows that all tcp:1723 and GRE go to host 10.12.35.8 ( same will be
with SIP) ."

...which you said about traffic, that as far as I understand, came FROM THE
LAN, or in other words, _NOT_ FROM ETH0 - why would then an iptables rule
with -i eth0 apply to such traffic? This is NOT understandable whatsoever
(if I got all the facts you described right) - and needs an explanation.

This is an obvious one, but I'll ask anyways: Any chance you have OTHER
rules that may have caused this?

HTH,

-- Shimi
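The point Shimi makes above, that a PREROUTING rule carrying `-i eth0` cannot match traffic that entered on the LAN interface, can be checked with a small model of how netfilter evaluates DNAT rules. The following is an added example and not code from the thread or from either poster: it assumes `eth1` is the LAN-facing interface and uses constructed documentation addresses (`203.0.113.x`, `198.51.100.x`) for the router's public side and an outside PPTP server. It also renders each rule with the correct double-dash long options and shows the tighter `-d <public-address>` form a practitioner would normally add so only connections actually aimed at the router are redirected.

```python
# Added example (not from the thread): a tiny model of netfilter PREROUTING
# matching, used to reason about which packets a DNAT rule like
# "-i eth0 -p tcp --dport 1723 -j DNAT --to-destination 10.12.35.8" can touch.
# Names not in the thread (eth1 as LAN side, 203.0.113.x / 198.51.100.x
# addresses) are constructed placeholders.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    in_iface: str               # interface the packet arrived on
    proto: str                  # "tcp", "udp" or "gre"
    src: str
    dst: str
    dport: Optional[int] = None  # None for port-less protocols such as GRE


@dataclass(frozen=True)
class DnatRule:
    proto: str
    to_destination: str
    in_iface: Optional[str] = None  # -i <iface>; None means "any interface"
    dport: Optional[int] = None     # --dport; None means "any port"
    dst: Optional[str] = None       # -d <addr>; None means "any destination"

    def matches(self, pkt: Packet) -> bool:
        """Every specified match must hold; an unspecified match matches anything."""
        if self.proto != pkt.proto:
            return False
        if self.in_iface is not None and self.in_iface != pkt.in_iface:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.dst is not None and self.dst != pkt.dst:
            return False
        return True

    def as_iptables(self) -> str:
        """Render the rule as an iptables command with proper long options."""
        parts = ["iptables", "-t", "nat", "-A", "PREROUTING", "-p", self.proto]
        if self.in_iface is not None:
            parts += ["-i", self.in_iface]
        if self.dst is not None:
            parts += ["-d", self.dst]
        if self.dport is not None:
            parts += ["--dport", str(self.dport)]
        parts += ["-j", "DNAT", "--to-destination", self.to_destination]
        return " ".join(parts)


def prerouting(rules: List[DnatRule], pkt: Packet) -> str:
    """Return the destination after PREROUTING: first matching DNAT rule wins.

    The nat table is only consulted for the first packet of a flow, so the
    decision made here sticks for the whole connection."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.to_destination
    return pkt.dst


# The rule as posted in the thread: only traffic arriving on eth0 (WAN) is DNATed.
WAN_RULE = DnatRule(proto="tcp", in_iface="eth0", dport=1723,
                    to_destination="10.12.35.8")
# A rule with no -i: the kind of "other rule" that would produce the symptom
# described, since it redirects tcp/1723 from any interface, LAN included.
ANY_IFACE_RULE = DnatRule(proto="tcp", dport=1723, to_destination="10.12.35.8")
# Tighter variant: also pin the destination to the router's public address
# (constructed: 203.0.113.1), so only packets aimed at the router are redirected.
PINNED_RULE = DnatRule(proto="tcp", in_iface="eth0", dst="203.0.113.1",
                       dport=1723, to_destination="10.12.35.8")

# Constructed packets: one from the Internet to the router's public address,
# one from a LAN host to a PPTP server somewhere outside.
FROM_INTERNET = Packet(in_iface="eth0", proto="tcp", src="198.51.100.7",
                       dst="203.0.113.1", dport=1723)
LAN_TO_OUTSIDE = Packet(in_iface="eth1", proto="tcp", src="10.12.35.50",
                        dst="203.0.113.99", dport=1723)

if __name__ == "__main__":
    for label, rules in (("-i eth0 rule", [WAN_RULE]),
                         ("rule without -i", [ANY_IFACE_RULE]),
                         ("-i eth0 -d public rule", [PINNED_RULE])):
        print(label)
        print("  ", rules[0].as_iptables())
        print("   Internet -> router  goes to", prerouting(rules, FROM_INTERNET))
        print("   LAN -> outside      goes to", prerouting(rules, LAN_TO_OUTSIDE))
```

Running the block shows the `-i eth0` rule leaving the LAN-to-outside packet alone while the rule without `-i` silently sends it to 10.12.35.8, which is exactly why checking for additional rules (`iptables -t nat -L PREROUTING -v -n` lists them with packet counters) is the right first step.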