IP addresses and DNAT

Q I've been banging my head against this one for weeks now. Four years ago I managed to get a machine to DNAT and now I can't do it at all! At the most basic level, I'm trying this code:

Internet external ip on firewall = 10.x.x.5
Machine on inside of firewall = 192.168.1.2

The firewall can access the http server on the internal machine via port 80 without any problems, so I tried this:

insmod iptable_nat
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
echo 1 > /proc/sys/net/ip_forward
iptables -t nat -A PREROUTING -d 10.x.x.5 -p tcp --dport 80 -j DNAT --to 192.168.1.5:80

And nothing happens. I've tried many variations of source IP, interfaces and so on, but none of them seem to work. Can you tell me how to get things working?

A The first stage in any DNAT configuration is to ensure that the IP configuration on the firewall is correct, and in this case, 10.x.x.5 should be bound to the outside interface on the firewall as either an interface or an alias. Opening up ICMP traffic on the firewall and pinging the outside IP from a system will help in ensuring that the IP layer is happy. Of course, because the outside address is in the 10.0.0.0/8 range, it won't be available from the other side of the Internet, in which case the appropriate routable address should be used.

The simplest way to debug any DNAT problem is to run 'tcpdump' on the outside interface of the firewall and review the packets that are dumped from the connections from the outside host. This will ensure that packets are being routed back and forth properly, and if a packet is seen going into the firewall but not back out again, you can work through the firewall configuration.

Your information detailed the inside address as 192.168.1.2. However, you were DNATing to 192.168.1.5. Hopefully this is just a typo, although it's always a good idea to double-check all of the firewall rules to ensure that the IP addresses are correct.
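Two of the checks from the answer (is the outside address bound on the firewall, and does the DNAT target match the inside machine), as an added shell example that is not part of the original column. The 203.0.113.x outside addresses, the 192.168.1.1 firewall address and the sample rules are constructed; rules are read in the format printed by `iptables -t nat -S PREROUTING`.

```shell
#!/bin/sh
# Added example: audit DNAT rules for the two mistakes the answer names.
#   $1 = address of the inside server the rules should point at
#   $2 = space-separated addresses bound to the firewall's interfaces
# Rules arrive on stdin, one per line, in `iptables -S` format.
check_dnat() {
    awk -v inside="$1" -v bound="$2" '
    BEGIN { n = split(bound, b, " "); for (i = 1; i <= n; i++) is_bound[b[i]] = 1 }
    / -j DNAT / {
        dst = ""; to = ""
        for (i = 1; i < NF; i++) {
            if ($i == "-d") dst = $(i + 1)
            if ($i == "--to-destination" || $i == "--to") to = $(i + 1)
        }
        sub(/\/32$/, "", dst)             # iptables -S prints hosts as a.b.c.d/32
        host = to; sub(/:.*$/, "", host)  # drop the :port part of the target
        if (dst != "" && !(dst in is_bound)) {
            print "UNBOUND " dst          # matched address is not on any interface
            bad++
        }
        if (host != inside) {
            print "MISMATCH " to " (expected " inside ")"
            bad++
        }
    }
    END { exit (bad > 0) }'
}

# Constructed sample: the first rule repeats the .5/.2 mix-up from the question,
# the second matches an outside address that is not bound on the firewall.
SAMPLE_RULES='-P PREROUTING ACCEPT
-A PREROUTING -d 203.0.113.5/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.5:80
-A PREROUTING -d 203.0.113.9/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.2:443'

# Inside server is 192.168.1.2; the firewall holds 203.0.113.5 and 192.168.1.1.
printf '%s\n' "$SAMPLE_RULES" | check_dnat 192.168.1.2 "203.0.113.5 192.168.1.1" || true
```

On a live firewall, pipe `iptables -t nat -S PREROUTING` into `check_dnat` and pass the addresses actually configured on its interfaces as the second argument.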
