iptables + masquerade + nat

John (Guest)
08-06-2004, 04:27 AM
I've been using Linux to protect my Windows machines for many years
now, but I have come to a point where I need to allow some ports in to
one of my Windows machines for work-related activities. I've been
trying for several hours to get NAT to work with my current
masquerading setup, but with zero success. Hopefully someone out there
has some clues as to what I'm doing wrong and can point me in the
right direction.

I'm currently running Red Hat 9.0 with kernel 2.4.20-8 and here is my
config in /etc/sysconfig/iptables:

*nat
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
:OUTPUT ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT
:FORWARD DROP
:OUTPUT ACCEPT
:Filter -
-A INPUT -j Filter
-A FORWARD -j Filter
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -j LOG --log-prefix "forward-iptables: "
-A INPUT -j LOG --log-prefix "input-iptables: "
-A Filter -i lo -j ACCEPT
-A Filter -i eth1 -j ACCEPT
-A Filter -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A Filter -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to 192.168.1.5:80
-A Filter -s 24.53.86.14 -p udp -m udp --sport 53 -j ACCEPT
-A Filter -s 24.53.86.13 -p udp -m udp --sport 53 -j ACCEPT
-A Filter -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A Filter -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
-A Filter -p tcp --destination-port 25 -j REJECT --reject-with icmp-port-unreachable
COMMIT

The line:
-t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to 192.168.1.5:80

is what is giving me the problems. When I run /etc/init.d/iptables
restart I get the following:

Flushing all current rules and user defined chains: [ OK ]
Clearing all current rules and user defined chains: [ OK ]
Applying iptables firewall rules: iptables-restore v1.2.7a: Line 22 seems to have a -t table option.

Try `iptables-restore -h' or 'iptables-restore --help' for more information.
[FAILED]

When I change the line to look like:
-A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to 192.168.1.5:80
I get the following:
Flushing all current rules and user defined chains: [ OK ]
Clearing all current rules and user defined chains: [ OK ]
Applying iptables firewall rules: iptables-restore: line 22 failed
[FAILED]

Line 22 is the line with the DNAT in it. All of the tutorials that
I've come across pretty much tell me the same thing, but none of my
attempts to get NAT working has brought me success.

If anyone has any insight into what is going on, I would greatly
appreciate it.

--
John Evans

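The failure above comes from the file format, not from NAT itself: iptables-restore reads an iptables-save dump, in which the table is selected by the `*nat` / `*filter` header and every rule up to the next COMMIT belongs to that table, so a rule may never carry `-t`, and a `-A PREROUTING ... -j DNAT` line placed under `*filter` refers to a chain and a target that do not exist there. The script below is an added example, not code from the thread: a small lint pass that reports exactly those faults, together with a constructed copy of the posted file with the DNAT rule moved into the `*nat` block (the poster's `--to` is spelled out as `--to-destination`). It assumes only the 2.4-era tables filter, nat and mangle.

```shell
#!/bin/sh
# Added example, not code from the thread: lint an /etc/sysconfig/iptables
# file (iptables-save format) before handing it to iptables-restore. It
# reports the two faults iptables-restore rejected on "line 22" above:
#   * a per-rule "-t <table>" option: in this format the table is chosen by
#     the "*table" header, never on the rule itself;
#   * a rule appended to a chain, or jumping to a NAT target, that does not
#     belong to the table block it sits in (PREROUTING/DNAT under *filter).
# Assumption: only the 2.4-era tables filter, nat and mangle exist.

lint_iptables_save() {
    # Usage: lint_iptables_save [FILE]  (reads stdin when FILE is omitted).
    # Prints "line N: problem" per fault; exit status 1 if any were found.
    awk '
    BEGIN {
        builtin["filter"] = " INPUT FORWARD OUTPUT "
        builtin["nat"]    = " PREROUTING OUTPUT POSTROUTING "
        builtin["mangle"] = " PREROUTING INPUT FORWARD OUTPUT POSTROUTING "
        table = ""; bad = 0
    }
    function fault(msg) { print "line " NR ": " msg; bad++ }
    /^#/ || /^[ \t]*$/ { next }
    /^\*/ {                                  # "*nat": a table block begins
        table = substr($1, 2)
        for (c in user) delete user[c]       # chain declarations are per table
        if (!(table in builtin)) fault("unknown table " table)
        next
    }
    /^:/ { user[substr($1, 2)] = 1; next }   # ":Filter -" declares a chain
    /^COMMIT$/ { table = ""; next }
    {
        if (table == "") { fault("rule outside a *table ... COMMIT block"); next }
        for (i = 1; i <= NF; i++) {
            if ($i == "-t" || $i == "--table")
                fault("-t " $(i+1) " is not valid here; put the rule under *" $(i+1))
            if ($i ~ /^-[AIDR]$/) {
                chain = $(i+1)
                if (index(builtin[table], " " chain " ") == 0 && !(chain in user))
                    fault("chain " chain " does not exist in table " table)
            }
            if (($i == "-j" || $i == "--jump") && table != "nat" &&
                $(i+1) ~ /^(DNAT|SNAT|MASQUERADE|REDIRECT)$/)
                fault("target " $(i+1) " is only valid in the nat table")
        }
    }
    END { exit (bad > 0) }
    ' "${1:--}"
}

# The posted file with the fix applied: the DNAT rule lives in the *nat block
# (no "-t"), and "--to" is spelled out as --to-destination. Constructed here.
fixed_config() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
:OUTPUT ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.5:80
COMMIT
*filter
:INPUT ACCEPT
:FORWARD DROP
:OUTPUT ACCEPT
:Filter -
-A INPUT -j Filter
-A FORWARD -j Filter
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -j LOG --log-prefix "forward-iptables: "
-A INPUT -j LOG --log-prefix "input-iptables: "
-A Filter -i lo -j ACCEPT
-A Filter -i eth1 -j ACCEPT
-A Filter -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A Filter -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A Filter -s 24.53.86.14 -p udp -m udp --sport 53 -j ACCEPT
-A Filter -s 24.53.86.13 -p udp -m udp --sport 53 -j ACCEPT
-A Filter -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A Filter -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
-A Filter -p tcp --destination-port 25 -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# The file as the poster had it: the same DNAT rule moved back into the
# *filter block with "-t nat" in front, where it lands on line 22.
broken_config() {
    fixed_config | awk '
        /^-A PREROUTING .* -j DNAT / { dnat = $0; next }
        { print }
        /--dport 80 --tcp-flags/ { print "-t nat " dnat }
    '
}
```

Running `broken_config | lint_iptables_save` prints three complaints, all for line 22 (the `-t nat`, the missing PREROUTING chain in filter, and the DNAT target outside nat); `fixed_config | lint_iptables_save` is silent and exits 0. Once the file passes, `service iptables restart` (or `iptables-restore < /etc/sysconfig/iptables`) loads it, and `iptables -t nat -L -n -v` shows the PREROUTING rule and its counters; if that command errors out, the nat table is not available in the running kernel, which is the point Frank raises in the next reply. Note that the DNATed SYN still passes through FORWARD after translation: in the posted rules `-A FORWARD -j Filter` and the Filter rule for `--dport 80` accept it, so no extra FORWARD rule is needed, but the same Filter rule also accepts port 80 on the firewall host itself via INPUT.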
Frank Miles (Guest)
08-06-2004, 03:10 PM
In article <(E-Mail Removed)>,
John <(E-Mail Removed)> wrote:
>I've been using Linux to protect my Windows machines for many years
>now, but I have come to a point where I need to allow some ports in to
>one of my Windows machines for work-related activities. I've been
>trying for several hours to get NAT to work with my current
>masquerading setup, but with zero success. Hopefully someone out there
>has some clues as to what I'm doing wrong and can point me in the
>right direction.
>
>I'm currently running Red Hat 9.0 with kernel 2.4.20-8 and here is my
>config in /etc/sysconfig/iptables:


[snip]

Does your kernel have NAT enabled in all the right places?

-frank
John (Guest)
08-08-2004, 02:51 AM
On Fri, 6 Aug 2004 15:10:00 +0000 (UTC), (E-Mail Removed) (Frank Miles) wrote:

>In article <(E-Mail Removed)>,
>John <(E-Mail Removed)> wrote:
>>I've been using Linux to protect my Windows machines for many years
>>now, but I have come to a point where I need to allow some ports in to
>>one of my Windows machines for work-related activities. I've been
>>trying for several hours to get NAT to work with my current
>>masquerading setup, but with zero success. Hopefully someone out there
>>has some clues as to what I'm doing wrong and can point me in the
>>right direction.
>>
>>I'm currently running Red Hat 9.0 with kernel 2.4.20-8 and here is my
>>config in /etc/sysconfig/iptables:

>
>[snip]
>
>Does your kernel have NAT enabled in all the right places?
>


Yep. I checked that part of the config before I got started. I forgot
to mention it in my posting though.

Any other ideas?
