iptables: redirecting packets inside a firewall

pete@mynix.org (09-02-2003, 12:13 AM)
I have a simple ADSL router which has NAT/MASQ function and forwards
all incoming packets to my linux server. However I want some ports to
go to some of my other computers instead.

It has some simple built in rules for sending the NAT packets to other
computers, but these are so limited that I want to use iptables to do
it.

So, my linux server is not really NAT/MASQ since that is already
handled by the ADSL router.

Just for some ports I added a rule like:

iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport 5552:5553 \
-j DNAT --to-destination 192.168.0.5


The situation is:

internet --- ADSL router (NAT) --- internal net

My internal computers all have 1 ethernet interface, and have their
default gateway pointing to the ADSL router of course.

Now with traceroute I observed, when I tried to make a connection to
my external address (on the outside of the router) and port 5553, that
first it is sent to my linux server, which resends it to the second
computer.

My internal computer sends back an ACK, via the router directly (since
this is the default gateway).

However, the connection is not set up properly and nothing
happens. After a while the outside client times out.

Maybe the NAT/MASQ of the (zyxel) ADSL router is confused that it
forwards the incoming packet to one node, but receives the reply from
another one?

Is it impossible to do such a thing? Must one use a full "double NAT"
i.e. must the linux server be the default gateway for all other
internal hosts even if I only want to redirect a few of the incoming
ports. That seems rather wasteful since in that case all traffic from
other internal nodes to/from the internet is sent twice over the LAN,
and all of it is routed through the linux server for nothing.


--
Peter Mutsaers, Dübendorf, Switzerland.
Cedric Blancher (09-02-2003, 09:32 AM)
In his prose, pete wrote to us:
> Maybe the NAT/MASQ of the (zyxel) ADSL router is confused that it forwards
> the incoming packet to one node, but receives the reply from another one?

It can happen.
You should add an SNAT rule on your Linux box for redirected packets, such
as:

iptables -t nat -A POSTROUTING -p tcp -d 192.168.0.5 \
    --dport 5552:5553 -j SNAT --to $LOCAL_IP

Check if this works. If so, your router gets confused. If not, you have to
investigate further.

pete@mynix.org (09-02-2003, 09:22 PM)
Cedric Blancher <(E-Mail Removed)> writes:

> > Maybe the NAT/MASQ of the (zyxel) ADSL router is confused that it forwards
> > the incoming packet to one node, but receives the reply from another one?
>
> It can happen.
> You should add an SNAT rule on your Linux box for redirected packets, such
> as:

Yes that worked! Thanks.
So apparently I cannot receive packets via one way and return via
another: it confuses the NAT server inside the router.
Cedric Blancher (09-04-2003, 08:06 AM)
In his prose, pete wrote to us:
> Yes that worked! Thanks.


This "triangle" situation is a quite common issue that often occurs with
redirected ports or IPs that you try to reach from within the LAN.

> So apparently I cannot receive packets via one way and return via
> another: it confuses the NAT server inside the router.


It is likely your NAT router performs NAPT, just like ipchains used to. In
this situation, the source port is modified. So, when your final box
answers with a SYN-ACK to the original client, the source port is modified by
the box and the original client receives this packet on the wrong port. The
SYN-ACK is then dropped.

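A small model of the "triangle" failure explained above and of why the SNAT rule from the earlier reply fixes it, added here as an illustration and not code from the thread. The router's NAPT table only knows the host it forwarded the SYN to, so a SYN-ACK arriving from 192.168.0.5 passes through untranslated and the client sees the wrong source and port; with SNAT on the Linux box the reply is pulled back through it so both translations are undone before the router sees it. All addresses except 192.168.0.5 are constructed for the model.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

# Constructed addresses for the model; only 192.168.0.5 comes from the thread.
CLIENT, ROUTER_EXT = "203.0.113.10", "198.51.100.1"
LINUX, TARGET, LAN = "192.168.0.2", "192.168.0.5", "192.168.0."
NAT_PORT = 61000  # port the router picks when it rewrites the source port

class NaptRouter:
    """ADSL router as described in the thread: every inbound packet goes to LINUX
    with its source port rewritten, and the mapping is keyed by the host it went to."""
    def __init__(self):
        self.table = {}
    def inbound(self, p):
        self.table[(LINUX, NAT_PORT)] = (p.src, p.sport)
        return replace(p, sport=NAT_PORT, dst=LINUX)
    def outbound(self, r):
        orig = self.table.get((r.src, r.dport))
        if orig is None:          # reply from a host the router never forwarded to:
            return r              # no mapping, so nothing is translated back
        return replace(r, src=ROUTER_EXT, dst=orig[0], dport=orig[1])

class LinuxBox:
    """PREROUTING DNAT to TARGET, optionally POSTROUTING SNAT to its own address."""
    def __init__(self, snat):
        self.snat, self.conntrack = snat, {}
    def forward(self, p):
        q = replace(p, dst=TARGET, src=LINUX if self.snat else p.src)
        self.conntrack[(q.dst, q.dport, q.src, q.sport)] = p  # reply tuple -> original
        return q
    def unnat_reply(self, r):
        p = self.conntrack[(r.src, r.sport, r.dst, r.dport)]
        return Pkt(p.dst, p.dport, p.src, p.sport)  # undo SNAT and DNAT together

def handshake_completes(snat):
    """True if the client's SYN gets back a SYN-ACK it can match to its own socket."""
    router, linux = NaptRouter(), LinuxBox(snat)
    syn = Pkt(CLIENT, 40000, ROUTER_EXT, 5553)
    at_target = linux.forward(router.inbound(syn))
    reply = Pkt(at_target.dst, at_target.dport, at_target.src, at_target.sport)
    if reply.dst.startswith(LAN):           # same subnet: delivered straight to LINUX
        reply = linux.unnat_reply(reply)
    back = router.outbound(reply)           # otherwise it goes to the default gateway
    return back.src == syn.dst and back.dport == syn.sport and back.sport == syn.dport
```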