
Re: Simple IP-Forwarding problem



Hi Dave,
thank you for your quick response.

I have tried your suggestion, but the connection still does not work.
I think the problem is the path from the destination server back to the client.

I'm no expert, so correct me if I'm wrong, but as far as I know DNAT rewrites only the destination address, while the source address stays the same; and when the destination server tries to send a response to the source address (still my PC), the connection cannot be established due to firewall restrictions.


My PC (50.0.0.1)     Server (100.0.0.1)   Destination (150.0.0.1)
------------------------------------------------------------------
Request:
SRC=50.0.0.1
DST=100.0.0.1:20001
------------------------------------------------------------------
                     Translation & Forwarding
                     SRC=50.0.0.1
                     DST=150.0.0.1:22
------------------------------------------------------------------
                                           Incoming Request
                                           SRC=50.0.0.1
                                           DST=150.0.0.1:22 -> Works

                                           Response
                                           SRC=150.0.0.1
                                           DST=50.0.0.1
                                               ^^ -> No direct
                                                     connection possible


In my opinion iptables has to do a complete masquerading, so that
the path back to the client is also NATed.


My PC (50.0.0.1)     Server (100.0.0.1)   Destination (150.0.0.1)
------------------------------------------------------------------
Request:
SRC=50.0.0.1
DST=100.0.0.1:20001
------------------------------------------------------------------
                     Translation & Forwarding
                     SRC=100.0.0.1
                     DST=150.0.0.1:22
------------------------------------------------------------------
                                           Incoming Request
                                           SRC=100.0.0.1
                                           DST=150.0.0.1:22 -> Works

                                           Response
                                           SRC=150.0.0.1
                                           DST=100.0.0.1 -> Ok
------------------------------------------------------------------
                     Translation & Forwarding
                     SRC=100.0.0.1
                     DST=50.0.0.1
------------------------------------------------------------------
Client gets Response:
SRC=100.0.0.1
DST=50.0.0.1


The problem is that I don't know how I can do SNAT and DNAT at the same time, and I can't use static entries for the back-path, because the IP address of the client is dynamic.

Do you have any ideas?

Thanks & greetings,
	-Marc-



David Nicholls wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Marc Mueller wrote:

Hi guys,



<snip>


Is there any way to do that with iptables?
The only thing I have found is portforwarding on the local machine,
but I can not figure out how to forward connections to another machine.



something like:

iptables -t nat -A PREROUTING -p tcp -i eth0 -d xx.xx.xx.xx --dport 60001 -j DNAT --to 192.168.xx.xx:22
iptables -A FORWARD -p tcp -i eth0 -d 192.168.xx.xx --dport 22 -j ACCEPT

should do it.

HTH

Dave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFC1ODC62r58u1gKlkRAro4AKCJCMClFmv6SGHtbThy7Mi3zJQGUwCaAmrV
iPt2xtgMY+E/a4uuW8uCvlo=
=tOuO
-----END PGP SIGNATURE-----
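What the second diagram asks for, written out as an added example (not code from either post): the forwarding server needs a DNAT rule on the way in and an SNAT rule on the way out for the same connection. Netfilter's connection tracking remembers both translations and undoes them on the reply packets by itself, so no static entry per client address is needed even though the client IP is dynamic. The addresses and ports are the ones from the diagrams above; the interface name eth0, the use of the conntrack match, and the script's own variable names are assumptions.

```shell
#!/bin/sh
# Added example for the DNAT + SNAT setup drawn in the second diagram.
# Defaults are the addresses from the thread; override with environment
# variables. Without --apply the script only prints the rules.
PUBLIC_IP="${PUBLIC_IP:-100.0.0.1}"     # the forwarding server (Server)
LISTEN_PORT="${LISTEN_PORT:-20001}"     # port the client connects to
TARGET_IP="${TARGET_IP:-150.0.0.1}"     # Destination server
TARGET_PORT="${TARGET_PORT:-22}"
WAN_IF="${WAN_IF:-eth0}"                # assumption: public interface name

# Emit the rules in the order they must be applied.
nat_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp -d $PUBLIC_IP --dport $LISTEN_PORT -j DNAT --to-destination $TARGET_IP:$TARGET_PORT
iptables -t nat -A POSTROUTING -o $WAN_IF -p tcp -d $TARGET_IP --dport $TARGET_PORT -j SNAT --to-source $PUBLIC_IP
iptables -A FORWARD -p tcp -d $TARGET_IP --dport $TARGET_PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# PREROUTING runs before routing, so the FORWARD rule already sees the
# rewritten destination (150.0.0.1:22). POSTROUTING runs after routing and
# replaces the client's source with the server's own address; conntrack
# maps the replies (SRC=150.0.0.1 DST=100.0.0.1) back to SRC=100.0.0.1
# DST=<client> without any per-client rule.
case "${1:-}" in
    --apply) nat_rules | sh ;;
    *)       nat_rules ;;
esac
```

Run it as `sh nat.sh` to review the rules and `sh nat.sh --apply` (as root) to load them; `iptables -t nat -L -n -v` then shows both translation rules with their packet counters, and `iptables -L FORWARD -n -v` the forwarding rules. On kernels that predate the conntrack match, `-m state --state` accepts the same keywords. Note that after SNAT the destination server only ever sees 100.0.0.1 as the peer, so its own logs no longer record the real client address; if that matters for auditing, log the NEW connections on the forwarding server, which still sees the original source.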