Re: Simple IP-Forwarding problem
Hi Dave,
thank you for your quick response.
I have tried your suggestion, but the connection still does not work.
I think the problem is the path from the destination server back to the
client.
I'm no expert, so correct me if I'm wrong, but as far as I know DNAT
rewrites only the destination address, but the source address stays the
same - and at the time when the destination server tries to send a
response to the source address (still my PC) the connection can not be
established, due to firewall restrictions.
My PC (50.0.0.1) Server (100.0.0.1) Destination (150.0.0.1)
------------------------------------------------------------------
Request:
SRC=50.0.0.1
DST=100.0.0.1:20001
------------------------------------------------------------------
Translation & Forwarding
SRC=50.0.0.1
DST=150.0.0.1:22
------------------------------------------------------------------
Incoming Request
SRC=50.0.0.1
DST=150.0.0.1:22 -> Works
Response
SRC=150.0.0.1
DST=50.0.0.1
^^ -> No direct connection possible
In my opinion iptables has to do a complete masquerading, so that
the path back to the client is also NATed.
My PC (50.0.0.1) Server (100.0.0.1) Destination (150.0.0.1)
------------------------------------------------------------------
Request:
SRC=50.0.0.1
DST=100.0.0.1:20001
------------------------------------------------------------------
Translation & Forwarding
SRC=100.0.0.1
DST=150.0.0.1:22
------------------------------------------------------------------
Incoming Request
SRC=100.0.0.1
DST=150.0.0.1:22 -> Works
Response
SRC=150.0.0.1
DST=100.0.0.1 -> Ok
------------------------------------------------------------------
Translation & Forwarding
SRC=100.0.0.1
DST=50.0.0.1
------------------------------------------------------------------
Client gets Response:
SRC=100.0.0.1
DST=50.0.0.1
The problem is that I don't know how I can do SNAT and DNAT at the same
time, and I can't use static entries for the back path, because the
IP address of the client is dynamic.
Do you have any ideas?
Thanks & greetings,
-Marc-
David Nicholls wrote:
Marc Mueller wrote:
Hi guys,
<snip>
Is there any way to do that with iptables?
The only thing I have found is portforwarding on the local machine,
but I can not figure out how to forward connections to another machine.
something like:
iptables -t nat -A PREROUTING -p tcp -i eth0 -d xx.xx.xx.xx --dport 60001 -j DNAT --to 192.168.xx.xx:22
iptables -A FORWARD -p tcp -i eth0 -d 192.168.xx.xx --dport 22 -j ACCEPT
should do it.
HTH
Dave