[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: desperate! can't get port forwarding to work on debian testing 2.6.15



Mike Garey a écrit :
On 4/13/06, Pascal Hambourg <pascal.mail@plouf.fr.eu.org> wrote:

now, both dev and asterisk machines have their internal NIC connected
to the same switch.

I guess you mean "the same pair of switches" ?

well, they're physically attached to the same switch..

My mistake, I didn't read "internal", so I thought "internal and external".

IMHO, the problem is that the default route sets the default gateway
216.125.25.33 instead of the NAT box internal address.
[...]
yes, you're right, as soon as I removed the default gw of
216.125.24.33 and added 192.168.1.121 in its place, it started working
(although, I did do this before sending my last message, and it didn't
work - perhaps I should've waited longer, maybe the arp tables needed
to be udpated and I didn't give them a chance?).

No, the ARP cache is involved only in IP address-MAC address associations and you didn't change any of them. Maybe the routing cache.

If I'm right, you need to make sure that the reply packet from the
server goes back to the NAT box so its source address is un-NATed
properly. One way to do this is to masquerade the source address in the
NAT box unsing SNAT or MASQUERADE. But you lose the real source address
information on the server :

iptables -t nat -A POSTROUTING -o $INTIF -d $PORTFWIP \
  -p tcp --dport 8090 -j SNAT --to $INTIP

so the above command isn't really useful, since the real source
address is stripped, so the NAT box has no idea where to send the
packet back to, correct?

Don't worry, the NAT system keeps track of original and translated addresses and ports. Otherwise the commonly used SNAT and MASQUERADE from a LAN to the internet would be useless. It works, and it is the only way to do port forwarding from a client on the same LAN.

for now, I'll just set the default gw to the NAT box, this works fine.
 But out of curiosity, how would you go about implementing this type
of routing on the BSD box (in a high level of course, since you're not
familiar with BSD..).

The problem is I don't know what kind of advanced routing is available on your BSD box (and I suppose that every *BSD flavor has its own capabilities). On a Linux system, I would use a source-based routing policy : when an outgoing packet has $PORTFWIP source address, it is routed using an alternate routing table which has the NAT box as the default gateway instead of the other gateway.



Reply to: