
Re: port forwarding



* Paul Johnson (baloo@ursine.dyndns.org) [020603 08:34]:
> iptables just confuses me at times.
> 
> I'm trying to figure out how to forward all packets hitting this machine
> on one port to a port on another machine inside my network.  I'm kinda
> stumped.

$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp --dport $PORT \
	-j DNAT --to-destination $OTHER_IP

Should do it. The reason I give $EXT_IF up there is I'm assuming that
the machine doing the DNAT is a gateway of some sort.

If you're trying to get it working for machines within your network, it
won't work:

Machine A - just some machine on your network
Machine D - the machine doing the DNAT
Machine B - the $OTHER_IP listed above

When A tries to connect to D on $PORT, the packets are re-sent to B. B
sees a connection from A, and tries to respond to A, but A says "wtf?
I'm not trying to talk to B!" and sends an RST, meanwhile waiting,
retransmitting, and timing-out trying to connect to D. It works when D is
a gateway between the machines because the return packets from B to A go
through D where they are un-natted so that A sees them as part of the
original connection.

Perhaps you already know all this, but your exact setup was unclear in
your original post. We can probably tell you exactly what's not working
and how to make it better if you give us:

a little bit of the network topology you're trying to use. (i.e. "D is a
gateway on the Internet, B is a machine in my private 192.168 LAN, and I
want to DNAT requests coming from other Internet hosts", or something
equally brief, but accurate to your setup)

What commands you have tried and what results and/or log entries (if
any) you have gotten.

A bit of info about the rest of your firewall setup. Are you filtering
as well? If D is a gateway as above, is all of the necessary traffic
being allowed through FORWARD ?

good times,
Vineet
-- 
Currently seeking opportunities in the SF Bay Area
Please see http://www.doorstop.net/resume.shtml

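The rule Vineet gives above, together with the FORWARD rules his last question hints at, as one complete script. This is an added example, not code from the original mail: the interface name, port and address are constructed placeholders, and the script only prints the commands unless DRY_RUN=0 is set, so it can be reviewed before being run as root on the gateway (D). The DNAT rule is the one from the reply; the FORWARD and ip_forward lines are what a filtering gateway additionally needs for the forwarded traffic and its replies to pass.

```shell
#!/bin/sh
# Added example (not from the original post): forward one external TCP port
# on gateway D to host B inside the LAN, including the filter rules.
# Values passed to gen_port_forward below are constructed placeholders.
IPTABLES="${IPTABLES:-iptables}"

# DRY_RUN=1 (default) prints each command instead of executing it.
DRY_RUN="${DRY_RUN:-1}"
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# gen_port_forward EXT_IF PORT OTHER_IP
#   EXT_IF   - interface on D facing the Internet (assumed: eth0)
#   PORT     - TCP port clients connect to on D
#   OTHER_IP - address of B, the machine that really serves PORT
gen_port_forward() {
    ext_if="$1"; port="$2"; other_ip="$3"

    # 0. The kernel must route between interfaces at all, or DNATed packets
    #    are dropped before they ever reach FORWARD.
    run sysctl -w net.ipv4.ip_forward=1

    # 1. nat/PREROUTING: rewrite the destination of packets that arrive on
    #    the external interface for $port so they are routed on to $other_ip.
    #    (This is the rule from the reply.)
    run "$IPTABLES" -t nat -A PREROUTING -i "$ext_if" -p tcp --dport "$port" \
        -j DNAT --to-destination "$other_ip"

    # 2. filter/FORWARD: DNATed packets still traverse FORWARD, so if the
    #    gateway filters, allow new connections to exactly this host:port ...
    run "$IPTABLES" -A FORWARD -i "$ext_if" -p tcp -d "$other_ip" --dport "$port" \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

    # 3. ... and B's replies back out. Conntrack un-DNATs them on the way, so
    #    the Internet client sees them as part of its original connection.
    run "$IPTABLES" -A FORWARD -o "$ext_if" -p tcp -s "$other_ip" --sport "$port" \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT

    # Note: as the reply explains, a LAN host (A) connecting to D's external
    # address does not get its return traffic through D, so this rule set
    # covers Internet clients only.
}

# Usage with constructed placeholder values; prints the rules in DRY_RUN mode.
gen_port_forward "${EXT_IF:-eth0}" "${PORT:-80}" "${OTHER_IP:-192.168.1.10}"
```

Run it once as shown to inspect the output, then with DRY_RUN=0 to apply the rules. If the gateway's FORWARD policy is already ACCEPT, rules 2 and 3 are redundant but harmless; if it is DROP, they are the piece most often missing when "DNAT doesn't work".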