
RE: iptables and redirection traffic from one PC to another



Hello,

I've tried this parameter, --to-destination, but it's still not working. I don't have two NICs in either the PC or the RPi. Is there a way then to change the source IP address during the forwarding process?

--
Best regards,
Aleksander Kurczyk

----------------------------------------
> Date: Fri, 14 Feb 2014 16:04:49 +0000
> From: joe@jretrading.com
> To: debian-user@lists.debian.org
> Subject: Re: iptables and redirection traffic from one PC to another
>
> On Fri, 14 Feb 2014 16:32:21 +0100
> Aleksander Kurczyk <akurczyk@outlook.com> wrote:
>
>> Hi,
>>
>> Now my firewall looks like this:
>>
>> sudo iptables -F
>> sudo iptables -P INPUT DROP
>> sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
>> sudo iptables -A INPUT -i lo -j ACCEPT
>> sudo iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
>> sudo iptables -A INPUT -p tcp --dport 22005 -j ACCEPT
>> sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
>> sudo iptables -A INPUT -p tcp --dport 81 -j ACCEPT
>> sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 81 -j DNAT --to 192.168.0.10:80
>
> I believe this '--to' should be '--to-destination', I have an old rule
> using the latter, but I haven't run any traffic through it for a few
> years, and iptables does evolve slowly, so things might be different
> now.
>>
>> I've found that if the FORWARD "-a" default policy is to accept
>> everything I don't have to use the second rule. I think that the
>> problem is that my Raspberry is not my router, so the PC is
>> responding directly to the router, which in turn doesn't know what to
>> do. Is there a way to make iptables make my PC respond to it and
>> then to the router - some IP level proxy etc.?
>>
>
> Your problem here is that the default gateway of your PC is the router,
> not the Pi. This is normally avoided by using a two-NIC computer as the
> firewall-router, when this machine becomes the network default gateway.
>
> You may be able to make the Pi the default gateway for the PC, and add
> enough forwarding rules to the Pi firewall to allow the PC the Internet
> access it needs. Alternatively, you could try routing rules in the PC
> firewall (assuming it is a Linux machine) which would return packets
> with a source port of 80 to the Pi instead of the default gateway.
>
> But try '--to-destination' first, as the Pi might currently not be
> re-writing the source address of packets sent to the PC, and this might
> make a difference. I can't say for sure as my rule worked, but that was
> via a two-NIC machine which was the network default gateway, so
> re-writing might not have been occurring.
>
> --
> Joe

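Added example, not part of the original thread: one way to rewrite the source address on the single-NIC Pi is an SNAT rule in POSTROUTING next to the DNAT rule, so that the PC replies to the Pi instead of to its default gateway. The Pi address 192.168.0.2 is an assumed placeholder; eth0, ports 81/80 and 192.168.0.10 come from the quoted rules.

```shell
#!/bin/sh
# Added example (not from the thread). PI_IP is an assumed placeholder;
# IFACE, the ports and PC_IP come from the rules quoted in the post.
IFACE="${IFACE:-eth0}"
PI_IP="${PI_IP:-192.168.0.2}"      # assumed: the Pi's own LAN address
PC_IP="${PC_IP:-192.168.0.10}"
LISTEN_PORT="${LISTEN_PORT:-81}"
PC_PORT="${PC_PORT:-80}"

# Print the rules for a single-NIC forwarder. Nothing is applied here.
hairpin_rules() {
    if [ "$PI_IP" = "$PC_IP" ]; then
        echo "PI_IP and PC_IP must differ" >&2
        return 1
    fi
    # 1: let the Pi forward packets at all
    # 2: DNAT port 81 on the Pi to the web server on the PC
    # 3: SNAT only the DNATed connections, so the PC answers the Pi
    # 4-5: allow the forwarded connection and its return traffic
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $IFACE -p tcp --dport $LISTEN_PORT -j DNAT --to-destination $PC_IP:$PC_PORT
iptables -t nat -A POSTROUTING -o $IFACE -p tcp -d $PC_IP --dport $PC_PORT -m conntrack --ctstate DNAT -j SNAT --to-source $PI_IP
iptables -A FORWARD -p tcp -d $PC_IP --dport $PC_PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# APPLY=1 runs the rules as root; the default only prints them for review.
if [ "${APPLY:-0}" = 1 ]; then
    hairpin_rules | sh -e
else
    hairpin_rules
fi
```

With the SNAT rule in place, the web server on the PC sees every forwarded request as coming from the Pi, so its access logs and any IP-based access controls no longer see the real client address.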