[ale] port forwarding for iptables.

Jim Kinney jim.kinney at gmail.com
Tue Jun 9 14:52:08 EDT 2009


Hmm. More thoughts. Is the receiving system open to receive traffic on
the DNAT port?

On Tue, Jun 9, 2009 at 2:38 PM, JK<jknapka at kneuro.net> wrote:
> [Following-up myself.]
>
> Hmm, actually I think we may be saying similar things in different
> words.
>
> Assuming the forward traffic IS in fact getting through router/forwarder
> machine R and on to destination host:port D:P (which can be verified with
> tcpdump as I mentioned earlier), then the problem is most likely to be that
> host D doesn't know how to get reply traffic back to the originating
> host O.  DNAT does not change the SOURCE IP, so chances are D merely
> needs a route for O pointing to the router machine R.
>
> This SHOULD not require anything further on R to work, since presumably
> R is already accepting traffic forwarded between D and the outside
> world. Also the DNAT rule should automagically take care of all
> necessary address rewriting on connections that it concerns itself
> with, including replacing D's IP with R's in reply traffic.
>
> -- JK
>
> JK wrote:
>> Jim Kinney wrote:
>>> You need to add the reverse forward to get the data back to the original system.
>>>
>>> sysA port A -> iptables -> sysB port B to send data
>>> sysB port B -> iptables -> sysA port A to receive data
>>
>>
>> No, the DNAT target should handle this automagically.
>>
>> What you DO need, though, is:
>>
>> * Your FORWARD chain on the router has to be accepting this traffic; and
>>
>> * You may also need a *route* on the target machine to get the traffic
>> back to the source, if the target machine doesn't know how to route traffic
>> to that host.  Or you could SNAT the forwarded traffic so the target machine
>> thinks it's coming from the router doing the forwarding.  I've used both of
>> those techniques, and I prefer to use standard routing rather than SNAT
>> when that's feasible.
>>
>> (I have an unreasonably complicated network at home, and have to deal
>> with this stuff all the time :-P  )
>>
>> -- JK
>>
>>
>>> It is possible to do this with -m state --state RELATED,ESTABLISHED -j ACCEPT
>>> I think it needs to be in the FORWARD/INPUT chain in filter table.
>>> (INPUT if the iptables machine is one of the sysA/sysB machines,
>>> FORWARD if just an intermediary machine).
>>>
>>> This will also need ip_conntrack (connection tracking) module
>>>
>>> On Tue, Jun 9, 2009 at 1:52 PM, Atlanta Geek<atlantageek at gmail.com> wrote:
>>>> The log fix was correct.  Thanks Jim,
>>>> I now see my PREROUTING log showing up
>>>> But the forwarding does not appear to be working.  any suggestions?
>>>>
>>>> On Tue, Jun 9, 2009 at 1:42 PM, JK<jknapka at kneuro.net> wrote:
>>>>> Jim Kinney wrote:
>>>>>> all of the -j LOG calls will never trigger because the packet has
>>>>>> already left the chain due to the line before it with the -j ACCEPT or
>>>>>> -j DNAT. Put the log before the jump call.
>>>>>>
>>>>>> -j REDIRECT is what you want to use. DNAT is for IP address. REDIRECT
>>>>>> is for port forwarding.
>>>>> If I am not mistaken, REDIRECT only allows you to forward to a port on
>>>>> the local machine.  If you want to forward on to another machine, you
>>>>> need DNAT.  "man iptables" backs me up on this, yay.
>



-- 
James P. Kinney III
Actively in pursuit of Life, Liberty and Happiness
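Putting the thread's advice together in one place: the script below is an added example, not code from any of the posters. It writes an iptables-restore ruleset for router R that DNATs an external TCP port to an inside host D, puts the LOG rule ahead of the DNAT jump (a LOG after a terminating target never fires), relies on connection tracking in FORWARD for the reply traffic (DNAT's reverse rewrite of D's address back to R's is automatic), and optionally adds a MASQUERADE rule for the case where D has no route back to the client. The interface names, addresses and ports in the test are assumptions; nothing here touches the kernel, so feed the output to `iptables-restore` on R yourself and check with `tcpdump` on D that the forwarded packets arrive and that D's replies leave toward R.

```shell
#!/bin/sh
# Emit an iptables-restore ruleset that forwards TCP EXT_PORT arriving on
# EXT_IF of router R to DST_IP:DST_PORT on INT_IF.  MODE is "route" (default:
# D must have a route for the client network pointing at R, the real client
# IP is preserved) or "snat" (R masquerades, D sees R as the source).
# Usage: dnat_ruleset EXT_IF INT_IF EXT_PORT DST_IP DST_PORT [route|snat]
dnat_ruleset() {
    ext_if=$1 int_if=$2 ext_port=$3 dst_ip=$4 dst_port=$5 mode=${6:-route}
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# LOG first: DNAT is a terminating target, a LOG placed after it never runs.
-A PREROUTING -i $ext_if -p tcp --dport $ext_port -j LOG --log-prefix "PREROUTING-dnat: "
-A PREROUTING -i $ext_if -p tcp --dport $ext_port -j DNAT --to-destination $dst_ip:$dst_port
EOF
    if [ "$mode" = snat ]; then
        cat <<EOF
# Rewrite the source so D answers to R even without a route back to the
# client.  Cost: D's logs show R's address, not the real client.
-A POSTROUTING -o $int_if -p tcp -d $dst_ip --dport $dst_port -j MASQUERADE
EOF
    fi
    cat <<EOF
COMMIT
*filter
:FORWARD DROP [0:0]
# Replies from D ride back on the tracked connection; no mirrored rule and
# no second DNAT are needed (requires the conntrack module).
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# FORWARD sees the post-DNAT destination, so match on D, not on R's address.
-A FORWARD -i $ext_if -o $int_if -p tcp -d $dst_ip --dport $dst_port -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Sanity check for the ordering bug discussed in the thread: read a ruleset
# on stdin and succeed only if PREROUTING's LOG rule precedes its DNAT rule.
log_before_dnat() {
    awk '/^-A PREROUTING/ && /-j LOG/ && !l {l=NR}
         /^-A PREROUTING/ && /-j DNAT/ && !d {d=NR}
         END {exit !(l && d && l < d)}'
}

# Example invocation (values are assumptions): print the "route" variant.
[ "${1:-}" = "demo" ] && dnat_ruleset eth0 eth1 8080 192.168.1.10 80
```

Load it with `iptables-restore < rules` (or `-n` to keep existing chains) and confirm `net.ipv4.ip_forward=1`; in route mode, remember that D also needs a route for the client network via R, or D will send its replies out its default gateway and the connection will hang exactly as described above.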