[ale] port forwarding for iptables.
Atlanta Geek
atlantageek at gmail.com
Tue Jun 9 14:55:11 EDT 2009
I did the tcpdumps. Traffic is coming in. However traffic is not going out.
I turned off my firewall and disabled the external interface to simplify things.
I'm also redirecting traffic to the telnet port on that machine because
I am 100% sure that interface is active.
Here is my iptables now
---------
# Generated by iptables-save v1.3.5 on Wed Jun 10 02:40:52 2009
*filter
:INPUT ACCEPT [604:70323]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1190:209769]
-A FORWARD -d 10.0.1.213 -p tcp --dport 23 -j LOG --log-prefix "TCP FORWARD:"
-A FORWARD -d 10.0.1.213 -p tcp --dport 23 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Jun 10 02:40:52 2009
# Generated by iptables-save v1.3.5 on Wed Jun 10 02:40:52 2009
*nat
:PREROUTING ACCEPT [11:2095]
:POSTROUTING ACCEPT [30:1800]
:OUTPUT ACCEPT [30:1800]
-A PREROUTING -d 10.0.0.39 -p tcp --dport 1013 -j LOG --log-prefix "TCP PREROUTING:"
-A PREROUTING -d 10.0.0.39 -p tcp --dport 1013 -j DNAT --to-destination 10.0.1.213:23
COMMIT
# Completed on Wed Jun 10 02:40:52 2009
---------------------
On Tue, Jun 9, 2009 at 2:38 PM, JK<jknapka at kneuro.net> wrote:
> [Following-up myself.]
>
> Hmm, actually I think we may be saying similar things in different
> words.
>
> Assuming the forward traffic IS in fact getting through router/forwarder
> machine R and on to destination host:port D:P (which can be verified with
> tcpdump as I mentioned earlier), then the problem is most likely to be that
> host D doesn't know how to get reply traffic back to the originating
> host O. DNAT does not change the SOURCE IP, so chances are D merely
> needs a route for O pointing to the router machine R.
>
> This SHOULD not require anything further on R to work, since presumably
> R is already accepting traffic forwarded between D and the outside
> world. Also the DNAT rule should automagically take care of all
> necessary address rewriting on connections that it concerns itself
> with, including replacing D's IP with R's in reply traffic.
>
> -- JK
>
> JK wrote:
>> Jim Kinney wrote:
>>> You need to add the reverse forward to get the data back to the original system.
>>>
>>> sysA port A -> iptables -> sysB port B to send data
>>> sysB port B -> iptables -> sysA port A to receive data
>>
>>
>> No, the DNAT target should handle this automagically.
>>
>> What you DO need, though, is:
>>
>> * Your FORWARD chain on the router has to be accepting this traffic; and
>>
>> * You may also need a *route* on the target machine to get the traffic
>> back to the source, if the target machine doesn't know how to route traffic
>> to that host. Or you could SNAT the forwarded traffic so the target machine
>> thinks it's coming from the router doing the forwarding. I've used both of
>> those techniques, and I prefer to use standard routing rather than SNAT
>> when that's feasible.
>>
>> (I have an unreasonably complicated network at home, and have to deal
>> with this stuff all the time :-P )
>>
>> -- JK
>>
>>
>>> It is possible to do this with -m state --state RELATED,ESTABLISHED -j ACCEPT
>>> I think it needs to be in the FORWARD/INPUT chain in filter table.
>>> (INPUT if the iptables machine is one of the sysA/sysB machines,
>>> FORWARD if just an intermediary machine).
>>>
>>> This will also need ip_conntrack (connection tracking) module
>>>
>>> On Tue, Jun 9, 2009 at 1:52 PM, Atlanta Geek<atlantageek at gmail.com> wrote:
>>>> The log fix was correct. Thanks Jim,
>>>> I now see my PREROUTING log showing up
>>>> But the forwarding does not appear to be working. any suggestions?
>>>>
>>>> On Tue, Jun 9, 2009 at 1:42 PM, JK<jknapka at kneuro.net> wrote:
>>>>> Jim Kinney wrote:
>>>>>> all of the -j LOG calls will never trigger because the packet has
>>>>>> already left the chain due to the line before it with the -j ACCEPT or
>>>>>> -j DNAT. Put the log before the jump call.
>>>>>>
>>>>>> -j REDIRECT is what you want to use. DNAT is for IP address. REDIRECT
>>>>>> is for port forwarding.
>>>>> If I am not mistaken, REDIRECT only allows you to forward to a port on
>>>>> the local machine. If you want to forward on to another machine, you
>>>>> need DNAT. "man iptables" backs me up on this, yay.
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
>
--
http://www.atlantageek.com
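The thread above settles three points: a LOG rule placed after an ACCEPT or DNAT with the same match never fires, the FORWARD chain on the router must accept the DNAT'd traffic (plus RELATED,ESTABLISHED replies), and the target host needs a way to route replies back to the originator, either a route via the router or source rewriting on the router. The script below is an added example, not code from anyone in the thread. It reuses the thread's addresses (router R = 10.0.0.39, external port 1013, target D = 10.0.1.213:23) as parameters, emits a complete iptables-restore ruleset in either "route" mode (no source rewrite, D must have a route back) or "snat" mode (MASQUERADE on the forwarded flow, so D sees R as the source), and includes a small checker that reads an iptables-save dump and flags LOG rules shadowed by a preceding terminating rule with an identical match. The FORWARD policy of DROP is a tightening choice made here, not the original's ACCEPT.

```shell
#!/bin/sh
# Added example for the ALE port-forwarding thread; not the poster's code.
# Parameters below default to the addresses used in the thread.

# build_rules ROUTER_IP EXT_PORT TARGET_IP TARGET_PORT MODE
#   MODE=route : DNAT only; host D needs a route back to the originator via R
#   MODE=snat  : additionally MASQUERADE the forwarded flow so D replies to R
# Prints an iptables-restore(8) file on stdout.
build_rules() {
    r="$1"; ext="$2"; d="$3"; p="$4"; mode="$5"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# LOG first: a LOG after the DNAT would never be reached
-A PREROUTING -d $r -p tcp --dport $ext -j LOG --log-prefix "TCP PREROUTING:"
-A PREROUTING -d $r -p tcp --dport $ext -j DNAT --to-destination $d:$p
EOF
    if [ "$mode" = snat ]; then
        # POSTROUTING sees the already-DNAT'd destination; MASQUERADE picks
        # R's address on the interface facing D, so no inside IP is hard-coded
        printf -- '-A POSTROUTING -d %s -p tcp --dport %s -j MASQUERADE\n' "$d" "$p"
    fi
    cat <<EOF
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# replies for tracked connections (conntrack is what makes DNAT reversible)
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# first packet of each forwarded connection, matched on the translated address
-A FORWARD -d $d -p tcp --dport $p -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# apply_rules: run as root on R; same arguments as build_rules
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    build_rules "$@" | iptables-restore
}

# shadowed_log_rules: read an iptables-save dump on stdin and print each LOG
# rule whose match is identical to the immediately preceding rule in the same
# chain when that rule has a terminating target (the LOG can never fire).
# Exit status 1 if any were found, 0 otherwise.
shadowed_log_rules() {
    awk '
    /^\*/ { prev_sel = ""; prev_tgt = "" }      # new table: reset context
    /^-A / {
        n = index($0, " -j ")
        if (n == 0) next
        sel = substr($0, 1, n - 1)               # "-A CHAIN <matches>"
        split(substr($0, n + 4), t, " ")
        tgt = t[1]
        if (tgt == "LOG" && sel == prev_sel &&
            prev_tgt ~ /^(ACCEPT|DROP|REJECT|DNAT|SNAT|REDIRECT|MASQUERADE)$/) {
            print "shadowed LOG rule: " $0
            found = 1
        }
        prev_sel = sel; prev_tgt = tgt
    }
    END { exit found ? 1 : 0 }
    '
}
```

Typical use on the router: `. ./fwd.sh; apply_rules 10.0.0.39 1013 10.0.1.213 23 snat`, or `route` mode together with a static route on D for the originating hosts pointing at R, as JK describes. To audit an existing box, pipe `iptables-save` into `shadowed_log_rules`.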