LinuxQuestions.org > Linux - Networking > Forwarding using iptables - I can't figure it out anymore... (https://www.linuxquestions.org/questions/linux-networking-3/fowarding-using-iptables-i-cant-figure-it-out-anymore-701993/)

lumkichi 02-03-2009 01:25 PM

Forwarding using iptables - I can't figure it out anymore...
 
At one time I had this working, but the machine rebooted and lost the iptables setup. Now I can't get it to work. I've also tried reading a number of related articles and they're not *quite* my situation.

I have the following computers:

REMOTE SERVER: 172.1.2.20 (via VPN)

LOCAL PC: 10.10.25.20, 10.10.25.21 running Ubuntu

MY PC: 10.10.25.200

REMOTE PC: 10.20.3.20
====================================

The machines on the local network (10.10.25.0/8) can see the 172.1.2.20 machine over a VPN. But our remote co-workers at 10.20.3.20 cannot.

So I took the linux machine at 10.10.25.20 and added another NIC. I did some IP table mumbo jumbo once and I was able to redirect all traffic coming into the 2nd NIC card (eth1) to 172.1.2.20 via the 1st NIC card (eth0). The server rebooted after a power outage and now I can't replicate the setup. Here's what I've scribbled down previously.

# note eth0 IP = 10.10.25.20
# note eth1 IP = 10.10.25.21
export eth0IP=`ifconfig eth0 | grep "inet addr" | cut -d: -f2 | cut -dB -f1`
export eth1IP=`ifconfig eth1 | grep "inet addr" | cut -d: -f2 | cut -dB -f1`
iptables -F
iptables -t nat -F
iptables -t nat -A PREROUTING -i eth1 -j DNAT --to 172.1.2.20
iptables -A FORWARD -p tcp -i eth0 -d 172.1.2.20 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to ${eth1IP}
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to ${eth0IP}

What am I doing wrong? I wanted to be able to connect to 10.10.25.21 and have all traffic forwarded to 172.1.2.20 via 10.10.25.20.


Really, all I wanted to do was to do port-forwarding on port 1521 to 172.1.2.20:1521 - but that became too cumbersome and nothing I tried worked...

I've looked at these articles and tried to adapt them to my own to no avail:

http://www.debian-administration.org/articles/73
http://wiki.kartbuilding.net/index.php/Iptables_forward <-- this was the closest to my problem, but didn't work.
http://www.linuxquestions.org/questi...arding-574868/
http://www.linuxquestions.org/questi...fusing-551254/
http://www.linuxquestions.org/questi...-ports-184343/
https://www.linuxquestions.org/quest...ptables-66389/ <- this guy asked a similar question with no response.
===================

I've tried to set up a small webserver on my PC, and reroute traffic from one NIC to the other to my PC. In the past, my webserver responded, but the return path was not properly defined so the traffic never made it back. I had to add the two POSTROUTING lines above.

Today, I'm switching eth1 for eth0 in various combinations, but to no avail... Can somebody help me figure this out?

Thank you sooo much in advance.

naghi32 02-03-2009 03:14 PM

Have you tried using tcpdump to see where the packets end?
That's a really handy tool if used properly ( tcpdump -n -i interface ). Remember not to use it in high traffic networks ( it's ok, but lots of packets r gonna show if u don't use filters ).
Well, from what I can see besides that:
are you sure the routing table is set up correctly?
do you have only 1 server or more?
When you set up the VPN you gotta tell that router where it can find the 172.1.2.20 host.
Also when using iptables remember:
existing, established connections allowed
dnat packets for port 80 to internal webserver
and proper snat for the above ( you don't want to request connections on ip x.x.x.x:80 and get a response from x.x.x.y:80, would you? )

lumkichi 02-03-2009 03:45 PM

Well, I just answered my own question after fumbling around for hours more. Here is what I did to get what I asked for, now working:

iptables -F
iptables -t nat -F
iptables -t nat -A PREROUTING -p tcp -d 10.10.25.21 --dport 1521 -j DNAT --to 172.1.2.20:1521
iptables -t nat -A POSTROUTING -d 172.1.2.20 -j MASQUERADE
echo 1 >/proc/sys/net/ipv4/ip_forward

The only difference between what I have and what this website ( http://wiki.kartbuilding.net/index.php/Iptables_forward ) mentions is the "echo 1 >/proc/sys/net/ipv4/ip_forward" statement at the end.

The beauty of this setup is now ONLY traffic on port 1521 coming into my eth1 (10.10.25.21) will be rerouted to the remote server at 172.1.2.20:1521. Before with the other setup (when it worked), I was sending ALL traffic to 172.1.2.20, regardless of port.

I don't know who to thank - but it did give me a chance to ask and get a reply on this forum.

lumkichi 02-03-2009 03:50 PM

Quote:

Originally Posted by naghi32 (Post 3430840)
Have you tried using tcpdump to see where the packets end?
That's a really handy tool if used properly ( tcpdump -n -i interface ). Remember not to use it in high traffic networks ( it's ok, but lots of packets r gonna show if u don't use filters ).
Well, from what I can see besides that:
are you sure the routing table is set up correctly?
do you have only 1 server or more?
When you set up the VPN you gotta tell that router where it can find the 172.1.2.20 host.
Also when using iptables remember:
existing, established connections allowed
dnat packets for port 80 to internal webserver
and proper snat for the above ( you don't want to request connections on ip x.x.x.x:80 and get a response from x.x.x.y:80, would you? )

Thanks for your reply! I didn't see this before I posted my resolution.

My PC and the linux box can easily see the remote server -- we just simply connect to our network and that remote server is available. Our co-workers in a different location (hence a different subnet) can see MY network and my PCs but can't see the remote server.

In any case, the little shindig I posted is working like a champ. In fact, I've got port 80 on the same NIC pointed to a webserver on my PC, port 23 to another Unix box. All other services, if they are open on the linux box, are handled by the local linux (such as SSH/SFTP) -- so I can log into the linux box at 10.10.25.21:ssh and administer it, but 10.10.25.21:1521 is going to the remote box!

Yaaaaayyyy!

naghi32 02-03-2009 03:51 PM

Wow
I never guessed that you hadn't activated packet forwarding in the kernel :|
echo 1 >/proc/sys/net/ipv4/ip_forward
Well, at least you found out why it wasn't working :)
Packet forwarding is when you want to send packets coming in from one interface through another one (bridging is an exception to this).

lumkichi 02-03-2009 04:33 PM

One other benefit I discovered from this setup: I don't actually need the 2nd NIC card for this. I just removed it, and redid the IP address such that any traffic coming into 10.10.25.20:1521 is rerouted out the same NIC card to 172.1.2.20:1521.

How handy!

iptables -F
iptables -t nat -F
iptables -t nat -A PREROUTING -p tcp -d 10.10.25.20 --dport 1521 -j DNAT --to 172.1.2.20:1521
iptables -t nat -A POSTROUTING -d 172.1.2.20 -j MASQUERADE
echo 1 >/proc/sys/net/ipv4/ip_forward
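An added example, not code posted in this thread: a small POSIX shell script that builds the same DNAT + MASQUERADE + ip_forward setup as lumkichi's working rules (both the two-NIC version above and this single-NIC version), but tightened along the lines naghi32 raised: existing/established connections are accepted explicitly, the FORWARD policy is DROP so only the forwarded port and its replies pass (after "iptables -F" the policy stays ACCEPT, which forwards everything that reaches the box), and the MASQUERADE is limited to the forwarded flow instead of all traffic to the target. The functions only print the commands unless APPLY=1 is set, so the rules can be reviewed before they run; the gen_forward_rules / count_rules / apply_forward_rules names and the APPLY variable are this example's own, and the addresses in the usage call are the ones from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): generate a tightened version of the
# thread's port-forward rules for LOCAL_IP:PORT -> TARGET_IP:TARGET_PORT.
# Nothing is executed unless APPLY=1; by default the commands are printed.

# gen_forward_rules LOCAL_IP PORT TARGET_IP [TARGET_PORT]
# Emits one command per line. Unlike the thread's rules there is no
# "iptables -F", so rules already on the box are kept rather than wiped.
gen_forward_rules() {
    g_local=$1; g_port=$2; g_target=$3; g_tport=${4:-$2}
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d $g_local --dport $g_port -j DNAT --to-destination $g_target:$g_tport
iptables -A FORWARD -p tcp -d $g_target --dport $g_tport -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -A POSTROUTING -p tcp -d $g_target --dport $g_tport -j MASQUERADE
EOF
}

# count_rules: same arguments; number of commands the generator produces.
count_rules() {
    gen_forward_rules "$@" | wc -l | tr -d ' '
}

# apply_forward_rules: same arguments; runs the commands only when APPLY=1,
# otherwise prints them for review.
apply_forward_rules() {
    if [ "${APPLY:-0}" = "1" ]; then
        gen_forward_rules "$@" | sh -e
    else
        gen_forward_rules "$@"
    fi
}

# Usage: the single-NIC case from the thread, 1521 on 10.10.25.20 -> 172.1.2.20.
apply_forward_rules 10.10.25.20 1521 172.1.2.20
```

The POSTROUTING MASQUERADE is what gives the reply a path back through the Linux box (the remote server answers the box, which un-NATs it to the original client); the cost is that the remote server's logs only ever show the box's address, not the real client, so the box's own connection tracking or a tcpdump on it is where the originating client has to be looked up. The "-m conntrack --ctstate" match is the current spelling of the older "-m state --state" form; either works on a 2009-era kernel. Run the script once per forwarded service (the thread also forwards ports 80 and 23 this way), and note that "sysctl -w" does not survive a reboot any more than "echo 1 >/proc/sys/net/ipv4/ip_forward" does; net.ipv4.ip_forward=1 belongs in /etc/sysctl.conf, which is exactly the setting lumkichi lost when the machine power-cycled.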
