LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 02-03-2009, 02:25 PM   #1
lumkichi
LQ Newbie
 
Registered: Feb 2004
Posts: 7

Rep: Reputation: 0
Forwarding using iptables - I can't figure it out anymore...


At one time I had this working, but the machine rebooted and lost the iptables setup. Now I can't get it to work. I've also tried reading a number of related articles and they're not *quite* my situation.

I have the following computers:

REMOTE SERVER: 172.1.2.20 (via VPN)

LOCAL PC: 10.10.25.20, 10.10.25.21 running Ubuntu

MY PC: 10.10.25.200

REMOTE PC: 10.20.3.20
====================================

The machines on the local network (10.10.25.0/8) can see the 172.1.2.20 machine over a VPN. But our remote co-workers at 10.20.3.20 cannot.

So I took the linux machine at 10.10.25.20 and added another NIC. I did some IP table mumbo jumbo once and I was able to redirect all traffic coming into the 2nd NIC card (eth1) to 172.1.2.20 via the 1st NIC card (eth0). The server rebooted after a power outage and now I can't replicate the setup. Here's what I've scribbled down previously.

# note eth0 IP = 10.10.25.20
# note eth1 IP = 10.10.25.21
export eth0IP=`ifconfig eth0 | grep "inet addr" | cut -d: -f2 | cut -dB -f1`
export eth1IP=`ifconfig eth1 | grep "inet addr" | cut -d: -f2 | cut -dB -f1`
iptables -F
iptables -t nat -F
iptables -t nat -A PREROUTING -i eth1 -j DNAT --to 172.1.2.20
iptables -A FORWARD -p tcp -i eth0 -d 172.1.2.20 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to ${eth1IP}
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to ${eth0IP}

What am I doing wrong? I wanted to be able to connect to 10.10.25.21 and have all traffic forwarded to 172.1.2.20 via 10.10.25.20.


Really, all I wanted to do was to do port-forwarding on port 1521 to 172.1.2.20:1521 - but that became too cumbersome and nothing I tried worked...

I've looked at these articles and tried to adapt them to my own to no avail:

http://www.debian-administration.org/articles/73
http://wiki.kartbuilding.net/index.php/Iptables_forward <-- this was the closest to my problem, but didn't work.
http://www.linuxquestions.org/questi...arding-574868/
http://www.linuxquestions.org/questi...fusing-551254/
http://www.linuxquestions.org/questi...-ports-184343/
https://www.linuxquestions.org/quest...ptables-66389/ <- this guy asked a similar question with no response.
===================

I've tried to setup a small webserver on my PC, and reroute traffic from one NIC to the other to my PC. In the past, my webserver responded, but the return path was not properly defined so the traffic never made it back. I had to add the two POSTROUTING lines above.

Today, I'm switching eth1 for eth0 in various combinations, but to no avail... Can somebody help me figure this out?

Thank you sooo much in advance.

Last edited by lumkichi; 02-03-2009 at 02:43 PM.
 
Old 02-03-2009, 04:14 PM   #2
naghi32
Member
 
Registered: Dec 2008
Distribution: Slackware
Posts: 39

Rep: Reputation: 17
Have you tried using tcpdump to see where the packets end?
That's a really handy tool if used properly (tcpdump -n -i interface); remember not to use it in high-traffic networks (it's OK, but lots of packets are going to show if you don't use filters).
Well, from what I can see besides that:
are you sure the routing table is set up correctly?
do you have only 1 server or more?
When you set up the VPN you've got to tell that router where it can find the 172.1.2.20 host.
Also, when using iptables remember:
existing, established connections allowed
DNAT packets for port 80 to the internal web server
and proper SNAT for the above (you don't want to request connections on IP x.x.x.x:80 and get a response from x.x.x.y:80, would you?)
 
Old 02-03-2009, 04:45 PM   #3
lumkichi
LQ Newbie
 
Registered: Feb 2004
Posts: 7

Original Poster
Rep: Reputation: 0

Well, I just answered my own question after fumbling around for hours more. Here is what I did to get what I asked for, now working:

# flush the existing filter and nat rules
iptables -F
iptables -t nat -F
# rewrite the destination of TCP/1521 arriving for 10.10.25.21 to the remote server
iptables -t nat -A PREROUTING -p tcp -d 10.10.25.21 --dport 1521 -j DNAT --to 172.1.2.20:1521
# rewrite the source of forwarded packets going to 172.1.2.20 to this box's own address so replies come back through it
iptables -t nat -A POSTROUTING -d 172.1.2.20 -j MASQUERADE
# enable IP forwarding in the kernel (the missing piece; this setting does not survive a reboot)
echo 1 >/proc/sys/net/ipv4/ip_forward

The only difference between what I have and what this website ( http://wiki.kartbuilding.net/index.php/Iptables_forward ) mentions is the "echo 1 >/proc/sys/net/ipv4/ip_forward" statement at the end.

The beauty of this setup is now ONLY traffic on port 1521 coming into my eth1 (10.10.25.21) will be rerouted to the remote server at 172.1.2.20:1521. Before with the other setup (when it worked), I was sending ALL traffic to 172.1.2.20, regardless of port.

I don't know who to thank - but it did give me a chance to ask and get a reply on this forum.
 
Old 02-03-2009, 04:50 PM   #4
lumkichi
LQ Newbie
 
Registered: Feb 2004
Posts: 7

Original Poster
Rep: Reputation: 0

Quote:
Originally Posted by naghi32
Have you tried using tcpdump to see where the packets end?
That's a really handy tool if used properly (tcpdump -n -i interface); remember not to use it in high-traffic networks (it's OK, but lots of packets are going to show if you don't use filters).
Well, from what I can see besides that:
are you sure the routing table is set up correctly?
do you have only 1 server or more?
When you set up the VPN you've got to tell that router where it can find the 172.1.2.20 host.
Also, when using iptables remember:
existing, established connections allowed
DNAT packets for port 80 to the internal web server
and proper SNAT for the above (you don't want to request connections on IP x.x.x.x:80 and get a response from x.x.x.y:80, would you?)
Thanks for your reply! I didn't see this before I posted my resolution.

My PC and the Linux box can easily see the remote server -- we just connect to our network and that remote server is available. Our co-workers in a different location (hence a different subnet) can see MY network and my PCs but can't see the remote server.

In any case, the little shindig I posted is working like a champ. In fact, I've got port 80 on the same NIC pointed to a webserver on my PC, and port 23 to another Unix box. All other services, if they are open on the Linux box, are handled by the local Linux box (such as SSH/SFTP) -- so I can log into the Linux box at 10.10.25.21:ssh and administer it, but 10.10.25.21:1521 is going to the remote box!

Yaaaaayyyy!
 
Old 02-03-2009, 04:51 PM   #5
naghi32
Member
 
Registered: Dec 2008
Distribution: Slackware
Posts: 39

Rep: Reputation: 17
Wow,
I never guessed that you hadn't activated packet forwarding in the kernel :|
echo 1 >/proc/sys/net/ipv4/ip_forward
Well, at least you found out why it wasn't working.
Packet forwarding is when you want to send packets coming in from one interface through another one (bridging is an exception to this).
 
Old 02-03-2009, 05:33 PM   #6
lumkichi
LQ Newbie
 
Registered: Feb 2004
Posts: 7

Original Poster
Rep: Reputation: 0
One other benefit I discovered from this setup: I don't actually need the 2nd NIC card for this. I just removed it, and redid the IP address such that any traffic coming into 10.10.25.20:1521 is rerouted out the same NIC card to 172.1.2.20:1521.

How handy!

# flush the existing filter and nat rules
iptables -F
iptables -t nat -F
# rewrite the destination of TCP/1521 arriving for 10.10.25.20 to the remote server
iptables -t nat -A PREROUTING -p tcp -d 10.10.25.20 --dport 1521 -j DNAT --to 172.1.2.20:1521
# rewrite the source of forwarded packets going to 172.1.2.20 to this box's own address so replies come back through it
iptables -t nat -A POSTROUTING -d 172.1.2.20 -j MASQUERADE
# enable IP forwarding in the kernel (this setting does not survive a reboot)
echo 1 >/proc/sys/net/ipv4/ip_forward
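As an added example that is not from the thread: the port-1521 forward from posts #3 and #6, emitted in iptables-restore format so it can be saved and reloaded at boot (the original post starts with the rules being lost at reboot), with the FORWARD chain locked down so the box forwards only that one flow. The function names and the iptables-restore approach are my assumptions; the addresses and port are the thread's.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits the thread's port-1521 forward in
# iptables-restore format so it can be saved to a file and reloaded at boot; the OP's
# rules lived only in the running kernel and vanished at reboot.
# Function names and the iptables-restore approach are assumptions; addresses are the thread's.

# gen_forward_rules LISTEN_IP PORT TARGET_IP TARGET_PORT
gen_forward_rules() {
    listen_ip=$1; port=$2; target_ip=$3; target_port=$4
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Match one TCP port only; the OP's first attempt DNATed every port arriving on eth1.
-A PREROUTING -p tcp -d $listen_ip --dport $port -j DNAT --to-destination $target_ip:$target_port
# Source-rewrite only the forwarded flow. No -o, so it works whether the route to the
# target leaves via eth0 or a VPN tunnel interface. MASQUERADE hides the real client IP
# from the remote server's logs; use SNAT plus logging on this box if you need an audit trail.
-A POSTROUTING -p tcp -d $target_ip --dport $target_port -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# With ip_forward=1 and an empty FORWARD chain whose policy is ACCEPT (what 'iptables -F'
# leaves behind), the box routes anything between its networks. Default DROP, allow one flow.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p tcp -d $target_ip --dport $target_port -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# The kernel knob the thread found missing. 'echo 1 > /proc/sys/net/ipv4/ip_forward'
# does not survive a reboot; net.ipv4.ip_forward=1 in /etc/sysctl.conf does.
ip_forward_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Save the output to a file, then load it with: iptables-restore < that-file
gen_forward_rules 10.10.25.20 1521 172.1.2.20 1521
ip_forward_enabled || echo "ip_forward is off: set net.ipv4.ip_forward=1" >&2
```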