Help with port translation using iptables
New to iptables and not getting expected results, here's the problem:
I'm trying to build a proxy for SNMPv3 communication between a border router and an internal cacti box. I've got a CentOS 5 server set up in a DMZ network segment adjacent to the border router and firewall rules set up to allow traffic on specified ports from the internal cacti server to the proxy server. Ideally I would like to monitor several other switches in this DMZ network also so the thinking is that we would set up SNMP queries in cacti on certain ports for certain devices and make DNAT rules in iptables.
Examples:
Border router = 192.168.1.2
DMZ Switch 1 = 192.168.1.3
DMZ Switch 2 = 192.168.1.4
Proxy Server = 192.168.1.5
Cacti Server = 10.0.1.2
Cacti SNMP query for border router would target 192.168.1.5 on port 50102, and the proxy would contain a NAT rule to forward the traffic to 192.168.1.2 on port 161.
# iptables -t nat -A PREROUTING -p udp --dport 50102 -j DNAT --to-destination 192.168.1.2:161
For the DMZ switch 1, the query would target port 50103 and the iptables rule would look like this:
# iptables -t nat -A PREROUTING -p udp --dport 50103 -j DNAT --to-destination 192.168.1.3:161
So first of all, the targets are not getting the queries. I can see the requests hitting the proxy with tcpdump, but they are not leaving. I tried isolating the port translation issue by issuing the queries on port 161 and simply forwarding SNMP to one of the targets in the DMZ with no luck still...
That's the biggest problem. I've got further questions about how to handle responses once I start actually seeing them, like do I need to make a reverse rule for the responses since this is a UDP protocol?
Last edited by Allesmachine; 08-10-2010 at 01:27 PM.
Reason: spelling error
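As an added example (not part of the original post), here is a POSIX shell script that builds the complete DNAT proxy set-up described above: the PREROUTING DNAT rules from the post, plus the three things a DNAT rule needs before a forwarded packet can actually leave the box. Forwarding must be enabled (net.ipv4.ip_forward=1), the FORWARD chain must accept the rewritten packet, and the target must send its reply back through the proxy; the POSTROUTING SNAT below guarantees that, and once the reply reaches the proxy, connection tracking reverses the DNAT automatically, for UDP as well as TCP, so no hand-written reverse rule is needed. The rules are also restricted to queries from the Cacti address so the proxy does not relay SNMP for anyone else. The port 50104 for DMZ Switch 2 is an assumption (the post gives no port for it); the script only prints the commands unless APPLY=1 is set, so it can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example: SNMP DNAT proxy rules for the set-up in the post above.
# Addresses are taken from the post; port 50104 for DMZ Switch 2 is assumed.

PROXY_IP="192.168.1.5"   # proxy server in the DMZ
CACTI_IP="10.0.1.2"      # internal Cacti server, the only allowed querier

# "listen-port target-ip" pairs: one proxy port per monitored device
MAP="50102 192.168.1.2
50103 192.168.1.3
50104 192.168.1.4"

# Emit the three rules for one mapping (printed, not executed).
dnat_rules() {
  port="$1"
  target="$2"
  # 1. Rewrite the destination of Cacti's query to <target>:161.
  echo "iptables -t nat -A PREROUTING -s $CACTI_IP -p udp --dport $port -j DNAT --to-destination $target:161"
  # 2. Allow the rewritten packet through FORWARD (needed when the policy is DROP).
  echo "iptables -A FORWARD -s $CACTI_IP -d $target -p udp --dport 161 -j ACCEPT"
  # 3. Source-NAT the query to the proxy so the target replies to the proxy;
  #    conntrack then undoes both the DNAT and the SNAT on the reply.
  echo "iptables -t nat -A POSTROUTING -d $target -p udp --dport 161 -j SNAT --to-source $PROXY_IP"
}

# Emit the full rule set: forwarding, reply handling, then every mapping.
all_rules() {
  echo "sysctl -w net.ipv4.ip_forward=1"
  # Replies belong to a tracked "connection" even for UDP; let them back through.
  echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
  echo "$MAP" | while read port target; do
    dnat_rules "$port" "$target"
  done
}

# Print by default; APPLY=1 executes the commands (run as root).
if [ "${APPLY:-0}" = "1" ]; then
  all_rules | sh -e
else
  all_rules
fi
```

Run it once without APPLY to read the generated commands, then `APPLY=1 ./snmp-proxy.sh` as root. The SNAT in step 3 is what makes the design robust: without it the switches reply directly to 10.0.1.2, the reply never passes the proxy, and Cacti sees a response from 192.168.1.2:161 instead of 192.168.1.5:50102 and discards it.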