Iptables and DNAT

_TeRmInEt_ · 11-24-2009, 11:24 AM

Server A: x.x.x.x and it is eth0:1
Server B: y.y.y.y

Code:

-A PREROUTING -d x.x.x.x/32 -p tcp -m tcp --dport zzz -j DNAT --to-destination y.y.y.y:www
-A POSTROUTING -o eth0 -j MASQUERADE

Whit that rules I can connect to x.x.x.x:zzz and it reponse y.y.y.y:www

The problem is that x.x.x.x is exit with another ip (eth0)... I would like that x.x.x.x connect to y.y.y.y, is there a way?

Thank you

centosboy · 11-24-2009, 11:32 AM

Quote:

Originally Posted by _TeRmInEt_

Server A: x.x.x.x and it is eth0:1
Server B: y.y.y.y

Code:

-A PREROUTING -d x.x.x.x/32 -p tcp -m tcp --dport zzz -j DNAT --to-destination y.y.y.y:www
-A POSTROUTING -o eth0 -j MASQUERADE

Whit that rules I can connect to x.x.x.x:zzz and it reponse y.y.y.y:www

The problem is that x.x.x.x is exit with another ip (eth0)... I would like that x.x.x.x connect to y.y.y.y, is there a way?

Thank you

yes.
assuming you have forwarding turned on -

turn it on in /etc/sysctl.conf (net.ipv4.ip_forward = 1) then run sysctl -p

something like

Code:

iptables  -I PREROUTING -t nat  -p tcp -d x.x.x.x/32 --dport zzz  -j DNAT --to x.x.x.x:www

would work

_TeRmInEt_ · 11-24-2009, 11:55 AM

Quote:

Originally Posted by centosboy

yes.
assuming you have forwarding turned on -

turn it on in /etc/sysctl.conf (net.ipv4.ip_forward = 1) then run sysctl -p

something like

Code:

iptables  -I PREROUTING -t nat  -p tcp -d x.x.x.x/32 --dport zzz  -j DNAT --to x.x.x.x:www

would work

Uhm...

Code:

peng:/home/terminet# sysctl -p
net.ipv4.ip_forward = 1

Tried but doesn't work, it still connecting using eth0 ip

Cybrax · 11-24-2009, 12:16 PM

Quote:

Originally Posted by _TeRmInEt_

Server A: x.x.x.x and it is eth0:1
Server B: y.y.y.y

Code:

-A PREROUTING -d x.x.x.x/32 -p tcp -m tcp --dport zzz -j DNAT --to-destination y.y.y.y:www
-A POSTROUTING -o eth0 -j MASQUERADE

Whit that rules I can connect to x.x.x.x:zzz and it reponse y.y.y.y:www

The problem is that x.x.x.x is exit with another ip (eth0)... I would like that x.x.x.x connect to y.y.y.y, is there a way?

Thank you

this seems to work for my script

Code:

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 40568 -j DNAT --to-destination 192.168.0.10:40568

so it should be right what you are doing

i dont know what your scripts is like
but if you are making or also having a firewall
maybe thisline will help

Code:

iptables -A FORWARD -i eth0 -p tcp --dport 40568 -j ACCEPT

_TeRmInEt_ · 11-24-2009, 01:59 PM

Quote:

Originally Posted by Cybrax

this seems to work for my script

Code:

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 40568 -j DNAT --to-destination 192.168.0.10:40568

so it should be right what you are doing

i dont know what your scripts is like
but if you are making or also having a firewall
maybe thisline will help

Code:

iptables -A FORWARD -i eth0 -p tcp --dport 40568 -j ACCEPT

You're are right it works BUT no how I would like.

Under eth0, I've many public ips:

eth0 = x.x.x.x
eth0:1 = y.y.y.y
eth0:2 = z.z.z.z
eth0:3 = w.w.w.w

The point is that DNAT routing with x.x.x.x (look the logs), instead of y.y.y.y

This is the point.

Tnx

Cybrax · 11-24-2009, 02:31 PM

Quote:

Originally Posted by _TeRmInEt_

You're are right it works BUT no how I would like.

Under eth0, I've many public ips:

eth0 = x.x.x.x
eth0:1 = y.y.y.y
eth0:2 = z.z.z.z
eth0:3 = w.w.w.w

The point is that DNAT routing with x.x.x.x (look the logs), instead of y.y.y.y

This is the point.

Tnx

Ok i see what you mean maybe the source flag -s y.y.y.y
but i duobt that

thats a bit out of my leage yet

edit

or how about try this

instead of eth0 eth0:1

_TeRmInEt_ · 11-24-2009, 02:49 PM

Quote:

Originally Posted by Cybrax

Ok i see what you mean maybe the source flag -s y.y.y.y
but i duobt that

thats a bit out of my leage yet

edit

or how about try this

instead of eth0 eth0:1

With -s you filter the source (only source can connect to).

eth0:1 synatax isn't allowed by iptables

Cybrax · 11-24-2009, 03:00 PM

Quote:

Originally Posted by _TeRmInEt_

With -s you filter the source (only source can connect to).

eth0:1 synatax isn't allowed by iptables

lol trying to put in my 2 cents but i learn more from you then vice versa :P

thats all i can do hope you find a solution

_TeRmInEt_ · 11-24-2009, 04:10 PM

Np tnx

_TeRmInEt_ · 11-24-2009, 06:56 PM

The problem was the masquerate that takes the default gateway. It was enough to set a SNAT to resolve