Iptables forwarding from gateway back to the inside network
We have a bunch of machines on a private subnet and we can port forward to them really easily; however, they cannot access the port forwards by going to the gateway IP.
So for example:
From the outside world, if I go to the IP of eth0 on port 3341 it works just fine. But if I go from the inside LAN to port 3341 on the eth0 IP, it all fails.
How can I allow the gateway to forward ports back into the LAN when those ports are requested from the LAN?
Think about the packets which are sent back as a reply.
Host A (on the local network) sends a packet to host B (IP:3341) and expects the reply to have src = IP.
But you have a rule
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3341 -j DNAT --to-destination ${PRIVATE_SUBNET}.3
which means the returned packet will have src = ${PRIVATE_SUBNET}.3, since this is the IP of the replying host.
As a result, the reply received by A has an "incorrect" src = ${PRIVATE_SUBNET}.3 instead of the expected IP.
So how can I make it so that PublicIP:3341 goes to ${PRIVATE_SUBNET}.3 both from the outside world and from the LAN?
I know my IPCop does that just fine, but I can't figure out how it's doing it.
The whole trick is to force both the query and the reply to be sent via the router.
When the query is sent from LAN host A, the packet goes to the router (since its dst address is public) and is then routed to the LAN host S (server) with IP ${PRIVATE_SUBNET}.3.
When host S receives the query packet, it sees the packet as sent directly from A (the src address in the query packet belongs to the LAN subnet). So the reply is sent to A directly rather than to the router.
Therefore you have to make host S send the reply to the router by changing the src address in the query packet received by S.
Looks like this (or similar) will help:
# POSTROUTING accepts -o (not -i) and runs after the DNAT, so the destination
# to match is the already-rewritten one; -s limits the SNAT to LAN clients.
iptables -t nat -A POSTROUTING -o eth1 -s ${PRIVATE_SUBNET}.0/24 -d ${PRIVATE_SUBNET}.3 -p tcp --dport 3341 -j SNAT --to-source ${PUBLIC_IP}
(eth1 is the LAN interface)
This way host S will send the reply to host B (the router) rather than directly to host A.
The router will then de-SNAT and de-DNAT it and send the packet on to host A.
I hope I didn't make a mistake above...
And remember that you also need to allow forwarding of the packets from S to A.
Thanks for the reply. I think I understand the problem. I am still trying to get the iptables commands correctly. I'll post back once I get it working.
OK, I have fixed it, but I don't like my fix. My problem was that I do my PREROUTING match on the interface and not on the destination IP, so I use -i eth0 instead of -d ${PUBLICIP}.
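Putting the two pieces of the thread together (the DNAT keyed on the destination address rather than on -i eth0, and the hairpin SNAT plus the FORWARD rules from the reply above), here is a complete rule set as an added example; it is not code from anyone in the thread. All names and addresses are placeholders I have assumed: eth0 as WAN, eth1 as LAN, 203.0.113.10 as the router's public address, 192.168.1.0/24 as the LAN and 192.168.1.3 as the internal server. Run it without arguments to print the rules for review, or as root with `apply` to load them.

```shell
#!/bin/sh
# Added example (not from the thread): hairpin / NAT-loopback rule set for
# one TCP port forward on a Linux router. All values below are assumed
# placeholders: eth0 = WAN, eth1 = LAN, 203.0.113.10 = router's public
# address (RFC 5737 documentation range), 192.168.1.3 = internal server.
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_SUBNET="${LAN_SUBNET:-192.168.1.0/24}"
SERVER="${SERVER:-192.168.1.3}"
PORT="${PORT:-3341}"

# Emit the rules as text so they can be reviewed before touching the
# live firewall; apply_hairpin_rules feeds this output to sh.
hairpin_rules() {
  cat <<EOF
# 1. DNAT keyed on the destination address, not the ingress interface: the
#    same rule then matches packets arriving on ${WAN_IF} and on ${LAN_IF}.
iptables -t nat -A PREROUTING -d ${PUBLIC_IP} -p tcp --dport ${PORT} -j DNAT --to-destination ${SERVER}
# 2. Hairpin SNAT, LAN clients only. POSTROUTING runs after the DNAT, so the
#    destination to match is ${SERVER}, and it can match -o but never -i.
#    Without -s, Internet clients would be rewritten too and the server
#    would log every connection as coming from ${PUBLIC_IP}.
iptables -t nat -A POSTROUTING -o ${LAN_IF} -s ${LAN_SUBNET} -d ${SERVER} -p tcp --dport ${PORT} -j SNAT --to-source ${PUBLIC_IP}
# 3. Let the forwarded connection through. Replies are matched by conntrack
#    and de-SNATed / de-DNATed by the nat table automatically.
iptables -A FORWARD -d ${SERVER} -p tcp --dport ${PORT} -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s ${SERVER} -p tcp --sport ${PORT} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Load the rules (root required) after making sure forwarding is enabled.
apply_hairpin_rules() {
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  hairpin_rules | sh -e
}

case "${1:-print}" in
  apply) apply_hairpin_rules ;;
  *)     hairpin_rules ;;
esac
```

To confirm the hairpin is working, a packet capture on the server should show the LAN client's connection arriving with src 203.0.113.10 (the SNATed address), and `conntrack -L` on the router should show a single entry for that connection carrying both the DNAT and the SNAT mapping. If the server instead sees the client's real LAN address, the POSTROUTING rule is not matching and the reply is bypassing the router.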