Old 11-09-2008, 02:04 PM   #1
LQ Newbie
Registered: Sep 2006
Posts: 6

Rep: Reputation: 0
iptables rules to NAT or FORWARD packets between LAN clients

Hi all,
Trouble solving the following problem:

     A (router)
     |        |
     B        C

A = router, WAN x.x.x.x, LAN
B = Debian server
C = Win 2003 machine
In short: A has NAT enabled and its default server is B, so every incoming connection reaches B.
For a reason that would take too long to explain, I need to redirect incoming connections to B on port 3389 (RDP) to C on port 60001.

iptables -A PREROUTING -t nat -p tcp -d B_IP --dport 3389 -j DNAT --to-destination C_IP:60001

Packets reach C, but I suppose I need to have them routed on the way back. How do I do that? SNAT or MASQUERADE? With a couple of SNAT rules it roughly works, but I'm sure I'm missing something.



Last edited by acid_kewpie; 11-09-2008 at 02:21 PM.
Old 11-11-2008, 12:01 PM   #2
LQ Newbie
Registered: May 2007
Posts: 25

Rep: Reputation: 15
If my understanding is correct, you have two NICs in B, one connected to A and one connected to C? If so, you need to have IP forwarding enabled on B and add rules to the FORWARD chain on B so that packets destined for C will route through B.
Old 11-11-2008, 03:29 PM   #3
LQ Newbie
Registered: Mar 2004
Location: Pennsylvania
Distribution: CentOS
Posts: 28

Rep: Reputation: 15
check your default gateway on Machine C. I've screwed that part up before on a Win2k3 Terminal Server.
Old 11-16-2008, 01:21 AM   #4
LQ Newbie
Registered: Sep 2006
Posts: 6

Original Poster
Rep: Reputation: 0
Clarifying: B has only one NIC and is on the same LAN as A and C.
With FORWARD I think I would have a problem with the packet's return path; moreover, I cannot change the port when forwarding. I could first REDIRECT and then FORWARD to C_IP with the new port, but something on the way back would still be missing.
my solution has been:

iptables -A PREROUTING -t nat -p tcp -d B_IP --dport 3389 -j DNAT --to-destination C_IP:60001
iptables -A POSTROUTING -t nat -p tcp -d C_IP --dport 60001 -j SNAT --to-source B_IP:3389

For some reason it starts working slowly, then the connection hangs and times out.
Instead, if in the second rule I just enter --to-source B_IP (without specifying any port), it looks to be working fine.
Any idea why? Might it be because the outgoing port B is using is not 3389 but some 25xxx or similar higher port, so it expects the packet on the way back on that same port?

Finally, is this NAT solution the correct one, or would some forwarding rule be better?

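As an added example (not code from the thread or any of its posters), here is the complete rule set for B that post #4 converged on, with the SNAT port left unspecified, combined with the ip_forward and FORWARD-chain pieces post #2 asks for. The addresses are assumed placeholders from TEST-NET-1 (192.0.2.0/24), not values from the thread; the script prints the rules for review and only applies them when run as root with APPLY=1.

```shell
#!/bin/sh
# Hairpin port forward on B (one NIC, same LAN as A and C):
#   client:p -> B_IP:3389   becomes   client:p -> C_IP:60001   (DNAT, nat/PREROUTING)
#   and then                          B_IP:p   -> C_IP:60001   (SNAT, nat/POSTROUTING)
# C therefore replies to B, and conntrack reverses both translations on the
# way back. Without the SNAT, C would answer the client directly from
# C_IP:60001; the client expects B_IP:3389 and discards the reply.
# Addresses are assumed placeholders (TEST-NET-1), not from the thread.
set -eu

B_IP="${B_IP:-192.0.2.10}"
C_IP="${C_IP:-192.0.2.20}"
IN_PORT="${IN_PORT:-3389}"
OUT_PORT="${OUT_PORT:-60001}"

# Print the rule set for review; pipe to sh (as root) to apply it.
nat_rules() {
    b="$1"; c="$2"; in_p="$3"; out_p="$4"
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -p tcp -d $b --dport $in_p -j DNAT --to-destination $c:$out_p
iptables -t nat -A POSTROUTING -p tcp -d $c --dport $out_p -j SNAT --to-source $b
iptables -A FORWARD -p tcp -d $c --dport $out_p -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -s $c --sport $out_p -m conntrack --ctstate ESTABLISHED -j ACCEPT
EOF
}

# Sanity check: the SNAT must not pin a source port. With --to-source B_IP:3389
# (the variant the poster reported as hanging) every translated flow would be
# forced onto the same source port; with no port given, iptables keeps the
# client's source port where it can and picks a free one on collision.
check_rules() {
    if printf '%s\n' "$1" | grep -q -- '--to-source [0-9.]*:[0-9]'; then
        echo "SNAT rule pins a source port; drop the :port from --to-source" >&2
        return 1
    fi
    return 0
}

rules=$(nat_rules "$B_IP" "$C_IP" "$IN_PORT" "$OUT_PORT")
check_rules "$rules"
if [ "${APPLY:-0}" = "1" ]; then
    printf '%s\n' "$rules" | sh      # needs root and iptables on B
else
    printf '%s\n' "$rules"
fi
```

After applying, `iptables -t nat -S` on B should show both nat rules, and while an RDP session is open `conntrack -L -p tcp --dport 60001` (if the conntrack tool is installed) shows the flow once as client -> B_IP:3389 and once as B_IP -> C_IP:60001, which is exactly the pair of translations the return path relies on. The FORWARD rules matter only if B's FORWARD policy is DROP; with the default ACCEPT policy they are redundant but document the intended traffic.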
Old 11-27-2010, 09:26 PM   #5
LQ Newbie
Registered: Sep 2009
Posts: 14

Rep: Reputation: 0
Hi, sorry to revive an old thread, but can anyone explain if/why this works? I have exactly the same scenario and can't find a solution anywhere.
Old 11-28-2010, 09:00 AM   #6
Senior Member
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

Rep: Reputation: 231
What kind of a router is "A"?
  1. appliance,
  2. dedicated distro (SmoothWall, IPCop, etc.),
  3. home grown,
  4. other?

Is this a clearer picture of the LAN?
 (       )    |    A     |
(  'Net   )===|  router  |
 (       )    +----------+
                |      |
              +---+  +---+ 
              | B |  | C | 
              +---+  +---+

