Network A - Firewall - WebServer (Network B)
I have these rules:
Code:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 86 -j DNAT --to 192.168.1.56:80
iptables -A FORWARD -s 192.168.1.56 -o eth1 -p tcp --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -d 192.168.1.56 -i eth1 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.1.56 -o eth1 -j MASQUERADE
At the bottom of the script, there are rules logging INPUT, OUTPUT and FORWARD before dropping the packets, and it looks as if I needed to open port 86 on the firewall itself.
Code:
Sep 25 11:44:01 firewall kernel: INPUT-Drop: IN=eth1 OUT= MAC=... SRC=10.140.1.5 DST=10.140.1.9 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=45454 DF PROTO=TCP SPT=60490 DPT=86 WINDOW=453 RES=0x00 ACK FIN URGP=0
But there is no service listening on port 86. That port is just used to access the web server, which is in a VM.
As I cannot test this, because it's a production environment and I need to make sure most of it is going to work before enabling the new configuration, what do you think about that dropped traffic? Is it relevant? I have never seen a packet intended for NAT end up in INPUT.
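As an added example, not part of the original post, here is a small shell classifier for netfilter LOG lines like the one above. It rests on one conntrack fact: the nat PREROUTING chain is consulted only for the first packet of a connection, so a segment that arrives with no conntrack entry (a FIN/ACK after the entry has expired, for instance) is never DNATed, keeps the firewall's own address as DST and therefore lands in INPUT. The MAC value in the sample line is constructed; everything else mirrors the logged packet.

```shell
#!/bin/sh
# Added example (not from the original post): classify a netfilter LOG line
# by its TCP flags, to separate a new connection (the only packet the nat
# PREROUTING chain can DNAT) from a late segment that conntrack no longer
# tracks and that consequently falls through, un-rewritten, to INPUT.

# Print the value of KEY=VALUE field $2 from LOG line $1 (empty if absent).
nf_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Print a verdict for one LOG line:
#   new-connection  : SYN without ACK; the packet nat PREROUTING decides on
#   handshake-reply : SYN+ACK, second step of a handshake
#   late-segment    : FIN/RST/ACK without SYN; cannot be DNATed without a
#                     conntrack entry, harmless when nothing listens there
#   non-tcp         : not a TCP packet
classify_nf_log() {
    line=$1
    [ "$(nf_field "$line" PROTO)" = "TCP" ] || { echo non-tcp; return 0; }
    # TCP flags are logged as bare words between RES=... and URGP=...
    flags=$(printf '%s\n' "$line" | sed -n 's/.*RES=[^ ]* \(.*\) URGP=.*/\1/p')
    case " $flags " in
        *" SYN "*)
            case " $flags " in
                *" ACK "*) echo handshake-reply ;;
                *)         echo new-connection ;;
            esac ;;
        *" FIN "*|*" RST "*|*" ACK "*) echo late-segment ;;
        *) echo unknown ;;
    esac
}

# Constructed sample with the same shape as the dropped packet in the post.
SAMPLE='Sep 25 11:44:01 firewall kernel: INPUT-Drop: IN=eth1 OUT= MAC=00:00:00:00:00:00 SRC=10.140.1.5 DST=10.140.1.9 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=45454 DF PROTO=TCP SPT=60490 DPT=86 WINDOW=453 RES=0x00 ACK FIN URGP=0'

# Usage: report source, destination/port and the verdict for the sample.
printf '%s -> %s/%s : %s\n' "$(nf_field "$SAMPLE" SRC)" \
    "$(nf_field "$SAMPLE" DST)" "$(nf_field "$SAMPLE" DPT)" \
    "$(classify_nf_log "$SAMPLE")"
```

A `late-segment` verdict on a port that only exists as a DNAT target means the drop is a leftover of an already-closed connection, not a missing INPUT rule.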