Linux - Networking
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
I think I have covered the layout of my internal network. So my current situation is this. My router does have a limited NAT capability, by that I mean I am able to configure the router to take an incoming connection on port 3389 (for instance) and redirect that connection to an internal machine (i.e. 192.168.2.2).
But I have no option in my router for taking an incoming connection on port 18605 and directing it to 192.168.2.5 on port 5901.
So I have done some reading online and in the 'man iptables' on my CentOS system. My understanding is that I should be able to tell iptables to take an incoming connection on port 18605 and redirect it and all subsequent connections in the same stream to 192.168.2.5 on port 5901.
I have tried entering rules in the nat table of iptables, things like...
I hope I have provided enough information regarding my situation. I would like any help anyone could give me. I have a good understanding of the Linux O/S, and I would always rather learn than have it done for me. :-)
If anyone needs more information I will be happy to provide it in further posts. Thanks in advance.
1. Ensure the router is configured to send packets destined for port 18605 to 192.168.2.20 (I assume this is the machine you've set up the iptables rules on).
and
2. The filter table rule should be in the FORWARD, not INPUT chain. Also, the destination port in that rule might need to be 5901, depending on whether iptables passes the packet through the nat or filter tables first. Don't quote me on this, but I think the PREROUTING chains (in all tables) are traversed first, such that when the packet arrives in the FORWARD chain in the filter table, its destination port will be 5901. I'm sure there's a pretty picture on the netfilter website that shows how the tables are traversed.
P.S. The LOG target is always useful in these situations.
I just realised there's another problem with this configuration. When the packet arrives at 192.168.2.5, its source address will be the internet address that the packet originated from. 192.168.2.5 will reply directly to this address. Fine, you may think. Wrong! The destination port has been changed on the way in from 18605 to 5901. The reply from 192.168.2.5 to the originator will be from source port 5901, but the originator expects its reply to come from port 18605. The source port number in the outgoing direction needs to be changed back for the reply to be valid. See RFC793. It'd take me some serious thinking to figure out how to do this, if it can be done at all. You need to change the source address of the incoming packet to make 192.168.2.5 send any replies back via the iptables NAT router. The router will need to keep track of the original address from which the connection originated. You might be able to do this with an SNAT or MASQUERADE rule in the POSTROUTING chain, if it can be done at all.
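The two replies above describe the three pieces a port forward on a host that is not the LAN's default gateway needs: a DNAT in nat PREROUTING (traversed before routing, so the filter FORWARD chain already sees port 5901), an ACCEPT in FORWARD, and a source rewrite in nat POSTROUTING so that 192.168.2.5's replies come back through the iptables box instead of going straight to the router with source port 5901. The script below is an added example, not code from the thread; it assumes the iptables host is 192.168.2.20 with LAN interface eth0, and by default it only prints the rules (run it with DRY_RUN=0 as root to load them).

```shell
#!/bin/sh
# Port-forward TCP 18605 (arriving from the home router) to 192.168.2.5:5901
# on a CentOS host that sits on the same LAN as the VNC server.
# Added example, not from the thread; the forwarding host's address
# (192.168.2.20) and its LAN interface name (eth0) are assumptions.

WAN_PORT=18605          # port the router forwards to this host
VNC_HOST=192.168.2.5    # final destination
VNC_PORT=5901
LAN_IF=eth0             # interface facing 192.168.2.0/24 (assumed)
DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands, 0 = execute them as root

# run: echo a command in dry-run mode, otherwise execute it
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

apply_port_forward() {
    # 1. The kernel must route between interfaces, otherwise packets
    #    never reach the filter FORWARD chain at all.
    run sysctl -w net.ipv4.ip_forward=1

    # 2. nat PREROUTING runs before routing and before filter FORWARD, so
    #    the destination is rewritten first; conntrack records the mapping
    #    and undoes it on the reply packets of the same connection.
    run iptables -t nat -A PREROUTING -p tcp --dport "$WAN_PORT" \
        -j DNAT --to-destination "$VNC_HOST:$VNC_PORT"

    # 3. filter FORWARD sees the packet after DNAT, so match port 5901,
    #    not 18605. LOG here: the source is still the real client address
    #    (POSTROUTING has not run yet), which the VNC server will not see.
    run iptables -A FORWARD -p tcp -d "$VNC_HOST" --dport "$VNC_PORT" \
        -m state --state NEW -j LOG --log-prefix "vnc-fwd-new: "
    run iptables -A FORWARD -p tcp -d "$VNC_HOST" --dport "$VNC_PORT" \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 4. 192.168.2.5's default gateway is the router, not this host, so a
    #    reply addressed to the client's public address would bypass this
    #    host and leave with source port 5901. Rewriting the source to this
    #    host's LAN address forces the replies back through it, where
    #    conntrack restores both the client's address and port 18605.
    run iptables -t nat -A POSTROUTING -o "$LAN_IF" -p tcp \
        -d "$VNC_HOST" --dport "$VNC_PORT" -j MASQUERADE
}

apply_port_forward
```

The MASQUERADE rule is what makes the path symmetric, but it also means the VNC server only ever logs 192.168.2.20 as the peer; the LOG rule in FORWARD, which fires before POSTROUTING, is therefore the only place the originating address is recorded, and it is worth keeping for the audit trail.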
I see that exact problem you describe when I look at the logs gathered from Wireshark.
I will have to go back to the drawing board on this one, I guess. If anyone has any suggestions as to how I may accomplish what I am after, that would be great, thanks.