iptables - Reply Forwarding Error / Destination unreachable (Host unreachable)

keflex87 · 05-04-2015, 02:32 AM

Hallo,

i would like to route a VNC Connection from a PC(VNC-Client) over a Raspberry-PI(with 2 Network Interfaces) to a SPS(VNC-Server)

VNC Port: >= TCP 5900

PC/VNC-Client(192.168.56.48) VNC Client <--> RaspberryPI(eth1:192.168.70.197) <--> (eth0:10.0.0.2) <--> SPS/VNC-Server(10.0.0.1).

For my first test i use icmp(ping) instead of VNC. My routing commands:

LOCAL_IFACE=eth0
INET_IFACE=eth1
INET_ADDRESS=192.168.70.197
LOCAL_ADDRESS=10.0.0.2

#PC-->SPS
iptables -t nat -A POSTROUTING -o $LOCAL_IFACE -j MASQUERADE
iptables -A FORWARD -i $INET_IFACE -m state --state NEW -j ACCEPT
iptables -t nat -A PREROUTING -p icmp -i $INET_IFACE -j DNAT --to-destination 10.0.0.1

#PC<--SPS
iptables -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
iptables -A FORWARD -i $LOCAL_IFACE -o $INET_IFACE -j ACCEPT
iptables -t nat -A PREROUTING -p icmp -i $LOCAL_IFACE -o $INET_IFACE -j DNAT --to-destination 192.168.56.48

Wireshark (Raspberry PI eth0 & eth1 filter icmp):

No. Time Source Destination Protocol Length Info
21 4.538921000 192.168.56.48 192.168.70.197 ICMP 74 Echo (ping) request id=0x0001, seq=21/5376, ttl=127

No. Time Source Destination Protocol Length Info
25 4.540118000 10.0.0.2 10.0.0.1 ICMP 74 Echo (ping) request id=0x0001, seq=21/5376, ttl=126

No. Time Source Destination Protocol Length Info
26 4.540710000 10.0.0.1 10.0.0.2 ICMP 74 Echo (ping) reply id=0x0001, seq=21/5376, ttl=64

No. Time Source Destination Protocol Length Info
32 7.533461000 10.0.0.2 10.0.0.1 ICMP 102 Destination unreachable (Host unreachable) <--------------------------???????????

No. Time Source Destination Protocol Length Info
69 9.489564000 192.168.56.48 192.168.70.197 ICMP 74 Echo (ping) request id=0x0001, seq=22/5632, ttl=127

No. Time Source Destination Protocol Length Info
71 9.489905000 10.0.0.2 10.0.0.1 ICMP 74 Echo (ping) request id=0x0001, seq=22/5632, ttl=126

No. Time Source Destination Protocol Length Info
72 9.490534000 10.0.0.1 10.0.0.2 ICMP 74 Echo (ping) reply id=0x0001, seq=22/5632, ttl=64

No. Time Source Destination Protocol Length Info
86 12.483500000 10.0.0.2 10.0.0.1 ICMP 102 Destination unreachable (Host unreachable) <-----------------------------???????????

My Questions:
Why is the reply not routed to the PC? Where is the error?
How can I route the VNC-connection if the PC has a dynamic IP?

Thanks for your support
Andre

eantoranz · 05-12-2015, 12:03 AM

Ok.... let's try.

On the rp, run these commands and give us the output:

Code:

ip link show
ip addr show
ip route show
iptables -L -nv
iptables -t nat -L -nv
sysctl net.ipv4.ip_forward

On the client, run these commands both before and after connecting to the VPN:

Code:

ip link show
ip addr show
ip route show

Let's see what we can make out of that.