Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 12-16-2012, 04:47 PM   #1
LQ Newbie
Registered: Jan 2007
Posts: 7

Rep: Reputation: 0
n00b iptables NAT help

I'm an iptables n00b and have a scenario I need some help with. I'll try my best to explain clearly.

I have 2 boxes.

Box1:
* eth0 (public IP)
* /26 (public), I'll refer to these as Box1Public1, Box1Public2, Box1Public3 etc. Different network to eth0

Box2:
* eth0 (public IP) - different network to Box1
* /24 (private), I'll refer to them as Box2Private1, Box2Private2, Box2Private3 etc.

I'm trying to set up rules to NAT a few of the Box1 public addresses to Box2's private addresses.


RandomBox SSH => Box1Public1 => (nat on Box1) => Box2 => (nat on Box2) => Box2Private1

So far I have managed to get the first NAT to work, i.e. I am reaching Box2, but how do I get to the private IP of Box2?
I used the following on Box1:
iptables -t nat -A PREROUTING -p tcp -d <Box1Public1> -j DNAT --to-destination <Box2Eth0>
iptables -t nat -A POSTROUTING -j MASQUERADE

So now I am getting the packets onto Box2, I need to identify them as having gone through Box1Public1 in order to NAT again to the correct Private IP.

Am I using the right approach by using DNAT? I'm guessing I can't modify the source address, as then the packets would never get back to the originating address.

Any pointers?

Thanks for reading.
Old 12-21-2012, 06:11 AM   #2
Registered: May 2011
Location: Nottingham, UK
Distribution: Debian
Posts: 178

Rep: Reputation: 34
NAT can be a bitch to get right

"I'm guessing I can't modify the source address as then the packets would never get back to the originating address."
You should NAT the source too, as the connection needs to go back through Box1. Otherwise RandomBox will get a reply to an SSH request from an unexpected IP and will drop it.

What I did in a similar situation was make a VPN between the two servers and save myself some natting.
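As an added example (my own, not code from either poster), here is a small POSIX shell script that renders the rule set for both hops from one mapping table, the way I would set this up: Box1 DNATs each public address to a distinct port on Box2 and SNATs the source to its own address so replies return through Box1 (the point made in #2), and Box2 DNATs each port back to the matching private host's SSH port. All addresses are RFC 5737 / RFC 1918 placeholders, and the variable names and port numbers are my own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Renders the iptables rule set for
# both hops from one mapping table so it can be reviewed before it is loaded.
# Addresses are placeholders (RFC 5737 / RFC 1918); variable names are assumed.
BOX1_ETH0="192.0.2.1"      # Box1's own eth0 address (placeholder)
BOX2_ETH0="198.51.100.1"   # Box2Eth0 from the post (placeholder)
# Constructed mapping: "<Box1PublicN> <unique port on Box2> <Box2PrivateN>"
MAP="192.0.2.65 2201 10.0.0.11
192.0.2.66 2202 10.0.0.12"

box1_rules() {
  echo "sysctl -w net.ipv4.ip_forward=1"
  echo "$MAP" | while read -r pub port priv; do
    # Each public address lands on its own Box2 port; that port is the marker
    # Box2 uses to tell the flows apart, since the source is rewritten below.
    echo "iptables -t nat -A PREROUTING -p tcp -d $pub --dport 22" \
         "-j DNAT --to-destination $BOX2_ETH0:$port"
    # SNAT (not a blanket MASQUERADE) only for this flow, so Box2's replies
    # return via Box1 and RandomBox sees them from the address it connected to.
    echo "iptables -t nat -A POSTROUTING -p tcp -d $BOX2_ETH0 --dport $port" \
         "-j SNAT --to-source $BOX1_ETH0"
  done
}

box2_rules() {
  echo "sysctl -w net.ipv4.ip_forward=1"
  echo "$MAP" | while read -r pub port priv; do
    # The port chosen by Box1 selects the private host; back to plain SSH.
    echo "iptables -t nat -A PREROUTING -p tcp -d $BOX2_ETH0 --dport $port" \
         "-j DNAT --to-destination $priv:22"
  done
}

# Usage: sh nat-rules.sh box1 | sh   (after reading the rendered output)
case "${1:-}" in
  box1) box1_rules ;;
  box2) box2_rules ;;
esac
```

This assumes the private hosts use Box2 as their default gateway (otherwise Box2 also needs a source NAT on its private-side interface) and that the FORWARD chain on both boxes permits these flows; the per-flow SNAT also avoids the original blanket MASQUERADE rewriting every forwarded packet on Box1.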
All times are GMT -5.