I have read a lot of tutorials and examples for setting up port forwarding. Most of them describe a setup with computers connected to a router that is connected to the internet. My setup is much simpler. I have a Windows PC, a linux machine, and an embedded device. I am trying to use the linux machine as a router between the Windows PC and the embedded device:

PC <---> eth0 Linux eth1 <---> Embedded System

Here are the IP addresses:

PC: 192.168.220.1
eth0: 192.168.220.2
eth1: 192.168.240.1
ES: 192.168.240.10 (hardcoded)

I setup eth0 and eth1 to be on different networks because they are physically located on the same linux machine. And I've set:

echo 1 > /proc/sys/net/ipv4/ip_forward

I've located the /etc/sysconfig/iptables config file, and I've tried setting up port forwarding according to the many different tutorials I've found online. None of them seem to work! I need at least FTP and SNMP to work, and it would be nice if I could ping the embedded system as well. I know there are much easier ways to setup communication between the PC and the embedded system than using port forwarding. Why I'm doing it this way would take awhile to explain! Simply using gateway addresses will cause network conflicts for the bigger design.

If someone could help me setup my iptables config file, I think that should be enough for me to get started. I've been at this for about a week, and I still don't really understand the iptables options.

Thanks

How looks routes on PC? Did you add route to 192.168.240.10 to PC? It must known that it will go through 192.168.220.2 gateway and proper interface.

How do I add routes to the PC? I am trying to use Linux machine as the router, and I don't want to configure anything on the PC.

Using this as a guide:

http://www.linuxhomenetworking.com/w...Using_iptables

I'm attempting to use NAT to make the Embedded System server 192.168.240.10 on the 192.168.240.xxx network appear as IP address 192.168.220.100 on the 192.168.220.xxx network. All communication to the embedded system 192.168.240.10 will be done using this new IP address 192.168.220.100.

iptables -t nat -A PREROUTING -d 192.168.220.100 -i eth0 -j DNAT --to-destination 192.168.240.10
iptables -t nat -A POSTROUTING -s 192.168.240.10 -o eth0 -j SNAT --to-source 192.168.220.100

iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.240.10 --dports 7:65535 -m state --state NEW -j ACCEPT
iptables -A FORWARD -t filter -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -t filter -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT


I'm not at work so I'll have to try this tomorrow... does this look like I'm getting closer?

As I said before, by first, PC must to known where it should send packets, so it must be configured.

Please post output of "route -n" on that PC. If you want all communication from PC go through Debian router its default route must be configured as I suppose its eth0 interface is connected to Debian router eth0. Please clarify if this PC has more intefaces or should not transfer whole communication by Debian router.

'route -n' does not seem to work... but I think that 'route print' is the output that you were looking for? the interface that I have connected to linux 'eth0' is 'Ethernet adapter Local Area Connection 2'

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Louis>
C:\Documents and Settings\Louis>ipconfig

Windows IP Configuration


Ethernet adapter Wireless Network Connection:

Connection-specific DNS Suffix . : guest
IP Address. . . . . . . . . . . . : 192.168.1.146
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.220.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :

C:\Documents and Settings\Louis>
C:\Documents and Settings\Louis>
C:\Documents and Settings\Louis>
C:\Documents and Settings\Louis>
C:\Documents and Settings\Louis>route PRINT
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x4 ...00 24 d6 94 bf a0 ...... Intel(R) WiFi Link 5100 AGN - Packet Scheduler Miniport
0x5 ...00 26 b9 c5 5d 39 ...... Intel(R) 82567LM Gigabit Network Connection - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.146 25
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.146 192.168.1.146 25
192.168.1.146 255.255.255.255 127.0.0.1 127.0.0.1 25
192.168.1.255 255.255.255.255 192.168.1.146 192.168.1.146 25
192.168.220.0 255.255.255.0 192.168.220.1 192.168.220.1 20
192.168.220.1 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.220.255 255.255.255.255 192.168.220.1 192.168.220.1 20
224.0.0.0 240.0.0.0 192.168.1.146 192.168.1.146 25
224.0.0.0 240.0.0.0 192.168.220.1 192.168.220.1 20
255.255.255.255 255.255.255.255 192.168.1.146 192.168.1.146 1
255.255.255.255 255.255.255.255 192.168.220.1 192.168.220.1 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None

C:\Documents and Settings\Louis>

So, as you see, when PC want to send packets to 192.168.220.100 it sends it to 192.168.220.1 (self) but should to 192.168.220.2 (your Debian router). It doesn't even known of existing your router in the network.

Sorry, but I don't known how to configure routes on Windows. Search Internet for this or maybe other guys from LQ can help you. Also it has other interfaces, so you probably do not want transfer all communication by your Debian router, but only for host 192.168.220.100. You can also start a DHCP service on the router (for example dnsmasq), so Windows using it automaticaly configure own routes.

P.S. Please use a CODE tags around your copy/paste text, as without it, it is difficult to read.

Why not just turn on routing on the Linux computer and directly access the IP of the embeeded device from the windows computer using linux as the router?

On the linux box set:
"FORWARD_IPV4=true" in /etc/sysconfig/network

on the windows box:
route add 192.168.240.0 mask 255.255.255.0 192.168.220.2 metric 2

Use the above for testing if it works add -p to make it persistent on windows.

All that port forwarding just seems messy.

It should beHe want to see this embedded system as 192.168.220.100 from Windows side.

My suggestion was to avoid the port forwarding because of (IMHO) additional complexity that is not needed.

This worked out for me! Now I need to figure out how to do this dynamically. The IP address on my Linux eth0 is going to be set with a DHCP server...

Sorry about not using the CODE tags, thanks for the tip! -N00B!

Sorry there was a typo in my solution! in the last line i have '--to-souce' and that should be '--to-source'

Hello Lmorda.

The reason that your SNAT rule is requiered is because the "embeded device" does not know where to send return traffic that originated on the 192.168.220.0/24 network. If you set the default gateway on the embeded device to 192.168.240.1 then will be able to drop that rule from IP tables.

Once you have set the default gateway, this script should work, even if your IP address on the eth0 network changes.

With that said, I would suggest that you isolate exaclty which traffic you need to deliver to the embeded device and create specific rules for it. Otherwise you will not be able to access the Linux box from the external network.

Unfortunately I can't access the network configuration on the embedded device. The IP address and the subnet mask and the default gateway are hardcoded!

The routed solution I suggested should fix this problem if you you have the IP of the linux box on the interface connected to the embedded box set as the hard coded gateway.

IP on Linux box eth1 = hardcoded gateway from embeded device.

Don't forget to set FORWARD_IPV4=true as mentioned in my previous post.