I have been tearing my hair out with this (and not enough left to keep going).
I have a linux box
(Linux raspberrypi 3.2.27+ #285 PREEMPT Tue Nov 20 17:49:40 GMT 2012 armv6l GNU/Linux "Debian GNU/Linux wheezy/sid")
Single ethernet interface in a heavily filtered DMZ with external ports fwd'd that can access an internal IP's (different subnet).
I want to forward the traffic. Should be simple I thought and in fact I have it working using 'nc' as a 'one hit' as follows
Code:
mkfifo backpipe
nc -l 80 0<backpipe | nc 172.16.100.102 80 1>backpipe
But I need this to be a permanent fwd. So after much googling tried to set up iptables to do this.
IP of pi is 192.168.1.8 it has an external IP with management port and port 80 fwd's at the router to the internal ip. The IP of the service I am trying to fwd to is 172.16.100.102 which is accessible as I said above from the PI (but not explicitly in the pi's routing table, just accessible via the default route)
I have enabled fwd'ing on the eth0 interface
Code:
"echo '1' > /proc/sys/net/ipv4/conf/eth0/forwarding"
I have tried several slightly different rulesets but feel the following is the closest
Code:
iptables -t nat -A PREROUTING --dst 192.168.1.8 -p tcp --dport 80 -j DNAT --to-destination 172.16.100.102:80
iptables -t nat -A POSTROUTING -p tcp --dst 172.16.100.102 --dport 80 -j SNAT --to-source 192.168.1.8
iptables -t nat -A OUTPUT --dst 192.168.1.8 -p tcp --dport 80 -j DNAT --to-destination 172.16.100.102:80
this gives me the following info
Code:
root@raspberrypi:/home/pi# iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 1 packets, 78 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.8 tcp dpt:80 to:172.16.100.102:80
Chain INPUT (policy ACCEPT 1 packets, 78 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 2 packets, 152 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.8 tcp dpt:80 to:172.16.100.102:80
Chain POSTROUTING (policy ACCEPT 2 packets, 152 bytes)
pkts bytes target prot opt in out source destination
0 0 SNAT tcp -- * * 0.0.0.0/0 172.16.100.102 tcp dpt:80 to:192.168.1.8
I know it's working to an extent (that is doing something to port 80) as if I have the port open and logging ( nc -l localhost 80 > log.txt ) and then implement the iptables rules above I can no longer connect to port 80 until I purge the rules again.
I also notice that iptables doesn't seem to actually 'open' the port.
So questions are twofold.
1) do I have to activate a service to open the port so that the iptables rules can then apply or is there a way to have iptables open the port?
2) how do I make this damn thing work?
Any input greatly appreciated.