Old 05-04-2015, 01:28 AM   #1
darcistern
LQ Newbie
 
Registered: Nov 2008
Posts: 13

Rep: Reputation: 0
transparent DNAT Port Forwarding with iptables


I want to forward traffic to one port to another server.

I am doing this in a lab on virtual machines; all IPs will be public addresses in production.

client 192.168.10.100 ->
server 192.168.10.200 : 1900 ->
server2 192.168.10.222 : 1900

Client connects to server on port 1900 which should forward to server2 on port 1900.

This works (on server):
iptables -t nat -I PREROUTING -p tcp -i eth0 -d 192.168.10.200 --dport 1900 -j DNAT --to 192.168.10.222:1900
iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to 192.168.10.200

The problem is server2 sees the IP of server and not the client IP.

Thanks
 
Old 05-04-2015, 03:07 PM   #2
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Rep: Reputation: 194
You need to remove the second rule; this sets all the traffic leaving to 192.168.10.200, which is why the second server sees the IP of the first server and not the client.
 
Old 05-04-2015, 04:18 PM   #3
darcistern
LQ Newbie
 
Registered: Nov 2008
Posts: 13

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by lazydog View Post
You need to remove the second rule; this sets all the traffic leaving to 192.168.10.200, which is why the second server sees the IP of the first server and not the client.
It doesn't work at all without a POSTROUTING rule, and I tried MASQUERADE and that had the same effect, with server2 getting the wrong IP.
 
Old 05-05-2015, 07:20 AM   #4
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Rep: Reputation: 194
So you want all traffic to pass through 192.168.10.200, and if that is the case then the second server is going to need to see the IP address of the first server in order to route traffic back.
 
Old 05-06-2015, 12:44 AM   #5
darcistern
LQ Newbie
 
Registered: Nov 2008
Posts: 13

Original Poster
Rep: Reputation: 0
No, only traffic destined to port 1900 should go to the second server, and the second server should see the IP of the client source.

Kind of like on a Netgear router or something, where you forward a port to a machine inside the network. I'm sure you can do this with Linux, as many routers use Linux.
 
Old 05-06-2015, 08:03 AM   #6
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Rep: Reputation: 194
That router does a DNAT and SNAT just like you are doing now. I haven't found a way at this time to do it any other way. This is required to ensure that the client will get the return traffic from the host it sent it to; otherwise the client will drop the connection.
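The following is an added example, not code posted by anyone in this thread, using the lab addresses from post #1. It generates (and optionally applies) the rule set for forwarding TCP/1900 from server to server2. Two points a practitioner would want that the thread only touches on: replies from server2 must travel back through server, and when they do (server is server2's gateway or has a route back to the client, which is an assumption of the PRESERVE_SOURCE=1 mode), no SNAT rule is needed and server2 sees the real client address; when they do not, the fallback SNAT rule is scoped to just the forwarded flow rather than to all traffic leaving eth0 as in the original second rule. The WAN_IF, APPLY and PRESERVE_SOURCE variables are assumed names for this example. The FORWARD rules assume a default-deny FORWARD policy.

```shell
#!/bin/sh
# Added example (not from the thread): DNAT port forwarding of TCP/1900
# from "server" (192.168.10.200) to "server2" (192.168.10.222).
# WAN_IF, APPLY and PRESERVE_SOURCE are assumed names for this example.

WAN_IF="${WAN_IF:-eth0}"
SERVER_IP="${SERVER_IP:-192.168.10.200}"
TARGET_IP="${TARGET_IP:-192.168.10.222}"
PORT="${PORT:-1900}"

# Print the rule set to stdout. Argument 1 = preserve the client source address
# (no SNAT; assumes server2 routes replies back through server), 0 = add an SNAT
# rule scoped to the forwarded flow only, in which case server2 sees SERVER_IP.
build_rules() {
    preserve="${1:-1}"
    cat <<EOF
# let the kernel forward packets between interfaces
sysctl -w net.ipv4.ip_forward=1
# rewrite the destination of connections arriving for ${SERVER_IP}:${PORT}
iptables -t nat -A PREROUTING -i ${WAN_IF} -p tcp -d ${SERVER_IP} --dport ${PORT} -j DNAT --to-destination ${TARGET_IP}:${PORT}
# permit only the forwarded flow and its replies through FORWARD
iptables -A FORWARD -i ${WAN_IF} -p tcp -d ${TARGET_IP} --dport ${PORT} -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s ${TARGET_IP} -p tcp --sport ${PORT} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    if [ "$preserve" != "1" ]; then
        cat <<EOF
# fallback: source-NAT only this forwarded flow, not all outbound traffic,
# so replies return via server (server2 will log ${SERVER_IP} as the client)
iptables -t nat -A POSTROUTING -o ${WAN_IF} -p tcp -d ${TARGET_IP} --dport ${PORT} -j SNAT --to-source ${SERVER_IP}
EOF
    fi
}

# Number of SNAT rules in the generated set; lets you confirm which mode you got.
count_snat() {
    build_rules "$1" | grep -c 'SNAT' || true
}

# APPLY=1 (as root) executes the rules; otherwise they are only printed for review.
if [ "${APPLY:-0}" = "1" ]; then
    build_rules "${PRESERVE_SOURCE:-1}" | sh -e
else
    build_rules "${PRESERVE_SOURCE:-1}"
fi
```

Run it without APPLY first and review the output; then `PRESERVE_SOURCE=0 APPLY=1 sh forward.sh` reproduces the thread's working (but source-hiding) setup with the SNAT narrowed to port 1900, while the default `APPLY=1` keeps the client address visible to server2, provided server2's return route goes through server.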