[ale] port forwarding for iptables.

Atlanta Geek atlantageek at gmail.com
Tue Jun 9 14:57:13 EDT 2009


One last note.  Right now the Client (doing the telnet), the proxy
server (running iptables) and the server (final destination of
traffic) are all on the same network.


On Tue, Jun 9, 2009 at 2:52 PM, Jim Kinney<jim.kinney at gmail.com> wrote:
> Hmm. More thoughts. Is the receiving system open to receive traffic on
> the DNAT port?
>
> On Tue, Jun 9, 2009 at 2:38 PM, JK<jknapka at kneuro.net> wrote:
>> [Following-up myself.]
>>
>> Hmm, actually I think we may be saying similar things in different
>> words.
>>
>> Assuming the forward traffic IS in fact getting through router/forwarder
>> machine R and on to destination host:port D:P (which can be verified with
>> tcpdump as I mentioned earlier), then the problem is most likely to be that
>> host D doesn't know how to get reply traffic back to the originating
>> host O.  DNAT does not change the SOURCE IP, so chances are D merely
>> needs a route for O pointing to the router machine R.
>>
>> This SHOULD not require anything further on R to work, since presumably
>> R is already accepting traffic forwarded between D and the outside
>> world. Also the DNAT rule should automagically take care of all
>> necessary address rewriting on connections that it concerns itself
>> with, including replacing D's IP with R's in reply traffic.
>>
>> -- JK
>>
>> JK wrote:
>>> Jim Kinney wrote:
>>>> You need to add the reverse forward to get the data back to the original system.
>>>>
>>>> sysA port A -> iptables -> sysB port B to send data
>>>> sysB port B -> iptables -> sysA port A to receive data
>>>
>>>
>>> No, the DNAT target should handle this automagically.
>>>
>>> What you DO need, though, is:
>>>
>>> * Your FORWARD chain on the router has to be accepting this traffic; and
>>>
>>> * You may also need a *route* on the target machine to get the traffic
>>> back to the source, if the target machine doesn't know how to route traffic
>>> to that host.  Or you could SNAT the forwarded traffic so the target machine
>>> thinks it's coming from the router doing the forwarding.  I've used both of
>>> those techniques, and I prefer to use standard routing rather than SNAT
>>> when that's feasible.
>>>
>>> (I have an unreasonably complicated network at home, and have to deal
>>> with this stuff all the time :-P  )
>>>
>>> -- JK
>>>
>>>
>>>> It is possible to do this with -m state --state RELATED,ESTABLISHED -j ACCEPT
>>>> I think it needs to be in the FORWARD/INPUT chain in filter table.
>>>> (INPUT if the iptables machine is one of the sysA/sysB machines,
>>>> FORWARD if just an intermediary machine).
>>>>
>>>> This will also need ip_conntrack (connection tracking) module
>>>>
>>>> On Tue, Jun 9, 2009 at 1:52 PM, Atlanta Geek<atlantageek at gmail.com> wrote:
>>>>> The log fix was correct.  Thanks Jim,
>>>>> I now see my PREROUTING log showing up
>>>>> But the forwarding does not appear to be working.  any suggestions?
>>>>>
>>>>> On Tue, Jun 9, 2009 at 1:42 PM, JK<jknapka at kneuro.net> wrote:
>>>>>> Jim Kinney wrote:
>>>>>>> all of the -j LOG calls will never trigger because the packet has
>>>>>>> already left the chain due to the line before it with the -j ACCEPT or
>>>>>>> -j DNAT. Put the log before the jump call.
>>>>>>>
>>>>>>> -j REDIRECT is what you want to use. DNAT is for IP address. REDIRECT
>>>>>>> is for port forwarding.
>>>>>> If I am not mistaken, REDIRECT only allows you to forward to a port on
>>>>>> the local machine.  If you want to forward on to another machine, you
>>>>>> need DNAT.  "man iptables" backs me up on this, yay.
>>
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>>
>
>
>
> --
> --
> James P. Kinney III
> Actively in pursuit of Life, Liberty and Happiness
>



-- 
http://www.atlantageek.com
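The thread above settles on a recipe: a DNAT rule in nat/PREROUTING with any LOG rule placed before the terminating jump, a FORWARD chain that accepts the forwarded flow plus RELATED,ESTABLISHED replies (which needs connection tracking), and either a return route on the destination host D pointing at router R or an SNAT rule on R. The script below is an added example, not written by any participant in the thread; it emits that rule set for a constructed topology (all addresses, ports and the client network are placeholders) and includes a small lint function, also my own, that catches the exact ordering mistake Jim pointed out: a `-j LOG` with the same match as a preceding `-j ACCEPT`/`-j DNAT` in the same chain, which can never fire.

```shell
#!/bin/sh
# Added example: DNAT port-forward through router R to host D, plus a lint
# for "LOG after a terminating target" in the same chain.
# All addresses/ports below are constructed placeholders, not from the thread.

R_WAN_IP="${R_WAN_IP:-203.0.113.10}"   # R: address the client O connects to
R_LAN_IP="${R_LAN_IP:-192.168.50.1}"   # R: address on D's network
D_IP="${D_IP:-192.168.50.20}"          # destination host D
FWD_PORT="${FWD_PORT:-2323}"           # port O connects to on R
D_PORT="${D_PORT:-23}"                 # port P on D (telnet in the thread)
USE_SNAT="${USE_SNAT:-no}"             # "yes": rewrite source to R so D needs no route

# Print the iptables commands for R, one per line, without running them.
# To apply as root:  dnat_rules | sh
dnat_rules() {
  # LOG is non-terminating, so it must come BEFORE the DNAT jump.
  echo "iptables -t nat -A PREROUTING -d $R_WAN_IP -p tcp --dport $FWD_PORT -j LOG --log-prefix 'DNAT-in: '"
  echo "iptables -t nat -A PREROUTING -d $R_WAN_IP -p tcp --dport $FWD_PORT -j DNAT --to-destination $D_IP:$D_PORT"
  # Reply traffic of tracked connections; requires the conntrack module.
  echo "iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT"
  # The new flow towards D, seen by FORWARD after DNAT rewrote the destination.
  echo "iptables -A FORWARD -d $D_IP -p tcp --dport $D_PORT -m state --state NEW -j ACCEPT"
  if [ "$USE_SNAT" = "yes" ]; then
    # Make D see R as the source, so D's default route no longer matters.
    echo "iptables -t nat -A POSTROUTING -d $D_IP -p tcp --dport $D_PORT -j SNAT --to-source $R_LAN_IP"
  fi
}

# Without SNAT, DNAT leaves O's source address intact, so D needs a route
# back to O's network via R. Print the command to run ON D (not on R).
# $1 is the client network in CIDR form (placeholder supplied by the caller).
reply_route_for_d() {
  echo "ip route add $1 via $R_LAN_IP"
}

# Read iptables commands on stdin. Flag any "-j LOG" whose match expression
# (everything before -j) is identical to an earlier rule in the same table/chain
# that jumped to a terminating target: that LOG rule is unreachable.
# Exit status 0 = clean, 1 = at least one unreachable LOG rule.
lint_log_order() {
  awk '
    {
      spec = ""; target = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "-j") { target = $(i + 1); break }
        spec = spec " " $i
      }
      if (target == "LOG" && (spec in seen)) {
        print "unreachable LOG on line " NR ": same match already jumped to " seen[spec]
        bad = 1
      }
      if (target ~ /^(ACCEPT|DROP|REJECT|DNAT|SNAT|REDIRECT|MASQUERADE)$/) seen[spec] = target
    }
    END { exit bad ? 1 : 0 }
  '
}
```

Run `dnat_rules | lint_log_order` to check the generated set, or feed it an existing listing such as `iptables-save`-style output converted to commands. `-m state` is kept because the thread uses it; on current kernels `-m conntrack --ctstate` is the preferred spelling and the lint does not care which one appears.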


