[H-GEN] iptables and port forwarding

Johann johann at spot-the-dog.com
Wed May 21 22:13:55 EDT 2003


[ Humbug *General* list - semi-serious discussions about Humbug and     ]
[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]

Hi All,
I am playing around with port forwarding, so I set up 3 machines (A=external, B=gateway, C=internal, but they aren't actually connected to anything apart from themselves). Each machine runs Red Hat 8, so a configuration diagram is thus:

eth0                    eth1                  eth0              eth1            (and an eth0 of 192.168.105.7 so I
192.168.105.6           (192.168.105.201)     (10.0.0.201)      (10.0.0.200)    access the machine directly
external,               gateway                                 internal        from A without going through B)
machine A   <------->   machine B             <-------->        machine C
gateway set to                                                  gateway set to
192.168.105.201                                                 10.0.0.201

What I am trying to do is port forward an ssh request to machine B (eth1) to machine C (eth0), so after reading the netfilter HOWTO and surfing the net for examples I chose the following iptables rule:

iptables -A PREROUTING -t nat -i eth1 -d 192.168.105.201 -p tcp --dport 22 -j DNAT --to 10.0.0.200:22

However this does not do what I thought it would do; the connection just times out. So I am guessing that I have to do some more packet manipulation, but I am lost as to what that is.


As this is not connected to the internet, hosts.deny is not set, and apart from masquerading no other iptables rules have been set. Now I can ssh to machine B and then to machine C without any problems, so the network connections are okay.

I also tried

iptables -A PREROUTING -t nat -i eth1 -d 192.168.105.201 -j DNAT --to 10.0.0.200

to see if I could port forward everything, and that also fails to work.

I have set /proc/sys/net/ipv4/ip_forward to 1

and because the final setup I want to achieve NATs the internal to the external, I also set

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
(which appears before the PREROUTING rule)

plus the default policy for all chains is ACCEPT


Now if I log iptables with

iptables -A INPUT -j LOG --log-prefix "INPUT_DROP: "
iptables -A OUTPUT -j LOG --log-prefix "OUTPUT_DROP: "


I get the following entries, without even trying to connect with anything:

May 22 12:08:30 lnxsrv kernel: OUTPUT_DROP: IN= OUT=eth0 SRC=10.0.0.201 DST=10.0.0.200 LEN=132 TOS=0x10 PREC=0x00 TTL=64 ID=46811 DF PROTO=TCP SPT=22 DPT=1034 WINDOW=9648 RES=0x00 ACK PSH URGP=0
May 22 12:08:30 lnxsrv kernel: INPUT_DROP: IN=eth0 OUT= MAC=00:40:f4:64:30:75:00:00:e8:d5:69:cb:08:00 SRC=10.0.0.200 DST=10.0.0.201 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=28542 DF PROTO=TCP SPT=1034 DPT=22 WINDOW=15008 RES=0x00 ACK URGP=0

and they seem to repeat every minute or so, which seems to indicate that packets are just dropped, but I have no idea why.

Any ideas?

Thanks in advance

Johann

--
Johann Kwiatkowski
Spot The Dog Graphics
ph: (07) 33233677
fax: (07) 33233677
mobile: 0418 797 419
web: www.spot-the-dog.com



--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'.  See http://www.humbug.org.au/
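The two kernel entries quoted above are in the standard iptables LOG target format, and the quickest way to make sense of such entries is to parse the key=value fields and look at IN/OUT: a line with only OUT set was logged in the OUTPUT chain (generated by the gateway itself), only IN set means the INPUT chain (addressed to the gateway), and both set means the FORWARD chain (transiting traffic, which is where a DNATed ssh connection would show up). Note also that `-A INPUT -j LOG` appended to a chain whose policy is ACCEPT logs every packet that reaches it, so a "_DROP" log prefix does not by itself mean anything was dropped. The following parser is an added example, not code from the post or its author; it embeds the two log lines from the post plus one constructed FORWARD-chain line (the "FWD:" prefix, its addresses and ports are made up for illustration) and groups the entries into direction-independent flows, which shows that the two quoted lines are the two halves of one existing TCP session between 10.0.0.200:1034 and 10.0.0.201:22.

```python
import re
from collections import defaultdict

# Two kernel LOG entries quoted in the post, plus one CONSTRUCTED line showing
# what a packet traversing the FORWARD chain (IN and OUT both set) looks like.
SAMPLE_LOG = """\
May 22 12:08:30 lnxsrv kernel: OUTPUT_DROP: IN= OUT=eth0 SRC=10.0.0.201 DST=10.0.0.200 LEN=132 TOS=0x10 PREC=0x00 TTL=64 ID=46811 DF PROTO=TCP SPT=22 DPT=1034 WINDOW=9648 RES=0x00 ACK PSH URGP=0
May 22 12:08:30 lnxsrv kernel: INPUT_DROP: IN=eth0 OUT= MAC=00:40:f4:64:30:75:00:00:e8:d5:69:cb:08:00 SRC=10.0.0.200 DST=10.0.0.201 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=28542 DF PROTO=TCP SPT=1034 DPT=22 WINDOW=15008 RES=0x00 ACK URGP=0
May 22 12:09:01 lnxsrv kernel: FWD: IN=eth1 OUT=eth0 SRC=192.168.105.6 DST=10.0.0.200 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=32768 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Bare tokens the LOG target emits without '=' (IP DF/MF bits and TCP flag bits).
BARE_FLAGS = {"DF", "MF", "CE", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# syslog prefix: "Mon DD HH:MM:SS host kernel: <rest>"
_HEAD = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<rest>.*)$")


def classify_path(fields):
    """IN/OUT tell you which base chain the packet was in when it was logged."""
    has_in, has_out = bool(fields.get("IN")), bool(fields.get("OUT"))
    if has_in and has_out:
        return "forwarded"   # FORWARD chain: transiting the gateway
    if has_out:
        return "local-out"   # OUTPUT chain: generated by the gateway itself
    if has_in:
        return "local-in"    # INPUT chain: addressed to the gateway itself
    return "unknown"


def parse_nflog(line):
    """Parse one syslog line produced by the iptables LOG target; None if not one."""
    m = _HEAD.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    at = rest.find("IN=")
    if at < 0:
        return None
    prefix = rest[:at].strip()  # whatever --log-prefix set, e.g. "INPUT_DROP:"
    fields, flags = {}, set()
    for tok in rest[at:].split():
        if "=" in tok:
            key, value = tok.split("=", 1)   # MAC= contains colons, so split once
            fields[key] = value
        elif tok in BARE_FLAGS:
            flags.add(tok)
    return {
        "ts": m.group("ts"),
        "host": m.group("host"),
        "prefix": prefix,
        "fields": fields,
        "flags": flags,
        "path": classify_path(fields),
    }


def flow_key(fields):
    """Direction-independent 5-tuple so both halves of a TCP session group together."""
    a = (fields.get("SRC", ""), fields.get("SPT", ""))
    b = (fields.get("DST", ""), fields.get("DPT", ""))
    return (fields.get("PROTO", ""),) + tuple(sorted([a, b]))


def summarise(log_text):
    """Group parsed lines by flow and report the chains, prefixes and TCP flags seen."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_nflog(line)
        if rec:
            flows[flow_key(rec["fields"])].append(rec)
    report = {}
    for key, recs in flows.items():
        report[key] = {
            "count": len(recs),
            "paths": sorted({r["path"] for r in recs}),
            "prefixes": sorted({r["prefix"] for r in recs}),
            "flags": sorted(set().union(*(r["flags"] for r in recs))),
        }
    return report


if __name__ == "__main__":
    for key, info in summarise(SAMPLE_LOG).items():
        print(key, info)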