[H-GEN] iptables and port forwarding

Tony Nugent tony at linuxworks.com.au
Wed May 21 23:24:29 EDT 2003


[ Humbug *General* list - semi-serious discussions about Humbug and     ]
[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]

On Thu May 22 2003 at 12:13, Johann wrote:

> what I am trying to do is port forward a ssh request to machine B (eth1)
> to machine C (eth0)
> so after reading the netfilter howto and surfing the net for examples I
> chose the following iptables rule
> 
> iptables -A PREROUTING -t nat -i eth1 -d 192.168.105.201 -p tcp --dport 22 -j DNAT --to 10.0.0.200:22
> 
> however this does not do what I thought it would do, the connection just
> times out. So I am guessing that I have to do some more packet
> manipulation, but I am lost as to what that is.

> and because the final setup I want to achieve nats the internal
> to the external I also set
> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
> (which appears before the PREROUTING rule)

This will work, but for static IPs it is better to use SNAT and DNAT
rather than MASQUERADE.

(The iptables howto talks about the differences: the MASQUERADE
target is for dynamic IPs with the conntrack code dropping any
connections if the link goes down, while SNAT and DNAT attempt to
maintain connections with static IPs).

> any ideas?

A routing issue?  What is the output of "/sbin/ip route" on the box
doing the port-forwarding?  Does it show the necessary routes to
allow this to happen?  Does the 10.0.0.200 box have a route back to
the originating one?

Also check the output of tcpdump to see what is happening (one
instance on each interface on the router).

You can also continuously monitor the output of "iptables -nvL" to
see what rules are getting packet hits...

	showiptables () { iptables -nvL ; echo ; iptables -t nat -nvL ; }
	export -f showiptables
	watch showiptables

> thanks in advance

With the right magic spells, you'll be able to get this working.

> Johann

Cheers
Tony

--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'.  See http://www.humbug.org.au/
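The thread quotes only the DNAT rule and a MASQUERADE rule; a port forward of this kind also depends on IP forwarding being enabled and on the filter FORWARD chain accepting the rewritten packet. The script below is an added example, not code from the thread or its author: it prints (does not execute) one complete rule set for a static-IP forward, using the interface names and addresses quoted above. The exact rule set is an assumption of how such a forward is normally built, so review it against the local policy before applying it.

```shell
#!/bin/sh
# Added example (not from the original thread). Emits the full set of
# commands for forwarding a TCP port on a router's outside address to an
# inside host: IP forwarding, DNAT on the way in, FORWARD acceptance, and
# SNAT on the way out. Interfaces and addresses are the ones quoted in the
# thread; nothing here is executed, the output is meant to be reviewed
# first and then run as root.

# forward_rules EXT_IF EXT_IP INT_IF INT_HOST PORT
# Prints one iptables/sysctl command per line for forwarding TCP PORT
# arriving on EXT_IF at EXT_IP to INT_HOST on INT_IF.
forward_rules() {
    ext_if=$1; ext_ip=$2; int_if=$3; int_host=$4; port=$5

    # 0. A DNATed packet is routed rather than delivered locally, so
    #    forwarding must be on or the kernel drops it without a trace.
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"

    # 1. Rewrite the destination before routing (nat/PREROUTING).
    #    --to-destination with an explicit port keeps the rewrite narrow.
    echo "iptables -t nat -A PREROUTING -i $ext_if -d $ext_ip -p tcp --dport $port -j DNAT --to-destination $int_host:$port"

    # 2. The rewritten packet then crosses filter/FORWARD, which sees the
    #    post-DNAT address, so the accept rule matches on INT_HOST. With a
    #    DROP policy there, DNAT alone yields a connection that times out.
    #    The second rule lets the replies back using connection state.
    echo "iptables -A FORWARD -i $ext_if -o $int_if -d $int_host -p tcp --dport $port -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $int_if -o $ext_if -s $int_host -p tcp --sport $port -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # 3. Source NAT for inside hosts going out: SNAT to the fixed outside
    #    address rather than MASQUERADE, as the reply above recommends.
    echo "iptables -t nat -A POSTROUTING -o $ext_if -j SNAT --to-source $ext_ip"
}

# rule_count: number of commands a forward produces (quick sanity check).
rule_count() {
    forward_rules "$@" | wc -l | tr -d ' '
}

# Print the commands for the setup quoted in the thread.
forward_rules eth1 192.168.105.201 eth0 10.0.0.200 22
```

To apply, pipe the printed commands into a root shell (`forward_rules ... | sh`). The two FORWARD rules must appear before any catch-all DROP rule in that chain, and `iptables -nvL` as shown in the reply will then show the packet counters on them climbing as connections come through.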
