[ale] port forwarding for iptables.

Jim Kinney jim.kinney at gmail.com
Tue Jun 9 14:05:33 EDT 2009


You need to add the reverse forward to get the data back to the original system.

sysA port A -> iptables -> sysB port B to send data
sysB port B -> iptables -> sysA port A to receive data

It is possible to do this with -m state --state RELATED,ESTABLISHED -j ACCEPT
I think it needs to be in the FORWARD/INPUT chain in the filter table.
(INPUT if the iptables machine is one of the sysA/sysB machines,
FORWARD if just an intermediary machine).

This will also need the ip_conntrack (connection tracking) module.

On Tue, Jun 9, 2009 at 1:52 PM, Atlanta Geek<atlantageek at gmail.com> wrote:
> The log fix was correct.  Thanks Jim,
> I now see my PREROUTING log showing up
> But the forwarding does not appear to be working.  any suggestions?
>
> On Tue, Jun 9, 2009 at 1:42 PM, JK<jknapka at kneuro.net> wrote:
>> Jim Kinney wrote:
>>> all of the -j LOG calls will never trigger because the packet has
>>> already left the chain due to the line before it with the -j ACCEPT or
>>> -j DNAT. Put the log before the jump call.
>>>
>>> -j REDIRECT is what you want to use. DNAT is for IP address. REDIRECT
>>> is for port forwarding.
>>
>>
>> If I am not mistaken, REDIRECT only allows you to forward to a port on
>> the local machine.  If you want to forward on to another machine, you
>> need DNAT.  "man iptables" backs me up on this, yay.
>>
>> -- JK
>>
>> --
>> Still sigless.
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>>
>
>
>
> --
> http://www.atlantageek.com
>



-- 
James P. Kinney III
Actively in pursuit of Life, Liberty and Happiness