[ale] port forwarding for iptables.

Jim Kinney jim.kinney at gmail.com
Tue Jun 9 14:36:40 EDT 2009


On Tue, Jun 9, 2009 at 2:23 PM, JK<jknapka at kneuro.net> wrote:
> Jim Kinney wrote:
>> You need to add the reverse forward to get the data back to the original system.
>>
>> sysA port A -> iptables -> sysB port B to send data
>> sysB port B -> iptables -> sysA port A to receive data
>
>
> No, the DNAT target should handle this automagically.

I had problems doing this with a port change a (long) while back so I
still set up a static return path. But, yes, DNAT should handle it
automatically.
>
> What you DO need, though, is:
>
> * Your FORWARD chain on the router has to be accepting this traffic; and

for some feeble-minded reason I thought the state flag was set by the
DNAT and thus is now acceptable by the --state ESTABLISHED,RELATED
line from my prior post. Or maybe I do have an explicit route through
for a port change dnat.

Hmm. I checked one machine and it has explicit FORWARD rules (and it's
known to work) and another machine has only an ESTABLISHED rule and I
can't recall as the receiving system is gone (and I have now closed
that door - oops!). I'm assuming it worked since it was done a long
time ago.

But yes, the FORWARD rule will certainly work.
>
> * You may also need a *route* on the target machine to get the traffic
> back to the source, if the target machine doesn't know how to route traffic
> to that host.  Or you could SNAT the forwarded traffic so the target machine
> thinks it's coming from the router doing the forwarding.  I've used both of
> those techniques, and I prefer to use standard routing rather than SNAT
> when that's feasible.
>
> (I have an unreasonably complicated network at home, and have to deal
> with this stuff all the time :-P  )
>
> -- JK
>
>
>> It is possible to do this with -m state --state RELATED,ESTABLISHED -j ACCEPT
>> I think it needs to be in the FORWARD/INPUT chain in filter table.
>> (INPUT if the iptables machine is one of the sysA/sysB machines,
>> FORWARD if just an intermediary machine).
>>
>> This will also need the ip_conntrack (connection tracking) module.
>>
>> On Tue, Jun 9, 2009 at 1:52 PM, Atlanta Geek<atlantageek at gmail.com> wrote:
>>> The log fix was correct.  Thanks Jim,
>>> I now see my PREROUTING log showing up
>>> But the forwarding does not appear to be working.  Any suggestions?
>>>
>>> On Tue, Jun 9, 2009 at 1:42 PM, JK<jknapka at kneuro.net> wrote:
>>>> Jim Kinney wrote:
>>>>> all of the -j LOG calls will never trigger because the packet has
>>>>> already left the chain due to the line before it with the -j ACCEPT or
>>>>> -j DNAT. Put the log before the jump call.
>>>>>
>>>>> -j REDIRECT is what you want to use. DNAT is for IP address. REDIRECT
>>>>> is for port forwarding.
>>>>
>>>> If I am not mistaken, REDIRECT only allows you to forward to a port on
>>>> the local machine.  If you want to forward on to another machine, you
>>>> need DNAT.  "man iptables" backs me up on this, yay.
>>>>
>>>> -- JK
>>>>
>>>> --
>>>> Still sigless.
>>>> _______________________________________________
>>>> Ale mailing list
>>>> Ale at ale.org
>>>> http://mail.ale.org/mailman/listinfo/ale
>>>>
>>>
>>>
>>> --
>>> http://www.atlantageek.com
>>>
>>>
>>
>>
>>
>
>
> --
> A closed mouth gathers no feet.
>



-- 
James P. Kinney III
Actively in pursuit of Life, Liberty and Happiness
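The rule set the thread converges on, as an added shell example that is not code from any of the posters: a LOG placed before the terminating DNAT, an explicit FORWARD accept plus the conntrack return-traffic rule, and JK's optional SNAT for a target with no route back to the client. Interface names and addresses are placeholders; `-m conntrack --ctstate` is the current spelling of the thread's `-m state --state`, and the `ip_forward` sysctl is an addition the thread does not mention but forwarding requires.

```shell
#!/bin/sh
# Added example, not from the thread: emit the iptables rules for forwarding
# TCP EXT_PORT on the router's WAN interface to TARGET_IP:TARGET_PORT.
# Ordering follows the thread: LOG before DNAT (DNAT is terminating, LOG is
# not), then FORWARD accepts for the new flow and for conntrack return traffic,
# plus an optional SNAT for targets with no route back to the client.
# Usage: gen_portforward WAN_IF EXT_PORT TARGET_IP TARGET_PORT [SNAT_SOURCE]
gen_portforward() {
    wan_if=$1 ext_port=$2 target_ip=$3 target_port=$4 snat_src=$5

    # Routing between interfaces must be enabled or FORWARD never sees traffic.
    echo "sysctl -w net.ipv4.ip_forward=1"
    # LOG first: a packet that hits DNAT leaves the PREROUTING chain there.
    echo "iptables -t nat -A PREROUTING -i $wan_if -p tcp --dport $ext_port" \
         "-j LOG --log-prefix \"pf-$ext_port: \""
    echo "iptables -t nat -A PREROUTING -i $wan_if -p tcp --dport $ext_port" \
         "-j DNAT --to-destination $target_ip:$target_port"
    # FORWARD runs after DNAT, so match on the rewritten destination.
    echo "iptables -A FORWARD -i $wan_if -p tcp -d $target_ip --dport $target_port" \
         "-m conntrack --ctstate NEW -j ACCEPT"
    # Replies (and related flows) come back via conntrack; no reverse DNAT needed.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Only when the target cannot route back to the client: make the flow
    # appear to come from the router's LAN address (the target then no longer
    # sees the real client address in its own logs).
    if [ -n "$snat_src" ]; then
        echo "iptables -t nat -A POSTROUTING -p tcp -d $target_ip --dport $target_port" \
             "-j SNAT --to-source $snat_src"
    fi
}

# Apply on the router as root; review the output of gen_portforward first.
apply_portforward() { gen_portforward "$@" | sh; }
```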
