[ale] port forwarding for iptables.

JK jknapka at kneuro.net
Tue Jun 9 14:38:37 EDT 2009


[Following-up myself.]

Hmm, actually I think we may be saying similar things in different
words.

Assuming the forward traffic IS in fact getting through router/forwarder
machine R and on to destination host:port D:P (which can be verified with
tcpdump as I mentioned earlier), then the problem is most likely to be that
host D doesn't know how to get reply traffic back to the originating
host O.  DNAT does not change the SOURCE IP, so chances are D merely
needs a route for O pointing to the router machine R.

This SHOULD not require anything further on R to work, since presumably
R is already accepting traffic forwarded between D and the outside
world. Also the DNAT rule should automagically take care of all
necessary address rewriting on connections that it concerns itself
with, including replacing D's IP with R's in reply traffic.

-- JK

JK wrote:
> Jim Kinney wrote:
>> You need to add the reverse forward to get the data back to the original system.
>>
>> sysA port A -> iptables -> sysB port B to send data
>> sysB port B -> iptables -> sysA port A to receive data
> 
> 
> No, the DNAT target should handle this automagically.
> 
> What you DO need, though, is:
> 
> * Your FORWARD chain on the router has to be accepting this traffic; and
> 
> * You may also need a *route* on the target machine to get the traffic
> back to the source, if the target machine doesn't know how to route traffic
> to that host.  Or you could SNAT the forwarded traffic so the target machine
> thinks it's coming from the router doing the forwarding.  I've used both of
> those techniques, and I prefer to use standard routing rather than SNAT
> when that's feasible.
> 
> (I have an unreasonably complicated network at home, and have to deal
> with this stuff all the time :-P  )
> 
> -- JK
> 
> 
>> It is possible to do this with -m state --state RELATED,ESTABLISHED -j ACCEPT
>> I think it needs to be in the FORWARD/INPUT chain in filter table.
>> (INPUT if the iptables machine is one of the sysA/sysB machines,
>> FORWARD if just an intermediary machine).
>>
>> This will also need ip_conntrack (connection tracking) module
>>
>> On Tue, Jun 9, 2009 at 1:52 PM, Atlanta Geek<atlantageek at gmail.com> wrote:
>>> The log fix was correct.  Thanks Jim,
>>> I now see my PREROUTING log showing up
>>> But the forwarding does not appear to be working.  any suggestions?
>>>
>>> On Tue, Jun 9, 2009 at 1:42 PM, JK<jknapka at kneuro.net> wrote:
>>>> Jim Kinney wrote:
>>>>> all of the -j LOG calls will never trigger because the packet has
>>>>> already left the chain due to the line before it with the -j ACCEPT or
>>>>> -j DNAT. Put the log before the jump call.
>>>>>
>>>>> -j REDIRECT is what you want to use. DNAT is for IP address. REDIRECT
>>>>> is for port forwarding.
>>>> If I am not mistaken, REDIRECT only allows you to forward to a port on
>>>> the local machine.  If you want to forward on to another machine, you
>>>> need DNAT.  "man iptables" backs me up on this, yay.


