On Sunday 08 December 2002 01:42 am, Frank Wallingford wrote:
> Here's one I can't quite wrap my head around.
>
> iptables -t nat -A OUTPUT -d 192.168.0.100 -p tcp --dport 22 \
>     -j DNAT --to 192.168.0.200
>
> Now, I'm only trying to get this one case working:
>
> (from machine 192.168.0.100:) ssh 192.168.0.100
>
> and I'd like it to connect to 192.168.0.200. I'm not sure why it
> isn't.
>
> From what I understand, this should be the case:
>
> (1) The packet starts as
>     SOURCE: 192.168.0.100:port_a (some random port)
>     DEST:   192.168.0.100:22
> (2) While traversing the OUTPUT chain in the NAT table, it's changed:
>     SOURCE: 192.168.0.100:port_a
>     DEST:   192.168.0.200:22
> (3) The packet is sent out
> (4) Host 192.168.0.200 sees it and sends the reply
>     SOURCE: 192.168.0.200:22
>     DEST:   192.168.0.100:port_a
> (5) The packet arrives, and is un-snat'd:
>     SOURCE: 192.168.0.100:22
>     DEST:   192.168.0.100:port_a
> (6) The local process sees a reply from the local machine, and accepts
>     it.
>
> What's actually happening is that it's getting as far as (4), and the
> reply comes in, but the local process doesn't accept it. I'm guessing
> this is because it wasn't un-snat'd correctly, or I'm doing something
> wrong.

Are you sure you are allowing it through the INPUT chain? You can confirm
whether or not it is reaching that point with two log rules, one as first in
PREROUTING, one as first in INPUT. If it hits both, then it is likely being
dropped in INPUT, but is getting unDNATted properly. If it gets here, check
the info on the packet logged at the INPUT chain and make sure that you have a
rule to allow it through.

j
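The two LOG rules j suggests, written out as an added example; this is not code from the original thread. It assumes Frank's addresses (real server 192.168.0.200, sshd on port 22). The first rule goes in the mangle table's PREROUTING chain rather than the nat table's, because the nat table is consulted only for the first packet of a connection and the reply packets being traced belong to an already established one; the second rule goes first in filter INPUT. The DRY_RUN switch, the helper names and the two sample kernel log lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original thread: the two LOG rules the reply
# suggests, bracketing the step where conntrack un-DNATs the reply packets.
# Assumes Frank's setup: real server 192.168.0.200, sshd on port 22.
#
#   PREROUTING (mangle)  -> logs the reply as it arrives, SRC=192.168.0.200
#   [conntrack reverses the DNAT]
#   INPUT (filter)       -> logs the reply as the socket would see it;
#                           SRC should now read 192.168.0.100
#
# The mangle table is used for the first rule because the nat table is only
# consulted for the first packet of a connection; a LOG rule in nat
# PREROUTING would never see these reply packets.

IPTABLES="${IPTABLES:-iptables}"

# run CMD ARGS...: execute, or just print when DRY_RUN is set (lets the rules
# be reviewed, or tested, on a box without root or iptables). DRY_RUN is a
# convention of this example, not an iptables feature.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# add_trace_rules SERVER PORT: insert both LOG rules at position 1.
# The INPUT rule deliberately matches on the source port only: the source
# address is the field the un-DNAT step rewrites, so it must not be part of
# the match if the log is to show what actually arrived.
add_trace_rules() {
    run "$IPTABLES" -t mangle -I PREROUTING 1 -p tcp -s "$1" --sport "$2" \
        -j LOG --log-prefix "pre-unDNAT: "
    run "$IPTABLES" -I INPUT 1 -p tcp --sport "$2" \
        -j LOG --log-prefix "at-INPUT: "
}

# del_trace_rules SERVER PORT: remove the same two rules again.
del_trace_rules() {
    run "$IPTABLES" -t mangle -D PREROUTING -p tcp -s "$1" --sport "$2" \
        -j LOG --log-prefix "pre-unDNAT: "
    run "$IPTABLES" -D INPUT -p tcp --sport "$2" \
        -j LOG --log-prefix "at-INPUT: "
}

# src_of LOGLINE: pull the SRC= address out of a kernel LOG line.
src_of() {
    printf '%s\n' "$1" | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p'
}

# undnat_ok PRE_LINE INPUT_LINE EXPECTED_SRC: succeed when the address logged
# at INPUT has been rewritten to EXPECTED_SRC (the address the client
# connected to) and differs from the one logged before translation.
undnat_ok() {
    pre_src=$(src_of "$1")
    in_src=$(src_of "$2")
    if [ -z "$pre_src" ] || [ -z "$in_src" ]; then
        return 2            # one of the lines is not a LOG line
    fi
    if [ "$in_src" = "$3" ] && [ "$in_src" != "$pre_src" ]; then
        return 0
    fi
    return 1
}

# Constructed sample log lines (not captured from Frank's host) showing what
# a correct un-DNAT looks like: same reply, SRC rewritten between the hooks.
SAMPLE_PRE='kernel: pre-unDNAT: IN=eth0 OUT= SRC=192.168.0.200 DST=192.168.0.100 LEN=60 TTL=64 PROTO=TCP SPT=22 DPT=32771 ACK SYN'
SAMPLE_INPUT='kernel: at-INPUT: IN=eth0 OUT= SRC=192.168.0.100 DST=192.168.0.100 LEN=60 TTL=64 PROTO=TCP SPT=22 DPT=32771 ACK SYN'

# Usage: sh trace-undnat.sh add|del SERVER PORT   (the file name is arbitrary)
case "${1:-}" in
    add) add_trace_rules "${2:?server}" "${3:?port}" ;;
    del) del_trace_rules "${2:?server}" "${3:?port}" ;;
esac
```

Add the rules, retry the ssh, then compare the SRC= field of the two lines in the kernel log (dmesg or /var/log/messages): 192.168.0.200 at pre-unDNAT and 192.168.0.100 at at-INPUT means the reply was un-DNATted and what remains is a filter rule in INPUT, as the reply describes. If the pre-unDNAT line appears and the at-INPUT line never does, the packet was dropped between the two hooks, at the routing step rather than by a filter rule; setting /proc/sys/net/ipv4/conf/all/log_martians to 1 makes the kernel log a source address it rejects there.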