On Fri, 05/02/2010 at 10:47 -0500, Dan Daugherty wrote:
> Normally I wouldn't have a problem with this but I'm doing something a
> bit different than I would normally do.
> I have a RHEL5 server with one NIC that is being used as a router. My
> problem is that I can't seem to completely forward requests off of
> this box using iptables. If I specify a port redirection to a local
> port, it works fine but when I specify forwarding that port to another
> machine, it fails. I think the request is being sent through but the
> response isn't making it back to me. I can have a clean iptables to
> start and only need to execute one command to make the local forward
> work and since I'm not technically using the machine as a gateway, I'm
> not sure if all the INPUT, OUTPUT and FORWARD chain commands are
> necessary.
>
> 10.117.1.205 is the server in question
> 10.117.1.203 is the server I am trying to forward to
>
> Working command:
> iptables -t nat -A PREROUTING -p tcp --dport 1524 -i eth0 -j DNAT --to 10.117.1.205:22
>
> Using telnet to test:
> telnet 10.117.1.205 1524
> Trying 10.117.1.205...
> Connected to -----------.
> Escape character is '^]'.
> SSH-2.0-OpenSSH_4.3
>
> Failing command:
> iptables -t nat -A PREROUTING -p tcp --dport 1524 -i eth0 -j DNAT --to 10.117.1.203:1524
>
> Telnet never completes:
> telnet 10.117.1.205 1524
> Trying 10.117.1.205...

The problem here is that no actual routing is being done, because all hosts are in the same IP net. This is what happens:

1. You send request: x.x.x.x:X -> 10.117.1.205:1524
2. Server is doing DNAT: x.x.x.x:X -> 10.117.1.203:1524
3. 10.117.1.203 is responding: 10.117.1.203:1524 -> x.x.x.x:X
4. x.x.x.x doesn't expect packets from 10.117.1.203, because it was initially connecting to 10.117.1.205, and drops the packet.

For this to work you should also do SNAT:

iptables -t nat -A POSTROUTING -o eth0 -d 10.117.1.203 -p tcp --dport 1524 -j SNAT --to-source 10.117.1.205

This way response packets will go back to 10.117.1.205 and then to the sender:

1. You send request: x.x.x.x:X -> 10.117.1.205:1524
2. Server is doing DNAT: x.x.x.x:X -> 10.117.1.203:1524
3. Server is doing SNAT: 10.117.1.205:X -> 10.117.1.203:1524
4. 10.117.1.203 is responding: 10.117.1.203:1524 -> 10.117.1.205:X
5. Server is doing unSNAT: 10.117.1.203:1524 -> x.x.x.x:X
6. Server is doing unDNAT: 10.117.1.205:1524 -> x.x.x.x:X
7. x.x.x.x gets a legal response 10.117.1.205:1524 -> x.x.x.x:X

--
Покотиленко Костик <casper@xxxxxxxxxxxx>

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
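The two packet flows above, traced in code. This is an added example and not code from either poster; it is a toy model of the nat table plus conntrack, not the kernel's implementation. The router (10.117.1.205), backend (10.117.1.203) and port 1524 are taken from the thread; the client address 10.117.1.50 and source port 40000 are constructed. Three configurations are run: the local redirect that worked, the hairpin DNAT that hung, and the DNAT plus SNAT fix.

```python
"""Toy model of PREROUTING DNAT / POSTROUTING SNAT / conntrack on a one-NIC box.
Added example, not code from the netfilter thread. Addresses 10.117.1.205,
10.117.1.203 and port 1524 come from the mail; the client 10.117.1.50:40000
is a constructed value.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Packet":
        """The 4-tuple a reply to this packet carries."""
        return Packet(self.dst, self.dport, self.src, self.sport)


class NatRouter:
    """10.117.1.205: one NIC, a DNAT rule, an optional SNAT rule, a conntrack table."""

    def __init__(self, own_ip, dnat_to, snat_to=None, port=1524):
        self.own_ip = own_ip
        self.port = port
        self.dnat_to = dnat_to      # (ip, port) given to -j DNAT --to
        self.snat_to = snat_to      # address given to -j SNAT --to-source, or None
        self.conntrack = {}         # reply tuple the box expects -> reply tuple the client expects

    def rules(self):
        """The iptables commands this configuration corresponds to."""
        out = [f"iptables -t nat -A PREROUTING -p tcp --dport {self.port} -i eth0 "
               f"-j DNAT --to {self.dnat_to[0]}:{self.dnat_to[1]}"]
        if self.snat_to:
            out.append(f"iptables -t nat -A POSTROUTING -o eth0 -d {self.dnat_to[0]} -p tcp "
                       f"--dport {self.dnat_to[1]} -j SNAT --to-source {self.snat_to}")
        return out

    def outbound(self, pkt):
        """Packet from the client: DNAT in PREROUTING, then SNAT in POSTROUTING."""
        orig = pkt
        if pkt.dst == self.own_ip and pkt.dport == self.port:
            pkt = replace(pkt, dst=self.dnat_to[0], dport=self.dnat_to[1])
        if self.snat_to and (pkt.dst, pkt.dport) == self.dnat_to:
            pkt = replace(pkt, src=self.snat_to)   # source port kept, as SNAT does when it is free
        # conntrack: a reply to the translated packet is mapped back to a reply to the original
        self.conntrack[pkt.reverse()] = orig.reverse()
        return pkt

    def inbound_reply(self, pkt):
        """Reply reaching the box: undo SNAT and DNAT if conntrack knows the flow, else None."""
        return self.conntrack.get(pkt)


def run(router, client_ip="10.117.1.50", client_port=40000):
    """One request/reply round trip. Returns (reply the client sees, accepted?)."""
    request = Packet(client_ip, client_port, router.own_ip, router.port)
    on_wire = router.outbound(request)
    # The backend answers whatever source address the packet carried. Everyone is on
    # one subnet, so that reply only passes the router's conntrack if the reply is
    # addressed to the router or the "backend" was the router's own local service.
    reply = on_wire.reverse()
    if on_wire.dst == router.own_ip or reply.dst == router.own_ip:
        reply = router.inbound_reply(reply)
    # The client's TCP stack matches a reply to its socket only if it comes from
    # the exact address:port it connected to.
    accepted = (reply is not None and reply.dst == client_ip and reply.dport == client_port
                and reply.src == request.dst and reply.sport == request.dport)
    return reply, accepted


if __name__ == "__main__":
    cases = {
        "local redirect (works)": NatRouter("10.117.1.205", ("10.117.1.205", 22)),
        "DNAT only (hangs)": NatRouter("10.117.1.205", ("10.117.1.203", 1524)),
        "DNAT + SNAT (fixed)": NatRouter("10.117.1.205", ("10.117.1.203", 1524),
                                         snat_to="10.117.1.205"),
    }
    for name, router in cases.items():
        reply, ok = run(router)
        print(f"{name}: client sees {reply!r}, accepted={ok}")
        for rule in router.rules():
            print("   ", rule)
```

Two practical notes that go with the fix. First, once the DNAT target is another host, the translated packet has to be forwarded, so net.ipv4.ip_forward must be 1 and the FORWARD chain must not drop it; a bare DNAT rule is enough only for the local-port case. Second, the SNAT means 10.117.1.203 sees every such connection as coming from 10.117.1.205: its logs, tcp wrappers and any source-address based access control no longer see the real client, which is the usual trade-off of hairpin NAT on a flat subnet.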