On Fri, 05/02/2010 at 13:13 -0500, Dan Daugherty wrote:
> Thanks. I tried adding the SNAT entry and it still fails the same
> way. I need to enable logging to see where the packets are still
> being dropped. I've never had to enable logging so I need to check
> the docs and get some results.

First, check the rule counters with

iptables -t nat -nvL

Then tcpdump on both 10.117.1.205 and 10.117.1.203.

> 2010/2/5 Покотиленко Костик <casper@xxxxxxxxxxxx>
> > On Fri, 05/02/2010 at 10:47 -0500, Dan Daugherty wrote:
> > > Normally I wouldn't have a problem with this but I'm doing
> > > something a bit different than I would normally do.
> > > I have a RHEL5 server with one NIC that is being used as a
> > > router. My problem is that I can't seem to completely forward
> > > requests off of this box using iptables. If I specify a port
> > > redirection to a local port, it works fine but when I specify
> > > forwarding that port to another machine, it fails. I think the
> > > request is being sent through but the response isn't making it
> > > back to me. I can have a clean iptables to start and only need
> > > to execute one command to make the local forward work and since
> > > I'm not technically using the machine as a gateway, I'm not sure
> > > if all the INPUT, OUTPUT and FORWARD chain commands are
> > > necessary.
> > >
> > > 10.117.1.205 is the server in question
> > > 10.117.1.203 is the server I am trying to forward to
> > >
> > > Working command:
> > > iptables -t nat -A PREROUTING -p tcp --dport 1524 -i eth0 -j DNAT --to 10.117.1.205:22
> > >
> > > Using telnet to test:
> > > telnet 10.117.1.205 1524
> > > Trying 10.117.1.205...
> > > Connected to -----------.
> > > Escape character is '^]'.
> > > SSH-2.0-OpenSSH_4.3
> > >
> > > Failing command:
> > > iptables -t nat -A PREROUTING -p tcp --dport 1524 -i eth0 -j DNAT --to 10.117.1.203:1524
> > >
> > > Telnet never completes:
> > > telnet 10.117.1.205 1524
> > > Trying 10.117.1.205...
> >
> > The problem here is that no actual routing is being done because
> > all hosts are in the same IP net.
> >
> > This is what happens:
> >
> > 1. You send request: x.x.x.x:X -> 10.117.1.205:1524
> > 2. Server is doing DNAT: x.x.x.x:X -> 10.117.1.203:1524
> > 3. 10.117.1.203 is responding: 10.117.1.203:1524 -> x.x.x.x:X
> > 4. x.x.x.x doesn't expect packets from 10.117.1.203, because it
> >    was initially connecting to 10.117.1.205 and drops the packet.
> >
> > For this to work you should also do SNAT:
> >
> > iptables -t nat -A POSTROUTING -o eth0 -d 10.117.1.203 -p tcp --dport 1524 -j SNAT --to-source 10.117.1.205
> >
> > This way response packets will go back to 10.117.1.205 and then
> > to sender:
> >
> > 1. You send request: x.x.x.x:X -> 10.117.1.205:1524
> > 2. Server is doing DNAT: x.x.x.x:X -> 10.117.1.203:1524
> > 3. Server is doing SNAT: 10.117.1.205:X -> 10.117.1.203:1524
> > 4. 10.117.1.203 is responding: 10.117.1.203:1524 -> 10.117.1.205:X
> > 5. Server is doing unSNAT: 10.117.1.203:1524 -> x.x.x.x:X
> > 6. Server is doing unDNAT: 10.117.1.205:1524 -> x.x.x.x:X
> > 7. x.x.x.x gets legal response 10.117.1.205:1524 -> x.x.x.x:X
> >
> > --
> > Покотиленко Костик <casper@xxxxxxxxxxxx>

--
Покотиленко Костик <casper@xxxxxxxxxxxx>
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
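The two packet walks above (four steps that end in a dropped reply, seven steps that end in an accepted one) can be replayed offline. The following is an added illustration, not code from the thread or from netfilter: a toy model of the router's DNAT rule, the optional POSTROUTING SNAT rule and a minimal connection-tracking table, using the thread's addresses 10.117.1.205 (router), 10.117.1.203 (target) and x.x.x.x (client); the client source port 40000 stands in for the "X" in the walk and is a constructed value. It reproduces the reason the reply is dropped without SNAT: on a single subnet the target answers the client directly, so the client sees a peer it never connected to. It does not model TCP state, and a real box additionally needs net.ipv4.ip_forward=1 and a FORWARD chain that accepts the traffic; note also that once SNAT is in place the target's logs will show 10.117.1.205 as the source of every forwarded connection, so the original client address is only recoverable from the router.

```python
"""Toy replay of the DNAT-only and DNAT+SNAT packet walks from the thread.

Constructed example: it does not touch iptables; it models one forwarded
TCP connection through the 10.117.1.205 router to 10.117.1.203.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CLIENT, CLIENT_PORT = "x.x.x.x", 40000  # "x.x.x.x:X" from the thread; port is constructed
ROUTER = "10.117.1.205"
TARGET = "10.117.1.203"
PORT = 1524


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def __str__(self) -> str:
        return f"{self.src}:{self.sport} -> {self.dst}:{self.dport}"


class NatRouter:
    """The DNAT rule, the optional SNAT rule and a minimal conntrack table."""

    def __init__(self, snat: bool) -> None:
        self.snat = snat
        # client-side tuple as received -> tuple as actually sent to the target
        self.conntrack: Dict[Packet, Packet] = {}

    def forward(self, pkt: Packet, trace: List[str]) -> Packet:
        original = pkt
        # PREROUTING: -p tcp --dport 1524 -j DNAT --to 10.117.1.203:1524
        if pkt.dst == ROUTER and pkt.dport == PORT:
            pkt = Packet(pkt.src, pkt.sport, TARGET, PORT)
            trace.append(f"Server is doing DNAT: {pkt}")
        # POSTROUTING: -d 10.117.1.203 --dport 1524 -j SNAT --to-source 10.117.1.205
        if self.snat and pkt.dst == TARGET and pkt.dport == PORT:
            pkt = Packet(ROUTER, pkt.sport, pkt.dst, pkt.dport)
            trace.append(f"Server is doing SNAT: {pkt}")
        self.conntrack[original] = pkt
        return pkt

    def reverse(self, reply: Packet, trace: List[str]) -> Optional[Packet]:
        """Undo the translations for a reply that reached the router, or None."""
        for original, translated in self.conntrack.items():
            expected = Packet(translated.dst, translated.dport, translated.src, translated.sport)
            if reply != expected:
                continue
            if self.snat:
                reply = Packet(reply.src, reply.sport, original.src, original.sport)
                trace.append(f"Server is doing unSNAT: {reply}")
            reply = Packet(original.dst, original.dport, reply.dst, reply.dport)
            trace.append(f"Server is doing unDNAT: {reply}")
            return reply
        return None


def simulate(snat: bool) -> Tuple[bool, List[str]]:
    """Run one connection attempt; returns (client accepted the reply?, trace)."""
    trace: List[str] = []
    router = NatRouter(snat)
    request = Packet(CLIENT, CLIENT_PORT, ROUTER, PORT)
    trace.append(f"You send request: {request}")
    on_wire = router.forward(request, trace)
    # The target answers whatever source the packet carried.
    reply = Packet(on_wire.dst, on_wire.dport, on_wire.src, on_wire.sport)
    trace.append(f"{TARGET} is responding: {reply}")
    # All hosts share one subnet, so the reply only crosses the router
    # if it is addressed to the router itself.
    if reply.dst == ROUTER:
        reply = router.reverse(reply, trace)
        if reply is None:
            return False, trace
    # The client only accepts a reply from the peer it connected to.
    accepted = (reply.src, reply.sport, reply.dst, reply.dport) == (ROUTER, PORT, CLIENT, CLIENT_PORT)
    if accepted:
        trace.append(f"{CLIENT} gets legal response {reply}")
    else:
        trace.append(f"{CLIENT} doesn't expect packets from {reply.src} and drops the packet")
    return accepted, trace


if __name__ == "__main__":
    for flag in (False, True):
        ok, steps = simulate(flag)
        print(f"SNAT {'on' if flag else 'off'}: {'works' if ok else 'fails'}")
        for i, step in enumerate(steps, 1):
            print(f"  {i}. {step}")
```

Running it prints the four-step walk for the DNAT-only case and the seven-step walk for DNAT plus SNAT, in the same order as the reply above; the conntrack lookup in reverse() is also why the "unSNAT" and "unDNAT" steps need no extra iptables rules on a real box.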