Re: newbie: forward rule to itself

Hello,

Mauricio Tavares wrote:
> 	Let's say I have server1 with two ports, eth0 and eth0, and server2 

Did you mean "eth0 and eth1" ?

> whose eth0 port is connected to server1's eth1. And let's say the subnet 
> between them is 192.168.1.0/24 while the one server1's eth0 is connected 
> to is 192.168.4.0/24.
> 
> I have the following rules to forward port 6969 coming on eth0 on 
> server1 to port 6969 on server2's eth0:
> 
> iptables -A PREROUTING -t nat -p tcp --dport 6969 -j DNAT --to 
> 192.168.1.server2:6969
> iptables -A INPUT -d 192.168.4.server1 -p tcp -m tcp -m state --state 
> NEW --dport 6969 -j ACCEPT

This rule in INPUT is pointless because
1) packets have already been DNATed by the previous rule in PREROUTING,
2) the new destination is a remote address, so packets go through
FORWARD, not INPUT.

> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> 
> Any machine in 192.168.4.0/24 seems to be able to get to server2 by 
> using 192.168.1.server1:6969. But, if I try to connect to 
> 192.168.1.server1:6969 on server1 itself, I will not be forwarded to 
> server2. What am I missing here?

As Jan explained, the PREROUTING chain of the 'nat' table sees only
incoming packets received from outside. DNAT for locally generated
packets must be done in the OUTPUT chain.

PS: If you want the connection to work from server2 too, you must add a
specific MASQUERADE/SNAT for it too in POSTROUTING.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
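The rule set the thread converges on, as an added example that is not part of the original posts: it covers connections arriving from the 192.168.4.0/24 side (nat PREROUTING), connections started on server1 itself (nat OUTPUT, the chain the question's rules were missing), and the hairpin case from the PS where server2 connects to server1's forwarded port. The interface names and the host parts of the addresses (192.168.4.1, 192.168.1.1, 192.168.1.2) are assumptions standing in for the "192.168.x.serverN" placeholders; by default the script only prints the commands.

```shell
#!/bin/sh
# Added example, not from the thread: emits (or, with IPT=iptables, applies)
# a rule set for the three cases discussed: connections arriving from the
# 192.168.4.0/24 side, connections started on server1 itself, and server2
# connecting to server1's forwarded port. Interface names and the host parts
# of the addresses are assumptions standing in for "192.168.x.serverN".

EXT_IF="eth0"                 # server1's interface on 192.168.4.0/24
INT_IF="eth1"                 # server1's interface on 192.168.1.0/24
SERVER1_EXT="192.168.4.1"     # assumed value of 192.168.4.server1
SERVER1_INT="192.168.1.1"     # assumed value of 192.168.1.server1
SERVER2="192.168.1.2"         # assumed value of 192.168.1.server2
PORT="6969"
IPT="${IPT:-echo iptables}"   # dry run by default; IPT=iptables to apply

nat_rules() {
    for addr in "$SERVER1_EXT" "$SERVER1_INT"; do
        # Packets arriving from another host pass nat PREROUTING ...
        $IPT -t nat -A PREROUTING -d "$addr" -p tcp --dport "$PORT" \
            -j DNAT --to-destination "$SERVER2:$PORT"
        # ... but packets generated on server1 itself never do; their
        # DNAT has to be in the nat OUTPUT chain (the question's missing rule).
        $IPT -t nat -A OUTPUT -d "$addr" -p tcp --dport "$PORT" \
            -j DNAT --to-destination "$SERVER2:$PORT"
    done
    # Hairpin case from the PS: a connection from server2 is DNATed back to
    # server2, so rewrite the source, otherwise server2 answers itself directly
    # and the reply never comes back through server1's NAT state.
    $IPT -t nat -A POSTROUTING -o "$INT_IF" -s "$SERVER2" -d "$SERVER2" \
        -p tcp --dport "$PORT" -j SNAT --to-source "$SERVER1_INT"
    # The original masquerade for traffic leaving on the 192.168.4.0/24 side.
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
}

filter_rules() {
    # DNATed connections are accepted in FORWARD; an INPUT rule never sees them.
    $IPT -A FORWARD -o "$INT_IF" -d "$SERVER2" -p tcp --dport "$PORT" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$INT_IF" -s "$SERVER2" -p tcp --sport "$PORT" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

nat_rules
filter_rules
```

Run it once to inspect the printed commands, then `IPT=iptables sh script.sh` as root to apply them.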

