Re: PREROUTING to a non local subnet

Hi,

Try to include a source NAT rule to ensure symmetrical routing.

iptables -A PREROUTING -t nat -p tcp -i eth1 --dport 5900 -j DNAT --to-destination 192.168.2.100:5900
iptables -A POSTROUTING -t nat -p tcp -d 192.168.2.100 --dport 5900 -j MASQUERADE
iptables -A FORWARD -p tcp -d 192.168.2.100 --dport 5900 -j ACCEPT


2013/9/16 Manu <traqueur@xxxxxxxxxxxxxxxx>:
> Hello
>
> Nobody knows if it possible ?
>
>
> On 09/09/2013 16:34, Manu wrote:
>>
>> Hello
>>
>> I'm running iptables v1.4.7 on a Linux box with two NICs.
>> One has address 192.168.1.31 (the LAN).
>> The other has a public IP. Let's say 180.180.180.180.
>>
>> On the LAN, I have a VPN which joins two networks: 192.168.1.0 and
>> 192.168.2.0
>>
>> I'm trying to forward port 5900 (VNC) to a computer which is on the second
>> subnet with address 192.168.2.100
>> iptables -A PREROUTING -t nat -p tcp -i eth1 --dport 5900 -j DNAT --to-destination 192.168.2.100:5900
>> iptables -A FORWARD -p tcp -d 192.168.2.100 --dport 5900 -j ACCEPT
>> and it doesn't work
>>
>> I've tried the same on the local network with address 192.168.1.99
>> iptables -A PREROUTING -t nat -p tcp -i eth1 --dport 5900 -j DNAT --to-destination 192.168.1.99:5900
>> iptables -A FORWARD -p tcp -d 192.168.1.99 --dport 5900 -j ACCEPT
>> and it's working like a charm
>>
>> I've done my test from another computer with public address 200.200.200.200
>>
>> I've run netstat on the two computers:
>> on 192.168.2.100 I've seen it's talking to 180.180.180.180 (<-- my server
>> running iptables)
>> on 192.168.1.99 I've seen it's talking to 200.200.200.200 (<-- the
>> computer on the Internet which I'm running my test from)
>>
>> thanks for your attention
>> --
>> To unsubscribe from this list: send the line "unsubscribe netfilter" in
>> the body of a message to majordomo@xxxxxxxxxxxxxxx
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>
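To see why the extra source NAT rule matters, here is a small Python model of the VNC host's reply path, added as an example and not taken from the thread. It uses the thread's addresses and assumes the 192.168.2.0/24 site reaches the Internet through its own uplink rather than back through the iptables box.

```python
import ipaddress

# Constructed topology from the thread: firewall 180.180.180.180 (eth1) / 192.168.1.31 (LAN side),
# VPN router joining 192.168.1.0/24 and 192.168.2.0/24, VNC host 192.168.2.100, client 200.200.200.200.
FW_PUB, FW_LAN = "180.180.180.180", "192.168.1.31"
VNC, CLIENT = "192.168.2.100", "200.200.200.200"

# Per-node routing tables as (prefix, next hop). Assumption: the 192.168.2.0/24 site reaches the
# Internet through its own uplink ("inet"), not back through the iptables box ("fw").
ROUTES = {
    "vnc": [("0.0.0.0/0", "vpn")],                             # VNC host's default gateway is the VPN router
    "vpn": [("192.168.1.0/24", "fw"), ("0.0.0.0/0", "inet")],  # tunnel to the LAN, everything else via uplink
}


def next_hop(node, dst):
    """Longest-prefix match over the node's routing table."""
    addr = ipaddress.ip_address(dst)
    table = [(ipaddress.ip_network(p), hop) for p, hop in ROUTES[node]]
    net, hop = max((r for r in table if addr in r[0]), key=lambda r: r[0].prefixlen)
    return hop


def reply_path(with_snat):
    """Trace the VNC host's reply to a DNATed connection; return (hops, src, dst) as delivered."""
    # PREROUTING DNAT: the client's SYN to 180.180.180.180:5900 is delivered to 192.168.2.100:5900.
    # With the POSTROUTING MASQUERADE rule the source is rewritten to the firewall's LAN address too.
    src_seen_by_vnc = FW_LAN if with_snat else CLIENT
    # conntrack entry: reply tuple -> the addresses the client originally used.
    conntrack = {(VNC, src_seen_by_vnc): (FW_PUB, CLIENT)}
    reply_src, reply_dst = VNC, src_seen_by_vnc  # the host simply swaps src and dst
    node, hops = "vnc", []
    while node not in ("fw", "inet"):
        node = next_hop(node, reply_dst)
        hops.append(node)
    if node == "fw":  # the reply crossed the NAT box, so conntrack reverses the DNAT (and SNAT)
        reply_src, reply_dst = conntrack[(reply_src, reply_dst)]
    # Otherwise the reply left by another path: the client receives a packet from 192.168.2.100
    # instead of 180.180.180.180, which matches no connection it knows about and is rejected.
    return hops, reply_src, reply_dst


if __name__ == "__main__":
    for snat in (False, True):
        hops, s, d = reply_path(snat)
        print(f"snat={snat}: reply via {' -> '.join(hops)}, arrives at {d} from {s}")
```

The model also shows the side effect of MASQUERADE: the VNC host sees every forwarded connection as coming from 192.168.1.31, so its own logs no longer record the real client address.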