[seems the mailing list IP is missed. adding it]
On 09/16/2013 06:03 PM, Manu wrote:
For me the traffic is being dropped in the right place, as when I do a
netstat on 192.168.2.100 I see that there is an open connection
with 180.180.180.180 (<-- my server running iptables).
But the IP of the computer I'm running my test from is 200.200.200.200.
Here is the strange point: when I use the same rules for forwarding
a port to a computer on the same subnet as the server, I see a
connection from 200.200.200.200 and not 180.180.180.180.
It seems that iptables rewrites the source IP address when it does port
forwarding to a computer which is not on the same subnet.
I think some SNAT rule is doing that (maybe as a side effect of your
VPN configuration?).
I hope I'm clear enough. Tell me if it is not the case.
Regards,
Vignesh
On 16/09/2013 11:23, Vigneswaran R wrote:
On 09/09/2013 08:04 PM, Manu wrote:
Hello,
I'm running iptables v1.4.7 on a Linux box with two NICs.
One has address 192.168.1.31 (the LAN).
The other has a public IP. Let's say 180.180.180.180.
On the LAN, I have a VPN which joins two networks: 192.168.1.0 and
192.168.2.0.
I'm trying to forward port 5900 (VNC) to a computer which is on the
second subnet with address 192.168.2.100:
iptables -A PREROUTING -t nat -p tcp -i eth1 --dport 5900 -j DNAT --to-destination 192.168.2.100:5900
iptables -A FORWARD -p tcp -d 192.168.2.100 --dport 5900 -j ACCEPT
and it doesn't work.
Does this machine have a route to the 192.168.2.0 network? Try to use
tcpdump and see where the traffic is being dropped.
Regards,
Vignesh
I've tried the same on the local network with address 192.168.1.99:
iptables -A PREROUTING -t nat -p tcp -i eth1 --dport 5900 -j DNAT --to-destination 192.168.1.99:5900
iptables -A FORWARD -p tcp -d 192.168.1.99 --dport 5900 -j ACCEPT
and it's working like a charm.
I've done my test from another computer with public address
200.200.200.200.
I've done a netstat on the two computers:
on 192.168.2.100 I've seen it's talking to 180.180.180.180 (<-- my
server running iptables)
on 192.168.1.99 I've seen it's talking to 200.200.200.200 (<-- the
computer on the internet which I'm running my test from)
Thanks for your attention.
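To check Vignesh's SNAT hypothesis without guessing, the rules in `iptables-save -t nat` can be scanned for POSTROUTING targets that rewrite the source (SNAT, MASQUERADE, NETMAP) and apply to the interface the DNATed packets leave on. The script below is an added example, not part of the thread; the nat dump is constructed and the VPN interface name tun0 is an assumption.

```shell
#!/bin/sh
# Added example: find nat POSTROUTING rules that would rewrite the source address
# of traffic leaving on a given interface. A matching rule is what makes
# 192.168.2.100 see the firewall's own address instead of the real client.

# Constructed sample of `iptables-save -t nat` output (not from the original post).
# The MASQUERADE on tun0 (assumed VPN interface) is the kind of rule Vignesh suspects.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 192.168.2.100:5900
-A POSTROUTING -s 192.168.1.0/24 -o eth1 -j MASQUERADE
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT'

# Usage: source_rewriting_rules "$nat_dump" <out-interface>
# Prints every POSTROUTING rule with a source-rewriting target that either
# names the given interface with -o or has no -o match at all (applies everywhere).
# Source/destination matches (-s/-d) are not evaluated; review printed rules by hand.
source_rewriting_rules() {
  printf '%s\n' "$1" | awk -v oif="$2" '
    /^-A POSTROUTING / && /-j (SNAT|MASQUERADE|NETMAP)( |$)/ {
      rule_oif = ""
      for (i = 1; i <= NF; i++) if ($i == "-o") rule_oif = $(i + 1)
      if (rule_oif == "" || rule_oif == oif) print
    }'
}

# Usage: count_source_rewriting_rules "$nat_dump" <out-interface>; prints the count.
count_source_rewriting_rules() {
  source_rewriting_rules "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone run: packets DNATed to 192.168.2.100 leave via the VPN (tun0, assumed).
source_rewriting_rules "$SAMPLE_NAT" tun0
```

On the real box, replace SAMPLE_NAT with `$(iptables-save -t nat)` and pass the interface from `ip route get 192.168.2.100`; if the rule found is needed so that the remote subnet can route replies back, narrowing it with `-s` or `! -d` keeps the client's address visible on the DNATed connection.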
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html