Network Security Firewalls

RE: Trying to nat with iptables (nat / prerouting / iptables)

Subject: RE: Trying to nat with iptables (nat / prerouting / iptables)
Date: Sat, 25 Feb 2006 00:44:53 -0000
Hi Carlos,

-----Original Message-----
From: Carlos Costa [mailto:ccosta@gmail.com]

I'm trying to do something simple with iptables: redirect one port
of my firewall machine to another port on another machine.

This is what I do:

iptables -t nat -A PREROUTING -p tcp --dport 81 -j DNAT --to 192.168.1.3:139


That rule is ok.

In the FORWARD chain my policy is ACCEPT, so I assume that the packet
must go to 192.168.1.3:139 (I am logging the packets in FORWARD, and
there is no traffic).

I assume that 192.168.1.2:81 must be equivalent to 192.168.1.3:139, but:

merry:~# telnet 192.168.1.2 81
Trying 192.168.1.2...
telnet: Unable to connect to remote host: Connection refused

merry:~# telnet 192.168.1.3 139
Trying 192.168.1.3...
Connected to 192.168.1.3.

What am I doing wrong? Thank you very much,
  Carlos.


You can do it by specifying specifically what you need to forward, from
where to where; your current default policy only tells Netfilter that you
allow all forwarding. This forward rule (after your PREROUTING rule) should
do the trick:

iptables -A FORWARD -p tcp -s 192.168.1.0/24 -d 192.168.1.3 --dport 139 -j ACCEPT

However, even though this would act as an implicit SNAT, the proper way to
do it is to do SNAT in the POSTROUTING chain, with a rule like this:

# match the client network as the source: the server's own address (192.168.1.3)
# never appears as a source here, so a rule with -s 192.168.1.3 would never fire
iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.0/24 -d 192.168.1.3 --dport 139 -j SNAT --to-source 192.168.1.2

This will replace the source IP of your client with that of the firewall for
traffic going to the server (from the firewall). Right now, your server
should be seeing packets with the src IP of your client sent by your
firewall (put a sniffer in there and you will see that the PREROUTING rule
only changed the destination address but not the source address). When the
server replies it will reply to your client's ip address directly. At that
point, your client is not expecting an answer from 192.168.1.3 but from
192.168.1.2, so it will discard those responses and should time out its own
requests.

After you apply the rule above to the POSTROUTING chain in the nat table the
firewall will do both translations (the source, SNAT, and the destination IP
address, DNAT). So, the traffic will be sent to 192.168.1.3 and the source
of that traffic will be 192.168.1.2 (FW). The server will reply to your
firewall and this one will in turn translate back the traffic to your client
with the client's ip address as destination and the firewall's ip address as
source (i.e. all will be NATed nicely through the firewall, transparently to
both client and server).

In another scenario, you might have redirection traversing different
networks through the firewall (i.e. your client and the server are in
different networks and the firewall is connected to each network using a
different interface). For example:

(client network) ------- ip1[FW]ip2-------- (server network)

Putting some example values for addresses and interfaces:

Client: 192.168.0.1
FW ip1: 192.168.0.254 (eth0)
FW ip2: 10.0.0.254 (eth1)
Server: 10.0.0.33

You can set the default policy for INPUT, OUTPUT and FORWARD to DROP and
with these 3 rules the client should still be able to connect to the server
(on port 139) while connecting to port 81 on the firewall, using
192.168.0.254:

# -i (lowercase) is the input-interface match
iptables -t nat -A PREROUTING -p tcp --dport 81 -i eth0 -j DNAT --to-destination 10.0.0.33:139

# FORWARD runs after PREROUTING, so it sees the translated destination
# (10.0.0.33), not the firewall's own address
iptables -A FORWARD -p tcp -d 10.0.0.33 --dport 139 -i eth0 -o eth1 -j ACCEPT

# the source to rewrite is the client network, not the firewall's address
iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.0/24 -d 10.0.0.33 --dport 139 -o eth1 -j SNAT --to-source 10.0.0.254

I hope this helps.

Regards,

Omar Herrera
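Both layouts from the reply above, the same-subnet (hairpin) case and the two-interface case, as one complete script. This is an added example, not code from the original thread or from either poster. The addresses and interface names are the thread's example values; the run wrapper, the DRY_RUN preview mode, the `-m conntrack` matches, the extra `-d` on the hairpin DNAT rule and the ESTABLISHED,RELATED return rule are additions made here. That return rule matters: with a DROP policy on FORWARD the server's replies traverse FORWARD in the opposite direction (eth1 to eth0) and are dropped unless tracked connections are let back through, so the three-rule set in the reply will not complete a handshake on its own.

```shell
#!/bin/sh
# Added example (not from the original thread): both port-forward layouts
# discussed above as one re-runnable script. Addresses and interfaces are
# the thread's example values; the run wrapper, DRY_RUN and the conntrack
# rules are assumptions made here.
# DRY_RUN=1 prints the commands instead of executing them; otherwise run as root.
set -eu

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Replies to forwarded connections pass through FORWARD in the opposite
# direction; with a DROP policy they need this rule or the handshake never
# completes. The three-rule set in the reply above leaves this out.
allow_return_traffic() {
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Scenario 1 (hairpin): client, firewall (192.168.1.2) and server
# (192.168.1.3) share one LAN. Client -> fw:81 is forwarded to server:139.
# SNAT is mandatory here: without it the server answers the client directly,
# the client gets a SYN-ACK from 192.168.1.3 instead of 192.168.1.2:81 and
# resets the connection.
hairpin_forward() {
    lan_net=192.168.1.0/24
    fw_lan_ip=192.168.1.2
    server=192.168.1.3
    # -d limits the rewrite to traffic actually addressed to the firewall
    run iptables -t nat -A PREROUTING -p tcp -s "$lan_net" -d "$fw_lan_ip" --dport 81 \
        -j DNAT --to-destination "$server:139"
    # FORWARD runs after PREROUTING, so it sees the translated destination.
    run iptables -A FORWARD -p tcp -s "$lan_net" -d "$server" --dport 139 \
        -m conntrack --ctstate NEW -j ACCEPT
    allow_return_traffic
    run iptables -t nat -A POSTROUTING -p tcp -s "$lan_net" -d "$server" --dport 139 \
        -j SNAT --to-source "$fw_lan_ip"
}

# Scenario 2 (routed): client network 192.168.0.0/24 on eth0, server
# 10.0.0.33 on eth1, FORWARD policy DROP. Client -> 192.168.0.254:81 is
# forwarded to 10.0.0.33:139.
routed_forward() {
    client_net=192.168.0.0/24
    fw_out_ip=10.0.0.254
    server=10.0.0.33
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -P FORWARD DROP
    run iptables -t nat -A PREROUTING -i eth0 -p tcp -s "$client_net" --dport 81 \
        -j DNAT --to-destination "$server:139"
    run iptables -A FORWARD -i eth0 -o eth1 -p tcp -s "$client_net" -d "$server" --dport 139 \
        -m conntrack --ctstate NEW -j ACCEPT
    allow_return_traffic
    # Across routed networks SNAT is only required when the server has no
    # route back to the client network; it also hides the client IP from the
    # server's logs. Kept here to match the reply above.
    run iptables -t nat -A POSTROUTING -o eth1 -p tcp -s "$client_net" -d "$server" --dport 139 \
        -j SNAT --to-source "$fw_out_ip"
}

case "${1:-}" in
    hairpin) hairpin_forward ;;
    routed)  routed_forward ;;
    *)       echo "usage: $0 hairpin|routed   (set DRY_RUN=1 to preview)" >&2 ;;
esac
```

Preview the rules with `DRY_RUN=1 sh forward.sh routed` before applying them; once applied, `conntrack -L` (or `cat /proc/net/nf_conntrack`) shows both translations on the same entry, and a sniffer on the server side should show the firewall's address as the source when SNAT is in place.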
