[Ma-linux] Can't get iptables to forward from one machine to another..
Alexey Toptygin
alexeyt at freeshell.org
Thu Jan 21 13:12:44 EST 2010
On Wed, 20 Jan 2010, Justin Maurer wrote:
> So I have three machines: A, B, and C.
>
> A (10.0.0.1) is a client. The only client, in fact. Essentially, I
> want to whitelist this, and only this IP.
> B (10.0.0.2) is going to be a public-facing server, with port 15000 open
> C (10.0.0.3) is going to be the actual server, hosting the application
> on port 15000.
> iptables -t nat -A PREROUTING -s 10.0.0.1 --dst 10.0.0.2 -p tcp --dport 15000 -j DNAT --to-destination 10.0.0.3
> iptables -t nat -A POSTROUTING -s 10.0.0.1 -p tcp --dst 10.0.0.3 --dport 15000 -j SNAT --to-source 10.0.0.2
> iptables -t nat -A OUTPUT -s 10.0.0.1 --dst 10.0.0.2 -p tcp --dport 15000 -j DNAT --to-destination 10.0.0.3
That OUTPUT rule is useless on B, because there will never be traffic
output from B that has 10.0.0.1 as the source address. If you want traffic
originating on B going to its own address on port 15000 to go to C, then
get rid of the -s 10.0.0.1 in the OUTPUT rule. If you only care about
traffic originating on A and going through B, then you don't need the
OUTPUT rule at all.
Some things to check:
I assume the above rules are on machine B? What other rules do you have there?
Do you have any rules on machines A or C?
Do you have net.ipv4.ip_forward = 1 in sysctl.conf on machine B and/or
are you turning on IP forwarding after you install the rules?
Have you tried running wireshark/tcpdump on B when you are making
connection attempts? What does it show?
Alexey
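The following is an added example, not code from either poster in this thread. It writes machine B's rule set for the three-host layout above (A = 10.0.0.1, B = 10.0.0.2, C = 10.0.0.3, TCP 15000) in iptables-restore format so it can be reviewed before loading, and adds a function for the ip_forward check Alexey asks about. Beyond the nat rules quoted in the thread it also adds filter-table FORWARD rules: even with forwarding enabled, a FORWARD chain whose policy is DROP (or that has no matching ACCEPT) will silently discard the DNATed packets, which is one reason the "what other rules do you have" question matters. The `-d` option is the same as the `--dst` used in the original commands; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds and checks the
# port-forward setup on machine B for the addresses discussed above.

CLIENT=10.0.0.1    # A: the only whitelisted source
PUBLIC=10.0.0.2    # B: the public-facing address clients connect to
BACKEND=10.0.0.3   # C: the host actually running the service
PORT=15000

# Emit the rule set instead of applying it, so it can be read and diffed
# before 'iptables-restore -n' loads it (-n keeps existing rules).
forward_rules() {
    cat <<EOF
*nat
-A PREROUTING -s $CLIENT -d $PUBLIC -p tcp --dport $PORT -j DNAT --to-destination $BACKEND
-A POSTROUTING -s $CLIENT -d $BACKEND -p tcp --dport $PORT -j SNAT --to-source $PUBLIC
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -s $CLIENT -d $BACKEND -p tcp --dport $PORT -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# The nat rules do nothing unless the kernel forwards between interfaces.
# The path argument exists so the check can be pointed at a test file;
# by default it reads the live sysctl node.
ip_forward_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Confirm the DNAT rule is actually present in the nat table (needs root).
dnat_rule_loaded() {
    iptables-save -t nat 2>/dev/null \
        | grep -q -- "--dport $PORT -j DNAT --to-destination $BACKEND"
}

# Load the rules, enable forwarding, and verify both. Run as root on B:
#   . ./forward.sh && apply_forwarding
apply_forwarding() {
    forward_rules | iptables-restore -n || return 1
    sysctl -w net.ipv4.ip_forward=1 >/dev/null || return 1
    ip_forward_enabled || { echo "ip_forward is still 0" >&2; return 1; }
    dnat_rule_loaded   || { echo "DNAT rule not loaded" >&2; return 1; }
    echo "forwarding $PUBLIC:$PORT -> $BACKEND:$PORT for $CLIENT is active"
    # To watch what reaches B and whether C's replies come back through B:
    #   tcpdump -ni any "tcp port $PORT"
}
```

The POSTROUTING SNAT rule is what makes this work when all three hosts share a subnet: without it C would answer A directly, A would see a reply from an address it never contacted, and the connection would be reset. The cost is that C's own logs record every connection as coming from B rather than from A, so the client address has to be recovered from B's conntrack or packet captures if it is ever needed.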