Wednesday, July 13, 2005

Re: Simple IP-Forwarding problem

Hi Dave,
Thank you for your quick response.

I have tried your suggestion, but the connection still does not work.
I think the problem is the path from the destination server back to the
client.

I'm no expert, so correct me if I'm wrong, but as far as I know DNAT
rewrites only the destination address, while the source address stays the
same - and when the destination server tries to send a response to the
source address (still my PC), the connection cannot be established, due
to firewall restrictions.

My PC (50.0.0.1) Server (100.0.0.1) Destination (150.0.0.1)
------------------------------------------------------------------
Request:
SRC=50.0.0.1
DST=100.0.0.1:20001
------------------------------------------------------------------
Translation & Forwarding
SRC=50.0.0.1
DST=150.0.0.1:22
------------------------------------------------------------------
Incoming Request
SRC=50.0.0.1
DST=150.0.0.1:22 -> Works

Response
SRC=150.0.0.1
DST=50.0.0.1 -> No direct connection possible

In my opinion iptables has to do complete masquerading, so that
the path back to the client is also NATed.

My PC (50.0.0.1) Server (100.0.0.1) Destination (150.0.0.1)
------------------------------------------------------------------
Request:
SRC=50.0.0.1
DST=100.0.0.1:20001
------------------------------------------------------------------
Translation & Forwarding
SRC=100.0.0.1
DST=150.0.0.1:22
------------------------------------------------------------------
Incoming Request
SRC=100.0.0.1
DST=150.0.0.1:22 -> Works

Response
SRC=150.0.0.1
DST=100.0.0.1 -> Ok
------------------------------------------------------------------
Translation & Forwarding
SRC=100.0.0.1
DST=50.0.0.1
------------------------------------------------------------------
Client gets Response:
SRC=100.0.0.1
DST=50.0.0.1

The problem is that I don't know how I can do SNAT and DNAT at the same
time, and I can't use static entries for the back path, because the
IP address of the client is dynamic.

Do you have any ideas?

Thanks & greetings,
-Marc-

David Nicholls wrote:
> Marc Mueller wrote:
>
>> Hi guys,
>>
> <snip>
>>
>> Is there any way to do that with iptables?
>> The only thing I have found is port forwarding on the local machine,
>> but I cannot figure out how to forward connections to another machine.
>
> something like:
>
> iptables -t nat -A PREROUTING -p tcp -i eth0 -d xx.xx.xx.xx --dport 60001 -j DNAT --to 192.168.xx.xx:22
> iptables -A FORWARD -p tcp -i eth0 -d 192.168.xx.xx --dport 22 -j ACCEPT
>
> should do it.
>
> HTH
>
> Dave
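As an added example (not from either poster), here is a rule set that does what Marc's second diagram asks for: DNAT in PREROUTING plus SNAT in POSTROUTING on the same flow. No static entry for the client's dynamic address is needed, because conntrack records the translation on the first packet and reverses both rewrites on the replies automatically. The addresses, ports and interface name are placeholders taken from the diagram.

```shell
#!/bin/sh
# Added example, not code from the thread: DNAT + SNAT for the 20001 -> 22 forward.
# All values below are placeholders from Marc's diagram; adjust for a real host.
SERVER_IP=100.0.0.1   # the forwarding box, where these rules run
PUB_PORT=20001        # port clients connect to on the forwarding box
DEST_IP=150.0.0.1     # the real SSH host
DEST_PORT=22
WAN_IF=eth0           # interface on which client connections arrive

# Print the rule set; pipe it into `sh` as root to apply (see bottom).
nat_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
# 1. Rewrite the destination on the first packet of each new connection.
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp -d $SERVER_IP --dport $PUB_PORT -j DNAT --to-destination $DEST_IP:$DEST_PORT
# 2. Rewrite the source as well, so $DEST_IP answers to us, not to the client.
#    Matching on the already-DNATed destination limits the SNAT to this flow.
iptables -t nat -A POSTROUTING -p tcp -d $DEST_IP --dport $DEST_PORT -j SNAT --to-source $SERVER_IP
# 3. After SNAT the SSH host only ever sees $SERVER_IP, so log the real
#    client address here, where it is still visible.
iptables -A FORWARD -i $WAN_IF -p tcp -d $DEST_IP --dport $DEST_PORT -m state --state NEW -j LOG --log-prefix "ssh-fwd: "
# 4. Allow only this flow through FORWARD; replies are matched by connection
#    state, so no rule mentioning the client's address is needed.
iptables -A FORWARD -i $WAN_IF -p tcp -d $DEST_IP --dport $DEST_PORT -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -s $DEST_IP --sport $DEST_PORT -m state --state ESTABLISHED -j ACCEPT
EOF
}

# Apply with: sh forward.sh apply   (needs root; without "apply" it only defines nat_rules)
if [ "${1:-}" = apply ]; then
    nat_rules | sh
fi
```

In FORWARD the reply packets still carry the SSH host as source but already have the client as destination, which is why the last rule matches on `-s $DEST_IP` rather than on anything client-specific.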

--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
