iptables port forwarding - desperation!

 
 
Mark H

 
      06-16-2005, 12:00 PM
Hello all... I've tried for 4 hours and have Google'd every possible search term imaginable to solve this problem. I've even stripped my iptables script down to nearly nothing and I'm getting crazy at this point.

Here's my deal (very simple): I've got 2 networks. An external one (192.168.1.X) and an internal one (192.168.2.X). A single machine connects them with 2 NICs. eth0 is 192.168.1.240. eth1 is 192.168.2.240. All I want to do is forward port 8029 on eth0 to port 8029 on 192.168.2.200 (a machine on the internal network) on eth1.

I've been testing from a machine on the outer network (192.168.1.50). I try to telnet to 192.168.1.240:8029 and get endless timeouts.

Here is my iptables script (ever since I went mad and decided to allow everything in a vain attempt to diagnose this):
iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t mangle
iptables -F -t nat
iptables -X

# Setup our policies
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -P PREROUTING ACCEPT

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 8029 -j DNAT --to 192.168.2.200:8029

What could be simpler than that?! I'm surely going mad!

From the machine that sits in the middle, I'll try:

telnet 192.168.2.200 8029

Everything is perfect.

But when I try it from 192.168.1.50 (on the outer network), it times out.

All the best to anyone who can help.

 
 
 
 
 
Davide Bianchi

 
      06-16-2005, 12:11 PM
On 2005-06-16, Mark H <(E-Mail Removed)> wrote:
> Here's my deal (very simple): I've got 2 networks. An external one
> (192.168.1.X) and an internal one (192.168.2.X). A single machine
> connects them with 2 NIC's. eth0 is 192.168.1.240. eth1 is 192.168.2.240.
> All I want to do is forward port 8029 on eth0 to port 8029 on 192.168.2.200


So, if your gateway machine has to do NAT, it also has to do Masquerading (SNAT). And of course it has to be the default gateway for the "internal" network or the gateway for the 192.168.1. network.

> But when I try it from 192.168.1.50 (on the outer network), it times out.


My reading of this is: your connection is sent to the gateway, which redirects it to the final machine, but then the connection is not sent back to the gateway but is sent directly to the originating machine, which discards the packet because you are doing DNAT and not SNAT too.

Davide

 
 
Mark H

 
      06-16-2005, 12:16 PM
In addition, I've already set ip_forward up:
echo 1 > /proc/sys/net/ipv4/ip_forward

To no avail.

 
 
Mark H

 
      06-16-2005, 12:24 PM
How can I do SNAT too? Would that solve things? What order in my script would I do it?

I doubt this is the answer because I've tried a million varieties of SNAT... but I'm willing to give it a shot. Thanks for the help.

 
 
Davide Bianchi

 
      06-16-2005, 12:37 PM
On 2005-06-16, Mark H <(E-Mail Removed)> wrote:
> How can I do SNAT too? Would that solve things?


Well, it isn't really clear where the problem lies here. As far as I understood, you start a connection from machine 192.168.1.x to machine 192.168.1.240, which redirects the connection to 192.168.2.x. But this last machine receives a connection with origin 192.168.1.x, so she will respond directly to 192.168.1.x.

Now, if the destination machine knows how to contact 192.168.1.x (meaning: the gateway/routing is correct), the originator will receive a connection response from 192.168.2.x, but she never contacted 192.168.2.x (the original connection was directed to 192.168.1.240), so the connection will be dropped.

SNAT (or masquerading at minimum) will make the connection appear to be from 192.168.1.240, and this should fix the problem. Otherwise it's time to do some serious debugging of your connectivity (with a wise use of tcpdump).

Davide

 
 
Mark H

 
      06-16-2005, 01:05 PM
Do you know how I would represent this in iptables? I'm feeling like a dumbass now.

 
 
Mark H

 
      06-16-2005, 01:07 PM
It clearly states here:
http://www.redhat.com/docs/manuals/l...ide/ch-fw.html
(at the bottom)

that all I need to do to redirect a port to a different machine is PREROUTING with DNAT.

 
 
KR

 
      06-16-2005, 01:15 PM
Mark H wrote:

> In addition, I've already set ip_forward up:
> echo 1 > /proc/sys/net/ipv4/ip_forward


I suspect you may have a routing problem.

Is 192.168.2.240 the default gateway for PCs on the 192.168.2.0/24 network? If not, you'll need to add a route on either the PC(s) in question, or on the default gateway, to make sure that packets destined for the 192.168.1.0/24 network are sent to 192.168.2.240.

If you don't want to alter the routing, you'll need to set up source NAT to make the packets from 192.168.1.0/24 appear to come from 192.168.2.240. Try adding this line to your script:

iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport 8029 -j SNAT --to-source 192.168.2.240
 
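A complete, tightened version of the forwarding script that combines the DNAT rule from the first post with KR's SNAT rule, added here as an example (it is not code posted by anyone in the thread). Addresses, interfaces and port are the ones from the thread; the `run` wrapper and `DRY_RUN` variable are this example's own convention, so the rules can be reviewed before they are applied as root.

```shell
#!/bin/sh
# Hypothetical hardened version of the thread's script (not Mark H's or KR's code).
# Assumed layout, taken from the thread: gateway eth0=192.168.1.240,
# eth1=192.168.2.240, target 192.168.2.200:8029.
EXT_IF=eth0; INT_IF=eth1
EXT_IP=192.168.1.240; INT_IP=192.168.2.240
TARGET=192.168.2.200; PORT=8029

# DRY_RUN=1 (default) prints each command instead of executing it; run with
# DRY_RUN=0 as root to apply the rules for real.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

apply_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1

    run iptables -F; run iptables -t nat -F; run iptables -X
    # Default-deny forwarding instead of FORWARD ACCEPT: only the forwarded
    # port and replies to established connections may cross the gateway.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$TARGET" --dport "$PORT" \
        -m conntrack --ctstate NEW -j ACCEPT

    # 1. PREROUTING: rewrite the destination (the DNAT step the Red Hat guide shows).
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$EXT_IP" --dport "$PORT" \
        -j DNAT --to-destination "$TARGET:$PORT"
    # 2. POSTROUTING: rewrite the source to the gateway's *internal* address
    #    (.2.240, not .1.240), so 192.168.2.200 answers the gateway even when the
    #    gateway is not its default route. Narrowed to the forwarded flow only.
    #    Caveat: the target's logs now show 192.168.2.240 instead of the real
    #    client, so fix the routing instead when you need source attribution.
    run iptables -t nat -A POSTROUTING -o "$INT_IF" -p tcp -d "$TARGET" --dport "$PORT" \
        -j SNAT --to-source "$INT_IP"
}

# After "telnet 192.168.1.240 8029" from the outer network, the packet counters
# on both nat rules should increase; a DNAT hit with no SNAT hit means the
# reply path problem from the thread is back.
show_nat_hits() {
    run iptables -t nat -L -n -v
}

apply_forwarding
```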
 
Mark H

 
      06-16-2005, 02:00 PM
KR,

That was it... you figured it out. I wasn't putting a .2.240 in my SNAT rule... I was putting .1.240. I didn't even understand the rule until you explained it so elegantly here. You just saved me from throwing my Tux penguin out the window. Thanks for your help!!

For all those that don't know, KR is a brilliant genius who can, with a snap of his/her fingers, make the day of a total dumbasses everywhere.

 
 
Mark H

 
      06-16-2005, 02:05 PM
Correction: "make the day of total dumbasses everywhere"

 