unusual iptables port forwarding problem

Hi,

I've been trying to solve this problem for a long time, help would be
much appreciated.

I have three boxes [Box A, B, and C] located on three networks [Network
A, B , and C respectively]. I have administrative control over Network
A and Network B and their clients and gateways.

Box A has ip 10.50.120.125/24 gw 10.50.120.1. Box A is running Windows
XP Pro desktop/client.
Box A is a remote client connected to Box B though a hardware VPN over
DSL. and can see/ping Network B's ip range of 10.30.91.x/20, but cannot
see/ping Box C.

Box B has ip 10.30.91.125/20 gw 10.30.91.51. Box B is a router running
linux v 2.4.30. Box B is not the gateway router for this or any other
network. It's sole purpose is to get traffic originating on Box A to
Box C. The WAN port is not in use.
Network B connects to Box C via frame relay. Traffic gets from Network
B to Box C by a static route on Box B's gateway router [10.30.91.51]
that directs traffic destined to Box C's ip address, to the frame
relay's router at 10.30.91.1.

Box C has ip 10.20.70.76. Box C is a telnet server on remote network
running VMS.

I can telnet to Box C from Box B or from any machine on Box B's network
by typing "telnet 10.20.70.76".

I want to have telnet forwarded/routed to Box C [10.20.70.76:23] when I
sit at Box A cmd.exe and type "telnet 10.30.91.125" [Box B's ip].

Thank you,

Suzanne

(E-Mail Removed) wrote:
> Hi,
>
> I've been trying to solve this problem for a long time, help would be
> much appreciated.
>
> I have three boxes [Box A, B, and C] located on three networks [Network
> A, B , and C respectively]. I have administrative control over Network
> A and Network B and their clients and gateways.
>
> Box A has ip 10.50.120.125/24 gw 10.50.120.1. Box A is running Windows
> XP Pro desktop/client.
> Box A is a remote client connected to Box B though a hardware VPN over
> DSL. and can see/ping Network B's ip range of 10.30.91.x/20, but cannot
> see/ping Box C.
>
> Box B has ip 10.30.91.125/20 gw 10.30.91.51. Box B is a router running
> linux v 2.4.30. Box B is not the gateway router for this or any other
> network. It's sole purpose is to get traffic originating on Box A to
> Box C. The WAN port is not in use.
> Network B connects to Box C via frame relay. Traffic gets from Network
> B to Box C by a static route on Box B's gateway router [10.30.91.51]
> that directs traffic destined to Box C's ip address, to the frame
> relay's router at 10.30.91.1.
>
> Box C has ip 10.20.70.76. Box C is a telnet server on remote network
> running VMS.
>
> I can telnet to Box C from Box B or from any machine on Box B's network
> by typing "telnet 10.20.70.76".
>
> I want to have telnet forwarded/routed to Box C [10.20.70.76:23] when I
> sit at Box A cmd.exe and type "telnet 10.30.91.125" [Box B's ip].
>
> Thank you,
>
> Suzanne


Here are something I've tried variations of:

This successfully forwards print jobs [port 9100]:
iptables -t nat -A PREROUTING -p tcp -d 10.30.91.125 --dport 9100 -j
DNAT --to 10.30.91.201:9100

But this does not forward my telnet sessions:
iptables -A FORWARD -p tcp --dport 23 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 10.30.91.125 --dport 23 -j
DNAT --to 10.20.70.76:23

Neither does this:
iptables -A FORWARD -p tcp --dport 23 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 10.30.91.125 --dport 23 -j
DNAT --to 10.20.70.76:23
iptables -t nat -A POSTROUTING -p tcp -d 10.20.70.76 --dport 23 -j SNAT
--to 10.30.91.125


Suzanne

(E-Mail Removed) wrote:
> (E-Mail Removed) wrote:
> > Hi,
> >
> > I've been trying to solve this problem for a long time, help would be
> > much appreciated.
> >
> > I have three boxes [Box A, B, and C] located on three networks [Network
> > A, B , and C respectively]. I have administrative control over Network
> > A and Network B and their clients and gateways.
> >
> > Box A has ip 10.50.120.125/24 gw 10.50.120.1. Box A is running Windows
> > XP Pro desktop/client.
> > Box A is a remote client connected to Box B though a hardware VPN over
> > DSL. and can see/ping Network B's ip range of 10.30.91.x/20, but cannot
> > see/ping Box C.
> >
> > Box B has ip 10.30.91.125/20 gw 10.30.91.51. Box B is a router running
> > linux v 2.4.30. Box B is not the gateway router for this or any other
> > network. It's sole purpose is to get traffic originating on Box A to
> > Box C. The WAN port is not in use.
> > Network B connects to Box C via frame relay. Traffic gets from Network
> > B to Box C by a static route on Box B's gateway router [10.30.91.51]
> > that directs traffic destined to Box C's ip address, to the frame
> > relay's router at 10.30.91.1.
> >
> > Box C has ip 10.20.70.76. Box C is a telnet server on remote network
> > running VMS.
> >
> > I can telnet to Box C from Box B or from any machine on Box B's network
> > by typing "telnet 10.20.70.76".
> >
> > I want to have telnet forwarded/routed to Box C [10.20.70.76:23] when I
> > sit at Box A cmd.exe and type "telnet 10.30.91.125" [Box B's ip].
> >
> > Thank you,
> >
> > Suzanne
>
>
> Here are something I've tried variations of:
>
> This successfully forwards print jobs [port 9100]:
> iptables -t nat -A PREROUTING -p tcp -d 10.30.91.125 --dport 9100 -j
> DNAT --to 10.30.91.201:9100
>
> But this does not forward my telnet sessions:
> iptables -A FORWARD -p tcp --dport 23 -j ACCEPT
> iptables -t nat -A PREROUTING -p tcp -d 10.30.91.125 --dport 23 -j
> DNAT --to 10.20.70.76:23
>
> Neither does this:
> iptables -A FORWARD -p tcp --dport 23 -j ACCEPT
> iptables -t nat -A PREROUTING -p tcp -d 10.30.91.125 --dport 23 -j
> DNAT --to 10.20.70.76:23
> iptables -t nat -A POSTROUTING -p tcp -d 10.20.70.76 --dport 23 -j SNAT
> --to 10.30.91.125
>
>
> Suzanne

I tried forwarding 9100 through the VPN, and it failed, so I suspect
iptables will not move traffic in this fashion. I will have to
continue using ssh w/ local port forwarding to get this task done.

Suzanne