How do I port forward but maintain the original IP address?

Discussion in 'Linux Networking' started by Alan Williamson, Aug 18, 2006.

  1. I have searched for this up and down Google and maybe I am just not
    using the right keywords, because I am not getting anything back.

    Here is the problem.

    Machine#A Listens on Port80
    Forwards traffic to Machine#B on Port8080

    this works beautifully.

    /sbin/iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT \
        --to $MAL_P:8080
    /sbin/iptables -t nat -A POSTROUTING -j MASQUERADE

    HOWEVER, Machine#B sees all requests coming from Machine#A and not the
    original IP address of the requester, thus all my logs say Machine#A
    and not the originator's IP address.

    Therefore the question is; how does one maintain the IP address of the
    originating request?

    I am quite sure this is a well trodden road and I am being a buffoon
    for missing the obvious.

    Thank you in advance.
     
    Alan Williamson, Aug 18, 2006
    #1

  2. As it is supposed to be; otherwise machine B would try to send the reply
    directly to the originator, ignoring machine A completely, so the
    originator would see packets coming from a machine that he didn't know,
    and quietly discard such packets as rubbish.
    Using a proxy.

    Davide
     
    Davide Bianchi, Aug 18, 2006
    #2

  3. Don't masquerade packets incoming from the WAN, just the ones outgoing
    to the WAN.
     
    Allen Kistler, Aug 18, 2006
    #3
  4. Not quite sure how to do that. I tried putting in "-s LANRANGE"
    but it stopped forwarding packets at that point.

    Can you elaborate a little further? Thanks.
     
    Alan Williamson, Aug 19, 2006
    #4
  5. Probably
    -A POSTROUTING -o <Internet interface> -j MASQUERADE
    instead of what you've got now. Tweak as you need depending on your setup.
     
    Allen Kistler, Aug 19, 2006
    #5
  6. > Probably
    No, that didn't work. The machine at the back is still not seeing the
    originator's IP address.
     
    Alan Williamson, Aug 20, 2006
    #6
  7. Then you've got other rules masquerading for you that take precedence.
    Did you remember to flush your existing rules before loading the new ones?
    Dump your rules with iptables-save (for yourself, not to this group) to
    see what else you've got.
     
    Allen Kistler, Aug 20, 2006
    #7
  8. > Then you've got other rules masquerading for you that take precedence.
    I hate to argue with you, but there are no other rules. It forwards
    correctly, but still I get the wrong IP address, not the one from the
    originator. Here are the rules for this:

    :POSTROUTING ACCEPT [96:5748]
    :PREROUTING ACCEPT [463023:49408272]
    -A POSTROUTING -o eth0 -j MASQUERADE
    -A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination MachineB:2525
    COMMIT

    That's it.
     
    Alan Williamson, Aug 21, 2006
    #8
  9. Okay, an update on the state of play. I can manage to get a connection
    through to MachineB.

    tcp 0 0 192.168.0.101:2525 81.x.y.z:45668 SYN_RECV

    However, it's as if no packets are coming back the way from MACHINEB.

    /sbin/iptables -t nat -A PREROUTING -i $WAN -s ! $MACHINEA -p tcp --dport 25 -j DNAT --to $MACHINEB:2525
    /sbin/iptables -t nat -A POSTROUTING -o $WAN -s $LAN_RANGE -d $MACHINEB -j SNAT --to $MACHINEA
    /sbin/iptables -A FORWARD -s $LAN_RANGE -d $MACHINEB -i $LAN -o $WAN -p tcp --dport 2525 -j ACCEPT

    where MACHINEA is the machine that iptables is running on, and MACHINEB
    sits inside the LAN.

    Does that help any? I've stripped the iptables rules right back.
     
    Alan Williamson, Aug 21, 2006
    #9
  10. 1. I don't understand what your SNAT rule is supposed to be doing.
    If you have a fixed public address and you want to SNAT replies from
    MACHINEB, use "-i $LAN" and get rid of -s and -d (???) options. Make
    sure you use the PUBLIC address for SNAT.
    If you have a dynamic public address, use -j MASQUERADE.

    2. Does MachineB have its default route through MachineA?
    It probably should. It at least needs its route to public addresses to
    be through MachineA.

    3. There are better ways to restrict valid address ranges.
    I suggest you focus just on interfaces for now.

    4. Also include a FORWARD rule for state ESTABLISHED.

    Tighten from there once you get it to work.

    HTH
     
    Allen Kistler, Aug 21, 2006
    #10
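The advice in #3, #5 and #10 boils down to two things: keep the DNAT (it only rewrites the destination, so MachineB still sees the client address), and scope the source NAT to the WAN interface so replies heading back to the LAN-side connection are not rewritten. The script below is an added example, not code posted in this thread; interface names and addresses (eth0, eth1, 192.168.0.0/24, 192.168.0.101) are assumed for illustration. It builds the rule set and, because post #7 suggests dumping the rules with iptables-save to find a stray masquerade, it also includes a small lint that reads such a dump and flags any POSTROUTING MASQUERADE/SNAT rule not restricted to the WAN interface. By default IPT is set to echo, so the rules are printed rather than applied; set IPT=/sbin/iptables to load them.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed names: WAN=eth0, LAN=eth1,
# LAN_RANGE=192.168.0.0/24, MACHINEB=192.168.0.101.
WAN=eth0
LAN=eth1
LAN_RANGE=192.168.0.0/24
MACHINEB=192.168.0.101
IPT=${IPT:-echo}    # default prints the rules; IPT=/sbin/iptables applies them

# Port-forward rule set that preserves the client address.
#  - DNAT changes only the destination, so MachineB logs the real client.
#  - MASQUERADE is limited to "-o $WAN": the catch-all "-A POSTROUTING -j
#    MASQUERADE" from the first post also matches packets leaving toward the
#    LAN and replaces the client address with MachineA's, which is the symptom
#    in the thread.
#  - FORWARD allows the new connection inbound and ESTABLISHED traffic both
#    ways (post #10, item 4).
# MachineB must route replies to public addresses back through MachineA
# (post #10, item 2); otherwise the replies bypass the NAT table entirely.
forward_rules() {
    $IPT -t nat -A PREROUTING -i "$WAN" -p tcp --dport 25 \
        -j DNAT --to-destination "$MACHINEB:2525"
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_RANGE" -j MASQUERADE
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -d "$MACHINEB" -p tcp --dport 2525 \
        -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Lint an iptables-save dump read from stdin. Prints every POSTROUTING source
# NAT rule that is not scoped to the WAN interface and returns 1 if any were
# found, 0 otherwise.
lint_nat_dump() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            "-A POSTROUTING"*"-j MASQUERADE"*|"-A POSTROUTING"*"-j SNAT"*)
                case "$line" in
                    *"-o $WAN "*) ;;                       # scoped to WAN: fine
                    *) echo "unscoped source NAT: $line"; bad=1 ;;
                esac ;;
        esac
    done
    return $bad
}

# Demo: a constructed dump shaped like the thread's first rule set.
printf '%s\n' \
    '-A POSTROUTING -j MASQUERADE' \
    '-A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.0.101:2525' \
    | lint_nat_dump || echo "fix: add -o $WAN to the source NAT rule"

forward_rules
```

Run it as-is to see the corrected rules printed and the lint flag the catch-all masquerade; pipe a real `iptables-save` dump into `lint_nat_dump` to check a live box. The lint only looks at POSTROUTING, because that is where an over-broad MASQUERADE or SNAT rewrites the client address before the packet reaches MachineB.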
  11. Alan Williamson

    Thufir, Aug 24, 2006
    #11