* trying to get DNAT and SNAT working together.
@ 2005-04-15 18:29 Christian Hedegaard
From: Christian Hedegaard @ 2005-04-15 18:29 UTC (permalink / raw)
To: netfilter
Hey everyone. I'm trying to achieve something relatively simple (I think).
I want a machine to sit on a public IP. When a request comes in for that
public IP, it redirects the packets to another machine on some public
IP (iptables DNAT).
When that machine gets the packet, it should think that it came from the
iptables DNAT machine, and send it back there, which is where iptables
SNAT comes in.
However, I can't seem to get the two working together.
In my office I have three machines:
1.87 (running apache)
1.72 (me)
1.85 (iptables)
I have these two rules:
iptables -t nat -A PREROUTING -p tcp -d 1.85 --dport 80 -j DNAT \
--to-destination 1.87
iptables -t nat -A POSTROUTING -p tcp -d 1.87 --dport 80 -j SNAT \
--to-source 1.85
Theoretically, this says that packets destined for 80 coming to the
iptables machine should get forwarded to the apache machine (1.87), and
any packets destined for the apache machine should be SNAT'ed back to
the firewall machine.
Basically, I just want a totally transparent packet forwarder that will
redirect traffic to the proper machine.
However, it's not working. Something in my config is wrong and I can't
figure it out.
--
Christian Hedegaard-Schou
Sr. Systems Administrator
TrustCommerce
2 Park Plaza, Suite 350
Irvine, CA 92614
(949) 387 - 3747
christian.hedegaard@trustcommerce.com
http://www.trustcommerce.com/
* Re: trying to get DNAT and SNAT working together.
From: Bikrant Neupane @ 2005-04-15 18:48 UTC (permalink / raw)
To: Christian Hedegaard, netfilter
Have you turned on IP forwarding? And make sure it is not dropped in the
FORWARD chain, just in case you missed it :D
If it supports it, you can try tcpdump on the destination machine.
regards,
Bikrant
* Re: trying to get DNAT and SNAT working together.
From: Christian Hedegaard @ 2005-04-15 19:22 UTC (permalink / raw)
To: netfilter
Bikrant Neupane wrote:
> Have you turned on ip forwarding ? and make sure it is not dropped in the
> forward chain. just in case if you missed it :D
> If it supports, you can try tcpdump on the destination machine
Oh my god...
I can't believe I overlooked that. Yup, 'echo 1 >
/proc/sys/net/ipv4/ip_forward' fixed the problem :(
I'm going to go sit in a corner for a little while now.
--
Christian Hedegaard-Schou
Sr. Systems Administrator
TrustCommerce
2 Park Plaza, Suite 350
Irvine, CA 92614
(949) 387 - 3747
christian.hedegaard@trustcommerce.com
http://www.trustcommerce.com/
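The whole thread as one script, added here as an example and not code from the original posts: the two nat rules from the first message, plus the two things Bikrant's reply points at, the ip_forward sysctl and an explicit FORWARD-chain accept (needed only if the FORWARD policy is DROP; that policy is an assumption, as is the choice of `-m conntrack`, the current name for what was `-m state` in 2005). The thread abbreviates its addresses to 1.85/1.87; the FW/WEB defaults below are documentation-range placeholders, and the variable and function names are mine.

```shell
#!/bin/sh
# Transparent TCP/80 forwarder: FW accepts the connection and hands it to WEB.
# Added example; addresses are placeholders standing in for the thread's 1.85 / 1.87.
FW=${FW:-192.0.2.85}     # assumed: the iptables box ("1.85" in the thread)
WEB=${WEB:-192.0.2.87}   # assumed: the apache box ("1.87" in the thread)

# Emit the rule set as plain commands so it can be reviewed or diffed before
# it is piped to sh. DNAT rewrites the destination on the way in; SNAT rewrites
# the source on the way out so WEB answers to FW rather than straight to the
# client (which would have sent its SYN to FW and would reject a reply from WEB).
forwarder_rules() {
    fw=$1; web=$2
    cat <<EOF
iptables -t nat -A PREROUTING -p tcp -d $fw --dport 80 -j DNAT --to-destination $web
iptables -t nat -A POSTROUTING -p tcp -d $web --dport 80 -j SNAT --to-source $fw
iptables -A FORWARD -p tcp -d $web --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -s $web --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
EOF
}

# The piece the original poster missed: nat rules do nothing for transit
# traffic unless the kernel routes it. Return 0 when forwarding is on.
# The path is a parameter so a saved copy can be checked; the default is the
# live knob the thread used.
ip_forward_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Number of rules the forwarder installs (sanity check for the generator).
rule_count() {
    forwarder_rules "$1" "$2" | wc -l | tr -d ' '
}

apply_forwarder() {
    if ! ip_forward_enabled; then
        echo "net.ipv4.ip_forward is 0, enabling it" >&2
        sysctl -w net.ipv4.ip_forward=1 >/dev/null
    fi
    forwarder_rules "$FW" "$WEB" | sh -e
}

case "${1:-}" in
    apply) apply_forwarder ;;
    show)  forwarder_rules "$FW" "$WEB" ;;
esac
```

Run `sh forwarder.sh show` to print the rules and `sh forwarder.sh apply` (as root) to enable forwarding and install them. To confirm the DNAT side the way Bikrant suggests, `tcpdump -ni eth0 tcp port 80` on the web box should show SYNs arriving with FW as the source once forwarding is on; if it shows nothing, the packet is still stopping at the firewall, which is exactly the symptom in the thread.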