newbie: forward rule to itself

newbie: forward rule to itself

[Mauricio Tavares]

	Let's say I have server1 with two ports, eth0 and eth0, and server2 
whose eth0 port is connected to server1's eth1. And let's say the subnet 
between them is 192.168.1.0/24 while the one server1's eth0 is connected 
to is 192.168.4.0/24.

I have the following rules to forward port 6969 coming on eth0 on 
server1 to port 6969 on server2's eth0:

iptables -A PREROUTING -t nat -p tcp --dport 6969 -j DNAT --to 
192.168.1.server2:6969
iptables -A INPUT -d 192.168.4.server1 -p tcp -m tcp -m state --state 
NEW --dport 6969 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Any machine in 192.168.4.0/24 seems to be able to get to server2 by 
using 192.168.1.server1:6969. But, if I try to connect to 
192.168.1.server1:6969 on server1 itself, I will not be forwarded to 
server2. What am I missing here?

Re: newbie: forward rule to itself

[Jan Engelhardt]

On Wednesday 2010-10-27 21:02, Mauricio Tavares wrote:

> 	Let's say I have server1 with two ports, eth0 and eth0, and server2
> whose eth0 port is connected to server1's eth1. And let's say the subnet
> between them is 192.168.1.0/24 while the one server1's eth0 is connected to is
> 192.168.4.0/24.
>
> I have the following rules to forward port 6969 coming on eth0 on server1 to
> port 6969 on server2's eth0:
>
> iptables -A PREROUTING -t nat -p tcp --dport 6969 -j DNAT --to
> 192.168.1.server2:6969
> iptables -A INPUT -d 192.168.4.server1 -p tcp -m tcp -m state --state NEW
> --dport 6969 -j ACCEPT
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
> Any machine in 192.168.4.0/24 seems to be able to get to server2 by using
> 192.168.1.server1:6969. But, if I try to connect to 192.168.1.server1:6969 on
> server1 itself, I will not be forwarded to server2. What am I missing here?

That prerouting only applies to packets coming from devices connected to
the machine.

Re: newbie: forward rule to itself

[Mauricio Tavares]

On 10/27/2010 03:17 PM, Jan Engelhardt wrote:
> On Wednesday 2010-10-27 21:02, Mauricio Tavares wrote:
>
>> 	Let's say I have server1 with two ports, eth0 and eth0, and server2
>> whose eth0 port is connected to server1's eth1. And let's say the subnet
>> between them is 192.168.1.0/24 while the one server1's eth0 is connected to is
>> 192.168.4.0/24.
>>
>> I have the following rules to forward port 6969 coming on eth0 on server1 to
>> port 6969 on server2's eth0:
>>
>> iptables -A PREROUTING -t nat -p tcp --dport 6969 -j DNAT --to
>> 192.168.1.server2:6969
>> iptables -A INPUT -d 192.168.4.server1 -p tcp -m tcp -m state --state NEW
>> --dport 6969 -j ACCEPT
>> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>>
>> Any machine in 192.168.4.0/24 seems to be able to get to server2 by using
>> 192.168.1.server1:6969. But, if I try to connect to 192.168.1.server1:6969 on
>> server1 itself, I will not be forwarded to server2. What am I missing here?
>
> That prerouting only applies to packets coming from devices connected to
> the machine.

	How would the prerouting that applies to packets coming from the 
machine itself look like?

Re: newbie: forward rule to itself

[Jan Engelhardt]

On Wednesday 2010-10-27 21:47, Mauricio Tavares wrote:
>>>
>>> I have the following rules to forward port 6969 coming on eth0 on server1 to
>>> port 6969 on server2's eth0:
>>>
>>> iptables -A PREROUTING -t nat -p tcp --dport 6969 -j DNAT --to
>>> 192.168.1.server2:6969
>>> iptables -A INPUT -d 192.168.4.server1 -p tcp -m tcp -m state --state NEW
>>> --dport 6969 -j ACCEPT
>>> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>>
>> That prerouting only applies to packets coming from devices connected to
>> the machine.
>
> 	How would the prerouting that applies to packets coming from the
>machine itself look like?

Mean to say it without "that". The entire PREROUTING chain won't be considered
for nat.
Usually, you just directly connect to the proper address preferably
ith a DNS name if available. Alternate and rather redundant 
communication ways are rinetd.

Re: newbie: forward rule to itself

[Mauricio Tavares]

On 10/27/2010 04:00 PM, Jan Engelhardt wrote:
>
> On Wednesday 2010-10-27 21:47, Mauricio Tavares wrote:
>>>>
>>>> I have the following rules to forward port 6969 coming on eth0 on server1 to
>>>> port 6969 on server2's eth0:
>>>>
>>>> iptables -A PREROUTING -t nat -p tcp --dport 6969 -j DNAT --to
>>>> 192.168.1.server2:6969
>>>> iptables -A INPUT -d 192.168.4.server1 -p tcp -m tcp -m state --state NEW
>>>> --dport 6969 -j ACCEPT
>>>> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>>>
>>> That prerouting only applies to packets coming from devices connected to
>>> the machine.
>>
>> 	How would the prerouting that applies to packets coming from the
>> machine itself look like?
>
> Mean to say it without "that". The entire PREROUTING chain won't be considered
> for nat.
> Usually, you just directly connect to the proper address preferably
> ith a DNS name if available. Alternate and rather redundant
> communication ways are rinetd.
>
	I am rather confused. Do you mean the prerouting chain is not 
considered for nat at all or just not for this specific case I had in mind?

Incidentally, I am not in love with those rules I created at all. All I 
want to do is to have any traffic to 192.168.4.server1:6969 will be sent 
to 192.168.1.server2:6969 no matter where it was originated from (be it 
somewhere in 192.168.1.0, 192.168.4.0, or even from withing server1). So 
far I cannot figure out a good way to accomplish that.

Re: newbie: forward rule to itself

[Pascal Hambourg]

Hello,

Mauricio Tavares a écrit :
> 	Let's say I have server1 with two ports, eth0 and eth0, and server2 

Did you mean "eth0 and eth1" ?

> whose eth0 port is connected to server1's eth1. And let's say the subnet 
> between them is 192.168.1.0/24 while the one server1's eth0 is connected 
> to is 192.168.4.0/24.
> 
> I have the following rules to forward port 6969 coming on eth0 on 
> server1 to port 6969 on server2's eth0:
> 
> iptables -A PREROUTING -t nat -p tcp --dport 6969 -j DNAT --to 
> 192.168.1.server2:6969
> iptables -A INPUT -d 192.168.4.server1 -p tcp -m tcp -m state --state 
> NEW --dport 6969 -j ACCEPT

This rule in INPUT is pointless because
1) packets have already been DNATed by the previous rule in PREROUTING,
2) the new destination is a remote address, so packets go through
FORWARD, not INPUT.

> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> 
> Any machine in 192.168.4.0/24 seems to be able to get to server2 by 
> using 192.168.1.server1:6969. But, if I try to connect to 
> 192.168.1.server1:6969 on server1 itself, I will not be forwarded to 
> server2. What am I missing here?

As Jan explained, the PREROUTING chain of the 'nat' table sees only
incoming packets received from outside. DNAT for locally generated
packets must be done in the OUTPUT chain.

PS : If you want the connection to work from server2 too, you must add a
 specific MASQUERADE/SNAT for it too in POSTROUTING.