Re: PREROUTING to a non local subnet

[Vigneswaran R <vignesh@atc.tcs.com>]

[seems the mailing list IP is missed. adding it]

On 09/16/2013 06:03 PM, Manu wrote:
> For me the traffic is being dropped in the right place as when I do a 
> netstat on the 192.168.2.100 I see that there is an open connection 
> with 180.180.180.180 (<-- my server running iptable).
> But the IP of the computer i'm running my test from is 200.200.200.200
> There is the strange point as when I use the same rules for forwarding 
> a port to a computer on the same subnet than the server i see a 
> connection from 200.200.200.200 and not 180.180.180.180
> It seem that iptables rewrite the from ip adresse when it does port 
> forwarding to a computer which is not on the same subnet.

I think, some SNAT rule is doing that (may be as a side effect of your 
VPN configuration?).

> I hope 'im clear enough. Tell me if it is not the case.

Regards,
Vignesh

> Le 16/09/2013 11:23, Vigneswaran R a écrit :
>> On 09/09/2013 08:04 PM, Manu wrote:
>>> Hello
>>>
>>> I'm running iptable v1.4.7 on a linux with two NIC.
>>> One has adress 192.168.1.31 (the lan)
>>> The other has a public IP. Let's say 180.180.180.180
>>>
>>> On the lan, I have a VPN which join two network : 192.168.1.0 and 
>>> 192.168.2.0
>>>
>>> I'm trying to forward 5900 port (vnc) to a computer which is on the 
>>> second subnet with adress 192.168.2.100
>>> iptables -A PREROUTING -t nat -p tcp  -i eth1 --dport 5900 -j DNAT 
>>> --to-destination 192.168.2.100:5900
>>> iptables -A FORWARD -p tcp -d 192.168.2.100--dport 5900 -j ACCEPT
>>> and it doesn't work
>>
>> Does this machine have route to 192.168.2.0 network? Try to use 
>> tcpdump and see where the traffic is being dropped.
>>
>> Regards,
>> Vignesh
>>
>>>
>>> I've tried the same on the local network with adress 192.168.1.99
>>> iptables -A PREROUTING -t nat -p tcp  -i eth1 --dport 5900 -j DNAT 
>>> --to-destination 192.168.1.99:5900
>>> iptables -A FORWARD -p tcp -d 192.168.1.99--dport 5900 -j ACCEPT
>>> and it's working like a charm
>>>
>>> I've done my test with another computer with public adress 
>>> 200.200.200.200
>>>
>>> I've done a netstat one the two computers
>>> on 192.168.2.100 i've seen he's talking to 180.180.180.180 (<-- my 
>>> server running iptable)
>>> on 192.168.1.99 i've seen he's talking to 200.200.200.200 (<-- the 
>>> computer on internet which i'm running my test from)
>>>
>>> thanks for your attention
>>> -- 
>>> To unsubscribe from this list: send the line "unsubscribe netfilter" in
>>> the body of a message to majordomo@vger.kernel.org
>>> More majordomo info at http://vger.kernel.org/majordomo-info.html
>>>
>>
>> -- 
>> To unsubscribe from this list: send the line "unsubscribe netfilter" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at http://vger.kernel.org/majordomo-info.html
>>
>