From: Pascal Hambourg <pascal@plouf.fr.eu.org>
To: Sven-Haegar Koch <haegar@sdinet.de>
Cc: Alex Barylo <abarylo@gmail.com>, netfilter@vger.kernel.org
Subject: Re: Rewriting target IP and port on Linux with iptables or firewall-cmd
Date: Sun, 06 Mar 2016 21:52:35 +0100
Message-ID: <56DC9893.1000108@plouf.fr.eu.org>
In-Reply-To: <alpine.DEB.2.20.1603050130390.24095@aurora.sdinet.de>

> On Fri, 4 Mar 2016, Alex Barylo wrote:
> 
>> I have a server in a DC1 with a private IP, of say 10.10.10.10. This
>> IP is NAT'd to a public IP, say 216.58.219.10 in this way:
>>
>> 216.58.219.10:8090 -> 10.10.10.10:8089
>>
>> I have a server in DC2 which knows about (and wants to connect to)
>> 10.10.10.10:8089 but doesn't know about 216.58.219.10:8090 (long
>> story).
>>
>> So I want to rewrite dest IP/port from 10.10.10.10:8089 to 216.58.219.10:8090.
>>
>> This is what I tried:
>>
>> # sysctl net.ipv4.ip_forward=1
>> # iptables -t nat -A PREROUTING -p tcp --dest 10.10.10.10 --dport 8089
>> -j DNAT --to 216.58.219.10:8090

And what happened?
On which machine did you run these commands?
If it is on a machine acting as a gateway between the server in DC2 and
the server in DC1, then you are correct. If it is on the server in DC2,
then the sysctl is useless and the iptables rule should be added to the
OUTPUT chain (for locally-generated traffic) instead of PREROUTING (for
incoming traffic).

Sven-Haegar Koch wrote:
> Try adding the same rule also to the nat OUTPUT chain.

Why "also"? Rather "instead". Both rules on the same machine are useless.
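The two placements Pascal describes, as an added example that is not part of the thread and not code from any of its participants: a small POSIX sh script that emits the nat rules for either placement (gateway between DC2 and DC1, or the DC2 server itself) and audits an existing rule set for the mistake under discussion, a DNAT rule in PREROUTING on the host that originates the connection. The addresses and ports are the ones from Alex's message; the function names and the audit logic are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Emits the nat rule set for the rewrite
# Alex asked about, choosing the chain by where the rule will live, as Pascal
# explains: PREROUTING on a gateway forwarding DC2 -> DC1 traffic (only there
# is ip_forward needed), OUTPUT on the DC2 server for its own locally
# generated connections. Addresses are the thread's; function names are ours.

# dnat_rules ROLE ORIG_IP ORIG_PORT NEW_IP NEW_PORT   (ROLE = gateway | local)
dnat_rules() {
    role=$1 oip=$2 oport=$3 nip=$4 nport=$5
    dnat="-p tcp -d $oip --dport $oport -j DNAT --to-destination $nip:$nport"
    case "$role" in
        gateway)
            # Forwarded traffic hits nat PREROUTING, then the FORWARD path,
            # so forwarding has to be enabled on this box.
            echo "sysctl -w net.ipv4.ip_forward=1"
            echo "iptables -t nat -A PREROUTING $dnat"
            ;;
        local)
            # Locally generated packets never traverse PREROUTING. The nat
            # OUTPUT chain sees the first packet of each new connection;
            # conntrack rewrites the rest and un-rewrites the replies.
            echo "iptables -t nat -A OUTPUT $dnat"
            ;;
        *)
            echo "dnat_rules: role must be gateway or local" >&2
            return 1
            ;;
    esac
}

# expected_chain ROLE -> the nat chain a DNAT rule belongs in for that role
expected_chain() {
    case "$1" in
        gateway) echo PREROUTING ;;
        local)   echo OUTPUT ;;
        *)       return 1 ;;
    esac
}

# rule_fits_role RULE ROLE: succeeds only if RULE (an iptables command line or
# a line of "iptables-save -t nat" output) appends to the chain ROLE calls for.
rule_fits_role() {
    want=$(expected_chain "$2") || return 1
    chain=$(printf '%s\n' "$1" | sed -n 's/.*-A  *\([A-Za-z_]*\).*/\1/p')
    [ "$chain" = "$want" ]
}

# audit_dnat_rules ROLE: reads a rule set on stdin (e.g. iptables-save -t nat),
# prints every DNAT rule that sits in the wrong chain for ROLE, returns 1 if
# any was found. Catches a PREROUTING rule on the connecting host.
audit_dnat_rules() {
    role=$1 bad=0
    while IFS= read -r line; do
        case "$line" in
            *-j\ DNAT*)
                rule_fits_role "$line" "$role" ||
                    { echo "wrong chain for role '$role': $line"; bad=1; }
                ;;
        esac
    done
    return $bad
}
```

To apply on the DC2 server: `dnat_rules local 10.10.10.10 8089 216.58.219.10 8090 | sudo sh`; to review what is already loaded: `sudo iptables-save -t nat | audit_dnat_rules local`. One caveat for the gateway placement: conntrack can only undo the DNAT on replies it sees, so if 216.58.219.10 answers by a path that bypasses the gateway, add an SNAT or MASQUERADE rule in nat POSTROUTING for that traffic so the replies are forced back through it.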

Thread overview: 5+ messages
2016-03-04 19:45 Rewriting target IP and port on Linux with iptables or firewall-cmd Alex Barylo
2016-03-04 23:06 ` Harout Hedeshian
2016-03-05  0:32 ` Sven-Haegar Koch
2016-03-06 20:52   ` Pascal Hambourg [this message]
2016-03-08  0:25   ` Alex Barylo
