* routing to forward a service request to another machine with iptables.
From: Patrik Hasibuan @ 2008-12-09 0:44 UTC (permalink / raw)
To: netfilter
My dear friends,
I use openSuSE11 and iptables. I am confused about iptables.
We use Inbit for our internal company communication among the employees. The Inbit server is located in our internal LAN (without a public IP). The Inbit server has the IP 192.168.1.1.
Some of the users, those who are mobile, need Inbit too.
The mobile users log in to the Inbit server through our internet gateway, which has a public IP; the IP is 219.83.114.179. The Inbit service port number is 10883.
These are the interfaces that 219.83.114.179 has:
======
mysussy:~ # ifconfig
eth0 Link encap:Ethernet HWaddr 00:19:D1:3C:A0:30
inet addr:219.83.114.179 Bcast:219.83.114.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1350614 errors:0 dropped:0 overruns:0 frame:0
TX packets:897580 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:1783763044 (1701.1 Mb) TX bytes:114925562 (109.6 Mb)
Memory:30400000-30420000
eth1 Link encap:Ethernet HWaddr 00:50:DA:C4:C7:95
inet addr:192.168.1.9 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:975909 errors:0 dropped:0 overruns:1 frame:0
TX packets:1348521 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:124074825 (118.3 Mb) TX bytes:1783488699 (1700.8 Mb)
Interrupt:21 Base address:0x800
eth2 Link encap:Ethernet HWaddr 00:0C:42:07:1C:74
inet addr:192.168.1.234 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:22 Base address:0x6300
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:6 errors:0 dropped:0 overruns:0 frame:0
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:580 (580.0 b) TX bytes:580 (580.0 b)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:192.168.23.1 P-t-P:192.168.23.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
======
I want incoming packets to 219.83.114.179:10883 to be forwarded to 192.168.1.1:10883.
But I don't know how to forward with PREROUTING / SNAT.
This is what I've done:
======
mysussy:~ # iptables -I FORWARD 1 -i eth0 -o eth1 -p tcp -s 0/0 -d 219.83.114.179 --dport 10883 -j ACCEPT
mysussy:~ # iptables -D FORWARD 1
mysussy:~ # iptables -D INPUT 1
mysussy:~ # iptables -I INPUT 1 -p tcp -s 0/0 -d 219.83.114.179 -i eth0 --dport 10883 -j ACCEPT
mysussy:~ # iptables -I FORWARD 1 -i eth0 -o eth1 -p tcp -s 0/0 -d 219.83.114.179 --dport 10883 -j ACCEPT
mysussy:~ # iptables -t nat -I PREROUTING 1 -i eth0 -o eth1 --dport 10883 -J SNAT --to-destination 192.168.1.1
iptables v1.4.0: Unknown arg `--dport'
Try `iptables -h' or 'iptables --help' for more information.
======
Please tell me where my mistakes are.
Thank you very much in advance.
* RE: routing to forward a service request to another machine with iptables.
From: Rob Sterenborg @ 2008-12-09 4:55 UTC (permalink / raw)
To: netfilter
> We use Inbit for our internal company communication among the
> employees. The Inbit server is located in our internal LAN (without
> a public IP). The Inbit server has the IP 192.168.1.1.
>
> Some of the users, those who are mobile, need Inbit too.
>
> The mobile users log in to the Inbit server through our internet
> gateway, which has a public IP; the IP is 219.83.114.179. The Inbit
> service port number is 10883.
[...]
> ======
>
> I want incoming packets to 219.83.114.179:10883 to be
> forwarded to 192.168.1.1:10883.
>
> But I don't know how to forward with PREROUTING / SNAT.
>
> This is what I've done:
> ======
> mysussy:~ # iptables -I FORWARD 1 -i eth0 -o eth1 -p tcp -s 0/0 -d
> 219.83.114.179 --dport 10883 -j ACCEPT
> mysussy:~ # iptables -D FORWARD 1
> mysussy:~ # iptables -D INPUT 1
> mysussy:~ # iptables -I INPUT 1 -p tcp -s 0/0 -d 219.83.114.179 -i
> eth0 --dport 10883 -j ACCEPT
> mysussy:~ # iptables -I FORWARD 1 -i eth0 -o eth1 -p tcp -s 0/0 -d
> 219.83.114.179 --dport 10883 -j ACCEPT
- If you want to forward packets, in the filter table you only use the FORWARD chain, not the INPUT or OUTPUT chain, so this won't work.
- If I'm not mistaken, you can't specify "-o eth1" in the PREROUTING chain.
- Finally, if you want to specify "any" IP, you don't need to specify "0/0". You can just omit it, which makes the rule more readable.
> mysussy:~ # iptables -t nat -I PREROUTING 1 -i eth0 -o eth1 --dport
> 10883 -J SNAT --to-destination 192.168.1.1
> iptables v1.4.0: Unknown arg `--dport'
> Try `iptables -h' or 'iptables --help' for more information.
> ======
The error means that iptables doesn't know what protocol you want to match, but you did specify the port. You need to specify "-p tcp" or "-p udp" here.
Try this (assuming your routing table is correct):
$ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$ipt -A FORWARD -m state --state NEW -i eth0 -o eth1 \
-d 192.168.1.1 -p tcp --dport 10883 -j ACCEPT
$ipt -t nat -A PREROUTING -i eth0 -d 219.83.114.179 -p tcp \
--dport 10883 -j DNAT --to 192.168.1.1
- The first rule will accept all packets in a connection once it has been set up.
- The second rule will (only) match the first packet in the connection specified by this rule and accept it. Remember you want to forward packets to 192.168.1.1, so for the FORWARD chain, that's the destination IP.
- The third rule specifies how to NAT the packet. Here the destination IP is your public IP, and you DNAT only packets to 10883/tcp to 192.168.1.1.
Grts,
Rob
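The following script is an added example and is not part of the thread or of the iptables project. It turns the points made in Rob's reply into two helpers: gen_forward_rules emits the three rules he describes for a given WAN/LAN interface pair, public IP, internal IP and TCP port (the addresses and interface names below are the ones from the question), and check_rule lints a single iptables command line for the mistakes the thread points out (a port match without -p, -o in PREROUTING, -J instead of -j, SNAT where DNAT is meant, INPUT for forwarded traffic, a redundant -s 0/0, and the public IP as destination in FORWARD). The function names and finding labels are this example's own; it only recognises the short -p form and it never calls iptables, so it can be run without root.

```shell
#!/bin/sh
# Added example, not from the thread. Emits the DNAT port-forward rules described
# above and lints rule lines for the mistakes discussed. Function names and the
# finding labels are ours; addresses/interfaces are the ones from the question.

# Usage: gen_forward_rules <wan_if> <lan_if> <public_ip> <internal_ip> <tcp_port>
gen_forward_rules() {
    wan=$1; lan=$2; pub=$3; int=$4; port=$5
    # 1. Accept every packet of a connection that has already been set up.
    printf 'iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT\n'
    # 2. Accept the first packet of a new connection. FORWARD is traversed after
    #    nat/PREROUTING, so the destination is already the internal host.
    printf 'iptables -A FORWARD -m state --state NEW -i %s -o %s -d %s -p tcp --dport %s -j ACCEPT\n' \
        "$wan" "$lan" "$int" "$port"
    # 3. Rewrite the destination of packets for the public IP to the internal host.
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -p tcp --dport %s -j DNAT --to-destination %s\n' \
        "$wan" "$pub" "$port" "$int"
}

# Usage: check_rule "<iptables command line>" [public_ip]
# Prints one finding per line; prints nothing when none of the known mistakes is present.
check_rule() {
    r=" $1 "            # pad so every token can be matched as " token "
    pub=${2:-}
    # --dport/--sport belong to the protocol match, so they need -p tcp/udp/...
    case $r in
        *" --dport "*|*" --sport "*)
            case $r in
                *" -p tcp "*|*" -p udp "*|*" -p udplite "*|*" -p sctp "*|*" -p dccp "*) ;;
                *) echo port-match-without-protocol ;;
            esac ;;
    esac
    # The output interface is not yet known in PREROUTING, so -o is not accepted there.
    case $r in *" PREROUTING "*" -o "*|*" -o "*" PREROUTING "*) echo out-iface-in-prerouting ;; esac
    # The jump target is given with lowercase -j; -J is not an option.
    case $r in *" -J "*) echo uppercase-J ;; esac
    # Forwarding inbound traffic to an internal host is DNAT, not SNAT.
    case $r in *" SNAT "*" --to-destination "*|*" PREROUTING "*" SNAT "*) echo snat-instead-of-dnat ;; esac
    # Forwarded packets never traverse INPUT; only FORWARD applies to them.
    case $r in *" INPUT "*) echo input-chain-for-forwarded-traffic ;; esac
    # "-s 0/0" matches any source; leaving it out yields the same rule.
    case $r in *" -s 0/0 "*|*" -s 0.0.0.0/0 "*) echo redundant-any-source ;; esac
    # In FORWARD the destination is the internal host, not the public IP.
    if [ -n "$pub" ]; then
        case $r in *" FORWARD "*" -d $pub "*) echo forward-dest-is-public-ip ;; esac
    fi
}

# Number of findings for one rule (always exits 0, also for zero findings).
finding_count() {
    check_rule "$1" "${2:-}" | awk 'END { print NR }'
}

# Demo: lint the commands from the question, then the generated replacement set.
if [ "${1:-}" = "demo" ]; then
    for rule in \
        'iptables -I FORWARD 1 -i eth0 -o eth1 -p tcp -s 0/0 -d 219.83.114.179 --dport 10883 -j ACCEPT' \
        'iptables -I INPUT 1 -p tcp -s 0/0 -d 219.83.114.179 -i eth0 --dport 10883 -j ACCEPT' \
        'iptables -t nat -I PREROUTING 1 -i eth0 -o eth1 --dport 10883 -J SNAT --to-destination 192.168.1.1'
    do
        echo "== $rule"
        check_rule "$rule" 219.83.114.179 | sed 's/^/   /'
    done
    echo "== replacement rules:"
    gen_forward_rules eth0 eth1 219.83.114.179 192.168.1.1 10883
fi
```

Run it with `sh forward-check.sh demo` (the file name is just a suggestion) to see each posted command followed by its findings; the three generated rules produce no findings, which is a quick regression check for anyone turning Rob's rules into a firewall script.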