* trying to get DNAT and SNAT working together.
@ 2005-04-15 18:29 Christian Hedegaard
2005-04-15 18:48 ` Bikrant Neupane
0 siblings, 1 reply; 3+ messages in thread
From: Christian Hedegaard @ 2005-04-15 18:29 UTC (permalink / raw)
To: netfilter
Hey everyone. I'm trying to achieve something relatively simple (I think).
I want a machine to sit on a public IP. when a request comes in for that
public IP, it redirects the packets to another machine on some public
IP. (iptables DNAT)
when that machine gets the packet, it should think that it came from the
iptables DNAT machine, and send it back there. which is where iptables
SNAT comes in.
however. I can't seem to get the two working together.
in my office I have three machines.
1.87 (running apache)
1.72 (me)
1.85 (iptables)
I have these two rules:
iptables -t nat -A PREROUTING -p tcp -d 1.85 --dport 80 -j DNAT \
--to-destination 1.87
iptables -t nat -A POSTROUTING -p tcp -d 1.87 --dport 80 -j SNAT \
--to-source 1.85
theoretically, this says that packets destined for 80 coming to the
iptables machine should get forwarded to the apache machine (1.87), and
any packets destined for the apache machine should be SNAT'ed back to
the firewall machine.
basically, I just want a totally transparent packet forwarder that will
redirect traffic to the proper machine.
however, it's not working. something in my config is wrong and I can't
figure it out.
--
Christian Hedegaard-Schou
Sr. Systems Administrator
TrustCommerce
2 Park Plaza, Suite 350
Irvine, CA 92614
(949) 387 - 3747
christian.hedegaard@trustcommerce.com
http://www.trustcommerce.com/
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: trying to get DNAT and SNAT working together.
2005-04-15 18:29 trying to get DNAT and SNAT working together Christian Hedegaard
@ 2005-04-15 18:48 ` Bikrant Neupane
2005-04-15 19:22 ` Christian Hedegaard
0 siblings, 1 reply; 3+ messages in thread
From: Bikrant Neupane @ 2005-04-15 18:48 UTC (permalink / raw)
To: Christian Hedegaard, netfilter
Have you turned on ip forwarding ? and make sure it is not dropped in the
forward chain. just in case if you missed it :D
If it supports, you can try tcpdump on the destination machine
regards,
Bikrant
----- Original Message -----
From: "Christian Hedegaard" <christian.hedegaard@trustcommerce.com>
To: <netfilter@lists.netfilter.org>
Sent: Saturday, April 16, 2005 12:14 AM
Subject: trying to get DNAT and SNAT working together.
>
> Hey everyone. I'm trying to achieve something relatively simple (I think).
>
> I want a machine to sit on a public IP. when a request comes in for that
> public IP, it redirects the packets to another machine on some public
> IP. (iptables DNAT)
>
> when that machine gets the packet, it should think that it came from the
> iptables DNAT machine, and send it back there. which is where iptables
> SNAT comes in.
>
> however. I can't seem to get the two working together.
>
> in my office I have three machines.
>
> 1.87 (running apache)
> 1.72 (me)
> 1.85 (iptables)
>
> I have these two rules:
> iptables -t nat -A PREROUTING -p tcp -d 1.85 --dport 80 -j DNAT \
> --to-destination 1.87
>
> iptables -t nat -A POSTROUTING -p tcp -d 1.87 --dport 80 -j SNAT \
> --to-source 1.85
>
> theoretically, this says that packets destined for 80 coming to the
> iptables machine should get forwarded to the apache machine (1.87), and
> any packets destined for the apache machine should be SNAT'ed back to
> the firewall machine.
>
> basically, I just want a totally transparent packet forwarder that will
> redirect traffic to the proper machine.
>
> however, it's not working. something in my config is wrong and I can't
> figure it out.
>
>
> --
> Christian Hedegaard-Schou
> Sr. Systems Administrator
> TrustCommerce
> 2 Park Plaza, Suite 350
> Irvine, CA 92614
> (949) 387 - 3747
> christian.hedegaard@trustcommerce.com
> http://www.trustcommerce.com/
>
>
>
>
> --
> No virus found in this incoming message.
> Checked by AVG Anti-Virus.
> Version: 7.0.308 / Virus Database: 266.9.11 - Release Date: 4/14/2005
>
>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: trying to get DNAT and SNAT working together.
2005-04-15 18:48 ` Bikrant Neupane
@ 2005-04-15 19:22 ` Christian Hedegaard
0 siblings, 0 replies; 3+ messages in thread
From: Christian Hedegaard @ 2005-04-15 19:22 UTC (permalink / raw)
To: netfilter
Bikrant Neupane wrote:
> Have you turned on ip forwarding ? and make sure it is not dropped in the
> forward chain. just in case if you missed it :D
> If it supports, you can try tcpdump on the destination machine
oh my god...
I can't believe I overlooked that. yup, 'echo 1 >
/proc/sys/net/ipv4/ip_forward' fixed the problem :(
I'm going to go sit in a corner for a little while now.
--
Christian Hedegaard-Schou
Sr. Systems Administrator
TrustCommerce
2 Park Plaza, Suite 350
Irvine, CA 92614
(949) 387 - 3747
christian.hedegaard@trustcommerce.com
http://www.trustcommerce.com/
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2005-04-15 19:22 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2005-04-15 18:29 trying to get DNAT and SNAT working together Christian Hedegaard
2005-04-15 18:48 ` Bikrant Neupane
2005-04-15 19:22 ` Christian Hedegaard
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox