Linux Netfilter discussions
From: "Jörg Harmuth" <harmuth@mnemon.de>
To: netfilter@lists.netfilter.org
Subject: Re: Help on port forwarding + Origin and Destination IP rewriting...
Date: Thu, 10 Nov 2005 15:51:24 +0100
Message-ID: <43735E6C.90803@mnemon.de>
In-Reply-To: <20051110141458.87269.qmail@web60024.mail.yahoo.com>

luisccmail-netfilter@yahoo.com.br wrote:
>   Dear Netfilter list people
> 
>   I'm trying to build some netfilter rules so my linux box can forward a telnet connection made on
> a machine on my network (let's say "Box-A") to another machine in my network (let's say "Box-B").
> 
>   Box-A is just another server in the network, but Box-B is special: it's a firewalled access
> gateway to a client's network, and it is set up in a way that only telnet connections from
> Box-A are accepted (that's my client's security policy, and I don't have any chance to change
> this).
> 
>   On the other hand, many folks from my company need access to that client network, and I don't
> want everybody needing access to Box-B to connect on Box-A (that's local security policy).
>  
>  So I tried to use two simple rules that could allow me to forward the connections:
> 
>   ###################################
>   # /etc/hosts file
>   # These aliases are in /etc/hosts format, for easy comprehension
>   box-a.local 192.168.0.6
>   box-b.local 192.168.0.34
>   # EOF #############################
> 
>   ###################################
>   # Redirection script file
>   # This should re-write incoming connections before routing;
>   # after routing process, they should go to the right host.
>   iptables -t nat -A PREROUTING -p tcp \
>            -d box-a.local --destination-port 2200 \
>            --jump DNAT --to-destination box-b.local:2222
> 
>   # This should re-write outgoing connections after routing,
>   # so they appear to originate from the Box-A host.
>   iptables -t nat -A POSTROUTING -p tcp \
>            -d box-b.local --destination-port 2222 \
>            --jump SNAT --to-source box-a.local
>   # EOF #############################
> 
>   Oh, well, now begins my problem: this doesn't work, and I don't have any idea how to correct the
> problem.

The information you provide is not sufficient to troubleshoot your
problem. If you could provide the output of iptables-save and some other
information that may help...

Your two rules seem to be OK. Some things you may check:

is /proc/sys/net/ipv4/ip_forward set to 1?
is routing set up correctly?
is the FORWARD policy DROP? And if so, is there a rule that permits
   -d box-b.local --dport 2222 ?
are there any other rules in any table / chain that may cause the
    problem?
what does tcpdump tell you about a connection attempt?

That should give some hints.

HTH,

Joerg
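As an added example that is not part of the thread: a small POSIX sh script that walks the checklist from the reply above against an iptables-save dump and the ip_forward sysctl file, instead of against the live box, so it can be run on a saved dump from anywhere. The sample dump is constructed (the OP's two NAT rules as iptables-save would print them, on a box whose FORWARD policy is DROP and which has nothing permitting the forwarded traffic); the function names and the FIXED_DUMP ruleset are my own, not anything posted on the list. It assumes the box running the rules is the host users connect to on port 2200. Two points it encodes that are easy to miss: FORWARD evaluates the packet after PREROUTING's DNAT, so the permit rule must match the rewritten destination (box-b.local:2222, exactly what the reply suggests), and with a DROP policy the reply packets coming back from Box-B also need a RELATED,ESTABLISHED rule. The routing and tcpdump checks cannot be done offline, so the script only prints the commands for them.

```shell
#!/bin/sh
# Added example, not from the thread: runs the checklist from the reply
# above against an iptables-save dump and the ip_forward sysctl file.
# Function names, FIXED_DUMP and the sample dump are assumptions /
# constructed; only the two NAT rules inside SAMPLE_DUMP are the OP's
# (in the form iptables-save prints them).

BOX_A=192.168.0.6     # box-a.local, the NAT box users connect to
BOX_B=192.168.0.34    # box-b.local, the client's gateway
FWD_PORT=2200         # port users connect to on Box-A
DST_PORT=2222         # port the connection is DNATed to on Box-B

# Constructed dump: the two posted NAT rules on a box whose FORWARD
# policy is DROP and that has nothing letting the forwarded traffic
# (or its replies) through.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 192.168.0.6/32 -p tcp -m tcp --dport 2200 -j DNAT --to-destination 192.168.0.34:2222
-A POSTROUTING -d 192.168.0.34/32 -p tcp -m tcp --dport 2222 -j SNAT --to-source 192.168.0.6
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Same dump with the two FORWARD rules a DROP policy needs.  FORWARD sees
# the packet after PREROUTING's DNAT, so the permit matches Box-B:2222,
# not Box-A:2200; replies from Box-B need the RELATED,ESTABLISHED rule.
FIXED_DUMP="$(printf '%s\n' "$SAMPLE_DUMP" | sed '$d')
-A FORWARD -d $BOX_B/32 -p tcp -m tcp --dport $DST_PORT -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT"

# Is ip_forward set to 1?  Takes the file path so tests can substitute one.
ip_forward_enabled() {
    [ "$(cat "$1" 2>/dev/null)" = 1 ]
}

# Policy of chain $2 in dump $1, read from its ":CHAIN POLICY [n:n]" line.
chain_policy() {
    printf '%s\n' "$1" | sed -n "s/^:$2 \([A-Z]*\) .*/\1/p"
}

# True if some rule line in dump $1 matches extended regex $2.
has_rule() {
    printf '%s\n' "$1" | grep -Eq -- "$2"
}

# Escape a dotted quad for use in a regex.
ip_re() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# Would FORWARD let a new connection to $2:$3 through?
forward_allows_new() {
    [ "$(chain_policy "$1" FORWARD)" = ACCEPT ] && return 0
    has_rule "$1" "^-A FORWARD .*-d $(ip_re "$2")(/32)? .*--dport $3 .*-j ACCEPT"
}

# Would FORWARD let the reply half of the connection back through?
forward_allows_replies() {
    [ "$(chain_policy "$1" FORWARD)" = ACCEPT ] && return 0
    has_rule "$1" "^-A FORWARD .*--state [A-Z,]*ESTABLISHED.* -j ACCEPT"
}

# check LABEL CMD ARGS...: print ok/FAIL and count failures in $fails.
check() {
    label=$1; shift
    if "$@"; then echo "ok   $label"; else echo "FAIL $label"; fails=$((fails + 1)); fi
}

# run_checklist DUMP IP_FORWARD_FILE: returns the number of failed checks.
run_checklist() {
    dump=$1; fails=0
    check "ip_forward is 1"              ip_forward_enabled "$2"
    check "DNAT rule present"            has_rule "$dump" "^-A PREROUTING .*--dport $FWD_PORT .*-j DNAT --to-destination $(ip_re "$BOX_B"):$DST_PORT"
    check "SNAT rule present"            has_rule "$dump" "^-A POSTROUTING .*-d $(ip_re "$BOX_B")(/32)? .*-j SNAT --to-source $(ip_re "$BOX_A")\$"
    check "FORWARD accepts new to Box-B" forward_allows_new "$dump" "$BOX_B" "$DST_PORT"
    check "FORWARD accepts replies"      forward_allows_replies "$dump"
    echo "check by hand: ip route get $BOX_B ; tcpdump -ni any host $BOX_B and tcp port $DST_PORT"
    return "$fails"
}

# Demo on the constructed dumps.  On the real box:
#   run_checklist "$(iptables-save)" /proc/sys/net/ipv4/ip_forward
echo "== SAMPLE_DUMP"; run_checklist "$SAMPLE_DUMP" /proc/sys/net/ipv4/ip_forward || echo "-> $? check(s) failed"
echo "== FIXED_DUMP";  run_checklist "$FIXED_DUMP"  /proc/sys/net/ipv4/ip_forward || echo "-> $? check(s) failed"
```

On the real box, feed it the live ruleset with `run_checklist "$(iptables-save)" /proc/sys/net/ipv4/ip_forward`; the DNAT/SNAT patterns are deliberately loose about the match options iptables-save adds, but they do insist on the exact `--to-destination` and `--to-source` addresses, which is where a typo usually hides. The `ip route get` and `tcpdump` lines are the two checks that still have to be done by hand.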


Thread overview (3+ messages):
2005-11-10 14:14 Help on port forwarding + Origin and Destination IP rewriting  luisccmail-netfilter
2005-11-10 14:45 ` /dev/rob0
2005-11-10 14:51 ` Jörg Harmuth [this message]
