I am trying to understand iptables and want to make a simple test in my home network. I want to access some website running on an RPI, while accessing it through my ubuntu desktop.
NOTE: I am allowing EVERYTHING on my FORWARD rules on the ubuntu desktop PC (just for this test). I know that's horrible for security, but for now I don't care, I just need to understand what I need to do at a bare minimum to get packets through the ubuntu PC as middle man.
I tried to depict the routing in the next picture (at least, how I think it will/should work)
As stated, I ignored the FORWARD chain completely for now by ACCEPTing everything. The only thing I need to take care of then, is DNAT and SNAT.
So in text:
This is achieved with two simple iptables commands
# DNAT destination 192.168.1.10:8080
sudo iptables -t nat -I PREROUTING 1 -p tcp -d 192.168.1.112 --dport 1234 -j DNAT --to 192.168.1.10:8080
# SNAT source to 192.168.1.112
sudo iptables -t nat -I POSTROUTING 1 -p tcp -d 192.168.1.123 -j SNAT --to 192.168.1.112
Question 1: can somebody confirm that above is correct? If not, please explain what I am doing wrong.
Question 2: am I correct that I do not need to add FORWARD rules (because I accept all by default already)?
The next part is even less clear to me. Now the server on [email protected] will reply. Since I SNAT-ed the packet, the reply will be sent to 192.168.1.112. I THINK also on port 8080, since that's the port where we sent data to.
If that's correct, and the reply is indeed received on [email protected]:8080, I have no idea how the kernel (on [email protected]) will then magically figure out that this reply is not for it, but in fact should be transferred to the original requesting client: [email protected].
Question 3: Do I need to add rules to make the "reply" path come through? Or is this indeed magically done by the kernel?
The end result, anyway, is a connection timeout.
I would really appreciate some guidance here, and a more elaborate explanation so that I can hopefully really understand how this works in the end.
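As an added illustration, not part of the original post: a toy Python model of netfilter connection tracking, which is the mechanism that undoes both translations on the reply path without any extra rules. It assumes the client is 192.168.1.50 (a placeholder, the real client address is not shown above) and that the SNAT rule matches the post-DNAT destination 192.168.1.10.

```python
# Added example (not from the original post): a toy model of how netfilter
# connection tracking reverses DNAT/SNAT for replies. Assumed addresses:
# client 192.168.1.50 (placeholder, not given on the page), middle box
# 192.168.1.112 exposing port 1234, RPi web server 192.168.1.10:8080.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

MIDDLE = "192.168.1.112"
SERVER = "192.168.1.10"

# conntrack table: key = the reply-direction 4-tuple as it will arrive at
# the middle box, value = the original pre-NAT tuple the client sent
conntrack: dict[Packet, Packet] = {}

def forward_path(pkt: Packet) -> Packet:
    """Client -> server packet traversing the middle box: PREROUTING DNAT,
    routing/FORWARD, then POSTROUTING SNAT. Records the conntrack mapping."""
    original = pkt
    # PREROUTING: -d 192.168.1.112 --dport 1234 -j DNAT --to 192.168.1.10:8080
    if pkt.dst == MIDDLE and pkt.dport == 1234:
        pkt = replace(pkt, dst=SERVER, dport=8080)
    # POSTROUTING: -d 192.168.1.10 -j SNAT --to 192.168.1.112
    # (assumption: the SNAT rule matches the post-DNAT destination; the
    # client's source port is kept, as the kernel does unless it collides)
    if pkt.dst == SERVER:
        pkt = replace(pkt, src=MIDDLE)
    # The expected reply is the translated packet with src/dst swapped
    reply_key = Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)
    conntrack[reply_key] = original
    return pkt

def reply_path(pkt: Packet) -> Packet:
    """Server -> client reply. Conntrack matches the reply tuple and undoes
    both translations; the reply never consults the nat table rules."""
    original = conntrack.get(pkt)
    if original is None:
        raise LookupError("no conntrack entry: reply is for the middle box itself")
    # un-DNAT: source becomes 192.168.1.112:1234 (what the client talked to)
    # un-SNAT: destination becomes the real client address and port
    return Packet(original.dst, original.dport, original.src, original.sport)
```

Note that the server's reply is addressed to the client's (preserved) source port, not to 8080; 8080 is the reply's source port, and it is the conntrack entry, not the port number, that tells the kernel the packet is not for the middle box itself.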