Join Log in
Score:0
avatar Server

iptables, which rules do I need for a full round trip of DNATed request + reply

ru flag
bas

I am trying to understand iptables and want to make a simple test in my home network. I want to access some website running on an RPI, while accessing it through my ubuntu desktop.

NOTE: I am allowing EVERYTHING on my FORWARD rules on the ubuntu desktop PC (just for this test). I know that's horrible for security, but for now I don't care, I just need to understand what I need to do at a bare minimum to get packets through the ubuntu PC as middle man.

I tried to depict the routing in the next picture (at least, how I think it will/should work)

enter image description here

As stated, I ignored the FORWARD chain completely for now by ACCEPTing everything. The only thing I need to take care of then, is DNAT and SNAT.

So in text:

  • PC@192.168.1.123 I open a browser and type in http://192.168.1.112:1234
  • Ubuntu@192.168.1.112 uses PREROUTING table to DNAT to correct IP + port
  • Ubuntu@192.168.1.112 uses POSTROUTING table to SNAT correct source IP (192.168.1.112)
  • RPI@192.168.1.10 will receive connection request on 192.168.1.12:8080

This is achieved with two simple iptables commands

# DNAT destination 192.168.1.10:8080
sudo iptables -t nat -I PREROUTING 1 -p tcp -d 192.168.1.112 --dport 1234 -j DNAT --to 192.168.1.10:8080
# SNAT source to 192.168.1.112
sudo iptables -t nat -I POSTROUTING 1 -p tcp -d 192.168.1.123 -j SNAT --to 192.168.1.112

Question 1: can somebody confirm that above is correct? If not, please explain what I am doing wrong.

Question 2: am I correct that I do no need to add FORWARD rules (Because I accept all by default already)?

The next part is even less clear to me. Now the server on RPI@192.168.1.10 will reply. Since I SNAT-ed the packet, the reply will be send to 192.168.1.112. I THINK also on port 8080, since that's the port where we sent data to.

If that's correct, and the reply is indeed received on ubuntu@192.168.1.112:8080, I have no idea how the kernel (on ubuntu@192.168.1.112) then will magically figure out that this reply is not for him, but in fact should be transferred to the original requesting client: PC@192.168.1.123.

Question 3: Do I need to add rules to make the "reply" path come through? Or is this indeed magically done by kernel ?

The end result, anyway, is a connection timeout.

I would really appreciate some guidance here. Some more elaborate explanaition and hopefully really understand how this works in the end..

10
0 + 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.