Packets go out one LAN machine but do not reach another one

dm

I have a pretty simple topology.
Machine 1:

ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:15:5d:0d:2c:a2 brd ff:ff:ff:ff:ff:ff
    inet 193.124.117.195/24 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::215:5dff:fe0d:2ca2/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:15:5d:0d:2c:a5 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.2/24 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::215:5dff:fe0d:2ca5/64 scope link 
       valid_lft forever preferred_lft forever
ip r
default via 193.124.117.1 dev eth0 
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.2 
193.124.117.0/24 dev eth0 proto kernel scope link src 193.124.117.195 

Machine 2:

ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:15:5d:0d:2c:a3 brd ff:ff:ff:ff:ff:ff
    inet 176.113.82.77/24 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::215:5dff:fe0d:2ca3/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:15:5d:0d:2c:a4 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.3/24 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::215:5dff:fe0d:2ca4/64 scope link 
       valid_lft forever preferred_lft forever
ip r
default via 176.113.82.1 dev eth0 
176.113.82.0/24 dev eth0 proto kernel scope link src 176.113.82.77 
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.3 

Ping 192.168.0.3 -> 192.168.0.2:

ping -c 1 192.168.0.2
PING 192.168.0.2 (192.168.0.2) 56(84) bytes of data.
64 bytes from 192.168.0.2: icmp_seq=1 ttl=64 time=1.63 ms

--- 192.168.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.629/1.629/1.629/0.000 ms

Ping 192.168.0.2 -> 192.168.0.3:

ping -c 1 192.168.0.3
PING 192.168.0.3 (192.168.0.3) 56(84) bytes of data.
64 bytes from 192.168.0.3: icmp_seq=1 ttl=64 time=2.70 ms

--- 192.168.0.3 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.702/2.702/2.702/0.000 ms

Next. I have Nginx on the 192.168.0.3 machine, but it does not really matter. I want to implement port forwarding from 192.168.0.2:8888 to 192.168.0.3:80. I check the connection:

wget 192.168.0.3:80
--2023-06-14 19:02:52--  http://192.168.0.3/
Connecting to 192.168.0.3:80... connected.
HTTP request sent, awaiting response... 200 OK

Then I add a rule on the 192.168.0.2 machine:

iptables -t nat -A PREROUTING -p tcp --dport 8888 -j DNAT --to 192.168.0.3:80

And turn forwarding on:

echo 1 > /proc/sys/net/ipv4/ip_forward

Then I try to open 193.124.117.195:8888 from the third machine and see that packets go out of the first one (192.168.0.2):

tcpdump -i eth1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
19:18:33.480948 IP 84.252.147.253.6016 > 192.168.0.3.http: Flags [S], seq 2692986583, win 12500, options [mss 1250,nop,wscale 2,sackOK,TS val 3132330242 ecr 0], length 0
19:18:36.480279 IP 84.252.147.253.6016 > 192.168.0.3.http: Flags [S], seq 2692986583, win 12500, options [mss 1250,nop,wscale 2,sackOK,TS val 3132333242 ecr 0], length 0

I also add another rule to see that the packets go in the right direction:

iptables -t nat -A POSTROUTING -p tcp --dport 80 -d 192.168.0.3 -j ACCEPT
iptables -t nat -nvL POSTROUTING 
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    2   120 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.3          tcp dpt:80

So, as I understand it, packets go through eth1 to the local network and should reach Machine 2. But nothing happens there. I try to listen on eth1 of 192.168.0.3 and see only ARP packets. Also, iptables shows no packets. Where have I made a mistake? On 192.168.0.3:

tcpdump -i eth1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
19:29:13.020569 ARP, Request who-has 192.168.0.3 tell 192.168.0.2, length 28
19:29:13.020600 ARP, Reply 192.168.0.3 is-at 00:15:5d:0d:2c:a4 (oui Unknown), length 28
dm

I found an answer: I just added MASQUERADE to mask the source IP of the LAN packet:

iptables -t nat -A POSTROUTING -p tcp -d 192.168.0.3 --dport 80 -j MASQUERADE
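A complete rule set for the topology in the question, added here as an example and not taken from the thread: it generates (or, with the argument `apply`, runs) the DNAT and SNAT rules together with a locked-down FORWARD chain, because enabling ip_forward on a host with a public interface and an ACCEPT-by-default FORWARD policy turns it into a router for whatever reaches it. It assumes eth0 is the public side and eth1 the LAN side of Machine 1, as in the question, and uses an explicit SNAT to 192.168.0.2 where the answer uses MASQUERADE.

```shell
#!/bin/sh
# Added example, not from the original thread. Addresses and interfaces are
# the ones in the question; the eth0/eth1 roles are an assumption.
PUB_IF=eth0          # public side of Machine 1 (193.124.117.195)
LAN_IF=eth1          # LAN side of Machine 1 (192.168.0.2)
LAN_IP=192.168.0.2
BACKEND=192.168.0.3
PUB_PORT=8888
BACKEND_PORT=80

nat_rules() {
    # Rewrite the destination of inbound connections to the backend. Matching
    # on the public interface keeps LAN traffic to port 8888 unaffected.
    echo "iptables -t nat -A PREROUTING -i $PUB_IF -p tcp --dport $PUB_PORT -j DNAT --to-destination $BACKEND:$BACKEND_PORT"
    # Rewrite the source so the backend replies to Machine 1. The reply then
    # returns along the same path and conntrack can undo the DNAT; without
    # this the backend would answer 84.252.147.253 via its own default route.
    # Only the DNATed flow is touched (--ctstate DNAT).
    echo "iptables -t nat -A POSTROUTING -o $LAN_IF -p tcp -d $BACKEND --dport $BACKEND_PORT -m conntrack --ctstate DNAT -j SNAT --to-source $LAN_IP"
}

forward_rules() {
    # ip_forward=1 with a default-ACCEPT FORWARD chain makes Machine 1 relay
    # anything between eth0 and eth1. Permit only the forwarded flow and the
    # replies belonging to it, drop the rest.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $PUB_IF -o $LAN_IF -p tcp -d $BACKEND --dport $BACKEND_PORT -m conntrack --ctstate DNAT -j ACCEPT"
}

all_rules() {
    nat_rules
    forward_rules
    echo "sysctl -w net.ipv4.ip_forward=1"
}

# Print the commands by default; "apply" executes them (needs root).
if [ "${1:-}" = "apply" ]; then
    all_rules | while IFS= read -r cmd; do $cmd; done
else
    all_rules
fi
```

Review the printed commands first; `-t nat -nvL` and `-nvL FORWARD` afterwards show whether the SYN and its reply are counted on the DNAT, SNAT and FORWARD rules.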