iptables PREROUTING DNAT

  • Server 1: 192.168.0.1
  • Server 2: 192.168.0.2
  • Server 3: 192.168.0.3

Server 2 has access to Server 3 on port 1521. The task is to set up port forwarding Server1 -> Server2:5501 -> Server3:1521.

On Server2 I apply these settings:

```sh
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp --dport 5501 \
         -j DNAT --to-destination 192.168.0.3:1521
```

or this variant:

```sh
iptables -t nat -A PREROUTING --dst 192.168.0.2 -p tcp --dport 5501 \
         -j DNAT --to-destination 192.168.0.3:1521
```

I check access from Server1 to Server2:5501 with `telnet 192.168.0.2 5501`, but it does not work. Any tips on how to diagnose this? Or are my commands incorrect?

Nikita Kipriyanov:
Are these all the IPs you have? Are all three systems in one shared subnet? The reply will be sent back *directly to the original* client, without reverse translation; there it is not recognized as a reply and is dropped. You can confirm this by capturing traffic with `tcpdump`. That said, why do you need all of that? There is probably a much more elegant solution to your *original* problem that doesn't involve dirty hacks like NAT and the like. For that, we'd need to know what the original problem was.
AlexD:
Sorry, but I hid the real IPs of the servers. The real IPs are in other subnets. I'll try tcpdump, thanks for the tip. Server1 does not have access to Server3; only Server2 has access to Server3.
Nikita Kipriyanov:
There is no point in hiding private IPs, so if these were 10.x.x.x or 192.168.x.x or 172.16/12... you know, don't hide them at all and present them as they are, for your own sake. There is no security leak (if your security were to depend on that, you have really big problems, my friend). If they are public IPs, there is a point in hiding them, but in that case you need to make sure we can see the relationships between them: if they are in different subnets, replace them with fake IPs that are in different subnets, too (and don't invent fake IPs; use the [RFC5735](https://www.rfc-editor.org/rfc/rfc5735) TEST-NET-n ones).
Nikita Kipriyanov:
That said, I really need that interrelation information to understand what's going on and to suggest a solution. And, again, I also asked for the **original problem** because your question looks very much like [the XY problem](https://xyproblem.info/) to me. What problem are you trying to solve with NAT? Why NAT? If all servers have public IPs, I swear, NAT may not be the best solution out there. Why won't you permit direct access (which would be the best option by far)?
AlexD:
Thanks for the help. tcpdump and conntrack are very helpful tools. Problem solved.
AlexD:

```sh
# SRCIP:SRCPRT is Server2's address and exposed port; DESTIP:DSTPRT is Server3's service
iptables -t nat -A PREROUTING -d $SRCIP -p tcp -m tcp --dport $SRCPRT \
         -j DNAT --to-destination $DESTIP:$DSTPRT
# Rewrite the source so Server3 replies to Server2, which then reverse-translates
iptables -t nat -A POSTROUTING -d $DESTIP -p tcp -m tcp --dport $DSTPRT \
         -j SNAT --to-source $SRCIP
```
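The complete Server2 rule set that makes the forwarding in this thread work, as an added example (not code posted by anyone in the thread). It uses the thread's placeholder addresses; the `--ctstate DNAT` match on the SNAT rule, the FORWARD rules, and the diagnostic commands are additions that the thread does not show. The SNAT rule is the part missing from the question's attempt: without it Server3 answers Server1 directly, Server1 sees a SYN-ACK from 192.168.0.3:1521 instead of 192.168.0.2:5501, and the handshake never completes.

```sh
#!/bin/sh
# Added example, not code from the original thread. Generates the complete
# rule set Server2 needs to forward Server2:5501 -> Server3:1521 and to make
# Server3's replies return via Server2 (the DNAT-only attempt in the question
# fails because the reply goes straight to Server1 and is dropped). The IPs are
# the thread's placeholders; run with "apply <via_ip> <via_port> <dst_ip> <dst_port>"
# as root to install the rules, or with no arguments to print them.

build_nat_rules() {
    via_ip=$1     # Server2's address that clients connect to
    via_port=$2   # port exposed on Server2
    dst_ip=$3     # Server3
    dst_port=$4   # service port on Server3
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -d $via_ip -p tcp --dport $via_port -j DNAT --to-destination $dst_ip:$dst_port
iptables -t nat -A POSTROUTING -d $dst_ip -p tcp --dport $dst_port -m conntrack --ctstate DNAT -j SNAT --to-source $via_ip
iptables -A FORWARD -d $dst_ip -p tcp --dport $dst_port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s $dst_ip -p tcp --sport $dst_port -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Diagnostics to run on Server2: the conntrack entry should show the DNAT'd
# destination in the original tuple and Server2's address in the reply tuple;
# tcpdump shows whether Server3's SYN-ACK actually comes back through this host.
diag_commands() {
    dst_ip=$1
    dst_port=$2
    cat <<EOF
conntrack -L -p tcp --dport $dst_port
tcpdump -ni any "host $dst_ip and tcp port $dst_port"
EOF
}

case "${1:-print}" in
    apply) shift; build_nat_rules "$@" | sh -e ;;
    *)     build_nat_rules 192.168.0.2 5501 192.168.0.3 1521
           diag_commands 192.168.0.3 1521 ;;
esac
```

Two caveats a practitioner should weigh. The `--ctstate DNAT` match confines the SNAT to forwarded connections, so Server2's own traffic to Server3:1521 is left alone. And SNAT hides the real client: Server3 sees every forwarded connection as coming from Server2, so any access logging or IP-based access control on Server3 loses Server1's identity; the alternative that preserves it is a route on Server3 sending traffic for Server1's address back via Server2, which needs no SNAT at all. The FORWARD rules matter only when the FORWARD chain's policy is DROP (common on hosts running Docker or a distribution firewall).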