Join Log in
Score:0
YNX avatar Server

Iptables DNAT with multiple interface

cn flag
YNX

I have 2 Machines:

MachineDev
ens5: 10.41.12.63 (the default net device)
ens8: 10.41.10.111

 MachineProxy
ens5: 10.40.9.106 (the default net device)
ens6: 10.40.2.114

And I want use MachineProxy as proxy to establish a tcp between MachineDev and some ip like 3.117.113.6:443(just a example).

Here is what I set the iptables on MachineProxy

sudo iptables -I PREROUTING -t nat -p tcp --dport 8250 -j DNAT --to 3.117.113.6:443
sudo iptables -I POSTROUTING -t nat -p tcp -d 3.117.113.6 --dport 443 -j MASQUERADE
sudo iptables -I FORWARD -t filter -j ACCEPT

(these rules are at the top of the chain, so they will be match first)

The problem: I can use the DNAT proxy with MachinDev ens5 and MachineProxy ens5 8250, everything works fine. But I can't establish a simple tcp connection with MachinDev ens8 and MachineProxy ens6 8250. Why and How?

MachinDev ens5 and MachineProxy ens5 are in an AWS-subnet, MachinDev ens8 and MachineProxy ens6 are in another AWS-subnet.

Here is some logs I tried to solve it, Firstly I add a rule:

iptables -A PREROUTING -t raw -i ens6 -p tcp -m tcp -s 10.41.10.111/20  -j TRACE

and then that's all the log in sys:

Aug  2 12:03:06 ip-10-40-9-106 kernel: [ 4750.945947] TRACE: raw:PREROUTING:policy:3 IN=ens6 OUT= MAC=06:35:e3:6c:6d:b9:06:b5:d6:be:37:d1:08:00 SRC=10.41.10.111 DST=10.40.2.114 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=57725 DF PROTO=TCP SPT=37888 DPT=8250 SEQ=3375071032 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080A395228250000000001030307)
Aug  2 12:03:06 ip-10-40-9-106 kernel: [ 4750.945975] TRACE: nat:PREROUTING:rule:2 IN=ens6 OUT= MAC=06:35:e3:6c:6d:b9:06:b5:d6:be:37:d1:08:00 SRC=10.41.10.111 DST=10.40.2.114 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=57725 DF PROTO=TCP SPT=37888 DPT=8250 SEQ=3375071032 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080A395228250000000001030307)
Aug  2 12:03:06 ip-10-40-9-106 kernel: [ 4750.945984] TRACE: filter:FORWARD:policy:1 IN=ens6 OUT=ens5 MAC=06:35:e3:6c:6d:b9:06:b5:d6:be:37:d1:08:00 SRC=10.41.10.111 DST=3.117.113.6 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=57725 DF PROTO=TCP SPT=37888 DPT=443 SEQ=3375071032 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080A395228250000000001030307)
Aug  2 12:03:06 ip-10-40-9-106 kernel: [ 4750.945991] TRACE: nat:POSTROUTING:rule:2 IN=ens6 OUT=ens5 MAC=06:35:e3:6c:6d:b9:06:b5:d6:be:37:d1:08:00 SRC=10.41.10.111 DST=3.117.113.6 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=57725 DF PROTO=TCP SPT=37888 DPT=443 SEQ=3375071032 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080A395228250000000001030307)
Aug  2 12:03:07 ip-10-40-9-106 kernel: [ 4751.975233] TRACE: raw:PREROUTING:policy:3 IN=ens6 OUT= MAC=06:35:e3:6c:6d:b9:06:b5:d6:be:37:d1:08:00 SRC=10.41.10.111 DST=10.40.2.114 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=57726 DF PROTO=TCP SPT=37888 DPT=8250 SEQ=3375071032 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080A39522C2A0000000001030307)
Aug  2 12:03:07 ip-10-40-9-106 kernel: [ 4751.975253] TRACE: filter:FORWARD:policy:1 IN=ens6 OUT=ens5 MAC=06:35:e3:6c:6d:b9:06:b5:d6:be:37:d1:08:00 SRC=10.41.10.111 DST=3.117.113.6 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=57726 DF PROTO=TCP SPT=37888 DPT=443 SEQ=3375071032 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080A39522C2A0000000001030307)
30
0 + 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.