I'm trying to set up IP forwarding. I cannot manage to make it work.
The goal is to receive a connection on interface1 (IP on this interface is 192.168.101.3) port 4443, and send it through interface2 to IP 192.168.4.5 (dest IP) port 4443.
- I enabled "net.ipv4.ip_forward = 1" in /etc/sysctl.conf
- set DEFAULT_FORWARD_POLICY="ACCEPT" in /etc/default/ufw
- added this to /etc/ufw/before.rules (from various tutorials):

```
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 4443 -j DNAT --to-destination 192.168.4.5:4443
-A POSTROUTING -o interface2 -j MASQUERADE
COMMIT
```
I still cannot connect with "nc 192.168.101.3 4443"
- Do you see anything wrong?
- How does ufw know which interface to forward to if -o cannot be specified in DNAT? Won't it try to forward to 192.168.4.5:4443 on interface1?
edit:
192.168.101.1(computer 1) -> (192.168.101.3, 192.168.4.1)(computer 2) -> 192.168.4.5(computer 3)
The best I can get right now is this in the log
```
[ 1177.553749] [UFW AUDIT] IN= OUT=enp6s0 SRC=192.168.101.3 DST=192.168.101.1 LEN=88 TOS=0x00 PREC=0xC0 TTL=64 ID=62781 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.101.1 DST=192.168.4.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=13975 DF PROTO=TCP SPT=60720 DPT=4445 WINDOW=64240 RES=0x00 SYN URGP=0 ]
```
So if I understand correctly, port 4443 on 192.168.4.5 is unreachable, so 192.168.101.3 sends an ICMP error packet back to 192.168.101.1 (the machine I'm connecting from with nc).
Which is weird because if I try to connect with nc directly from 192.168.101.3 it works fine...
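The [UFW AUDIT] line quoted in the post packs two packets into one entry: the outer ICMP error, and in square brackets the header of the original packet that triggered it. The Python parser below is an added illustration, not part of the post or of ufw: it splits the two, names the ICMP type 3 code, and checks whether the quoted inner packet would even have matched a `-p tcp --dport N` DNAT rule. The sample line is the one from the post; the rule port is a parameter.

```python
import re

# Sample input: the [UFW AUDIT] line from the post above, embedded here for an offline run.
SAMPLE = ("[ 1177.553749] [UFW AUDIT] IN= OUT=enp6s0 SRC=192.168.101.3 DST=192.168.101.1 "
          "LEN=88 TOS=0x00 PREC=0xC0 TTL=64 ID=62781 PROTO=ICMP TYPE=3 CODE=3 "
          "[SRC=192.168.101.1 DST=192.168.4.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=13975 DF "
          "PROTO=TCP SPT=60720 DPT=4445 WINDOW=64240 RES=0x00 SYN URGP=0 ]")

# ICMP type 3 (Destination Unreachable) codes, from RFC 792 / RFC 1122.
ICMP_UNREACHABLE_CODES = {
    0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
    3: "port unreachable", 4: "fragmentation needed and DF set",
    9: "network administratively prohibited", 10: "host administratively prohibited",
    13: "communication administratively prohibited",
}

_KV = re.compile(r"([A-Z]+)=(\S*)")

def _fields(text):
    """Turn KEY=VALUE tokens into a dict; bare flags such as DF or SYN become True."""
    out = dict(_KV.findall(text))
    for tok in text.split():
        if "=" not in tok and tok.isalpha():
            out[tok] = True
    return out

def parse_ufw_audit(line):
    """Split a [UFW AUDIT] line into the outer packet and, for ICMP errors,
    the embedded header of the original packet shown in square brackets."""
    outer_text, inner_text = line, None
    m = re.search(r"\[(SRC=.*?)\]\s*$", line)
    if m:
        inner_text, outer_text = m.group(1), line[:m.start()]
    outer = _fields(outer_text.split("[UFW AUDIT]", 1)[1])
    return {"outer": outer, "inner": _fields(inner_text) if inner_text else None}

def describe_icmp_error(parsed):
    """Human-readable meaning of a type 3 ICMP error, or None if the line is not one."""
    outer, inner = parsed["outer"], parsed["inner"]
    if outer.get("PROTO") != "ICMP" or outer.get("TYPE") != "3" or inner is None:
        return None
    reason = ICMP_UNREACHABLE_CODES.get(int(outer["CODE"]), "code " + outer["CODE"])
    return "%s tells %s: %s for %s %s:%s" % (
        outer["SRC"], outer["DST"], reason, inner["PROTO"], inner["DST"], inner.get("DPT"))

def inner_matches_dnat(parsed, proto="TCP", dport=4443):
    """Would the quoted original packet have matched '-p <proto> --dport <dport>'?
    A mismatch means the DNAT rule was never in play for that flow."""
    inner = parsed["inner"]
    return inner is not None and inner.get("PROTO") == proto and inner.get("DPT") == str(dport)
```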