[WBEL-users] OT iptables DNAT forwarding

Daniel T. Gynn dan.gynn@essensys.com
Thu, 26 Feb 2004 18:03:10 -0500


That gotcha might be the problem, can you elaborate?  The network is
set up as such:

routing machine: 192.168.1.2, gw 192.168.1.1
test route machine: 192.168.1.3, gw 192.168.1.1
dest machine: 192.168.2.2, gw 192.168.2.1

I see routing machine log files say that it is sending it from
192.168.1.3 to 192.168.2.2.  It sounds like the gotcha is that
192.168.2.2 is confused on how to send it back.  If I go straight from
test to dest it works fine, and if I go straight from routing to dest it
works, but if I go from test to routing to dest, it doesn't.  Is there
a way to work around this gotcha?

Dan


On Thu, 2004-02-26 at 17:46, Ed Groth wrote:
> Daniel T. Gynn [Thu, Feb 26, 2004 at 12:52:03PM -0500]
> > I know this is off topic, but I figured I'd give it a shot.
> >
> > I am going crazy trying to forward pop3 requests to another server.
> > Everywhere I see on the internet, it seems to be correct. If I access
> > from an internal address, it seems to work, but from an external one, it
> > just times out. My rules are:
> >
> > $IPTABLES -A PREROUTING -t nat -p tcp --dport 110 -j DNAT --to $POP3
> > $IPTABLES -A FORWARD -p tcp --dport pop3 -j ACCEPT
> >
> >
> > I've even tried setting all rules to ACCEPT and it still won't work. Am
> > I forgetting something?
>
> Destination NAT only works when you're sure that all traffic passes
> through the machine doing it.  I don't think you're making this mistake
> but it's a common "gotcha" so I figured I'd mention it.
>
> The other thing is that it looks to me like your iptables rules forward *all*
> pop3 traffic destined to *any* host to your pop3 server _except_ when destined to
> your machine.  You might want to add a destination host argument to the
> PREROUTING command, and add an $IPTABLES -A INPUT -p tcp --dport pop3 -j ACCEPT.
> I'm not sure if the latter command is necessary, but you might try it.
>
> Also, I haven't played with iptables for a while and this might be completely
> wrong! :v)
>
>   Ed
>
--
-----------------------
Daniel T. Gynn
RHCE #806200978201621
Essential Systems, Inc.
412-931-5403 ext. 1
fax: 412-931-5425
dan.gynn@essensys.com
GnuPG Key http://www.essensys.com/~dan/gpgring.asc
Fingerprint: 0979 73B8 847A 349E 7363  66F4 6A79 DD72 495D CD60
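Worked example, added by the editor and not part of the thread: a rule set that addresses both points raised above. Ed's "gotcha" is exactly what Dan's topology triggers: 192.168.1.2 rewrites the destination to 192.168.2.2, but the POP3 server's reply is routed via 192.168.2.1/192.168.1.1 straight back to 192.168.1.3, which never talked to 192.168.2.2 and drops the SYN-ACK, so the connection times out. The usual fix is to SNAT the forwarded connection to the routing machine's own address in POSTROUTING, so that replies must come back through the box that can un-NAT them. The PREROUTING rule also gets the `-d` argument Ed suggested, so only POP3 connections addressed to the router itself are rewritten. The INPUT rule is not needed for this flow: once DNAT has changed the destination, the packet is routed through FORWARD, not INPUT. The addresses are the lab values from the thread; the interface name `eth0`, the script name and the function names are assumptions.

```shell
#!/bin/sh
# Editor-added example, not code from the thread. Installs a POP3 DNAT on a
# router together with the SNAT that keeps the return path symmetric.
#
#   sh pop3-dnat.sh dry-run    # print the rules that would be installed
#   sh pop3-dnat.sh apply      # install them (needs root)

# Same convention as the original post: $IPTABLES names the binary.
# Override with IPTABLES="echo iptables" to dry-run.
IPTABLES=${IPTABLES:-iptables}

# The router only forwards if the kernel is told to route.
enable_ip_forward() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# apply_pop3_forward <router_ip> <pop3_server_ip> [inbound_iface]
#   router_ip       address clients connect to (192.168.1.2 in the thread)
#   pop3_server_ip  real POP3 server            (192.168.2.2 in the thread)
apply_pop3_forward() {
    router_ip=$1
    pop3=$2
    iface=${3:-eth0}   # assumed interface name

    # 1. Rewrite only connections addressed to *this* router (the -d argument),
    #    not every POP3 packet that happens to transit it.
    $IPTABLES -t nat -A PREROUTING -i "$iface" -d "$router_ip" \
        -p tcp --dport 110 -j DNAT --to-destination "$pop3"

    # 2. Let the rewritten connection through FORWARD: new connections only
    #    towards the POP3 server, and any packet belonging to a tracked
    #    connection in either direction.
    $IPTABLES -A FORWARD -p tcp -d "$pop3" --dport 110 \
        -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 3. The gotcha fix: also rewrite the source to the router's own address.
    #    The POP3 server now replies to the router, which un-NATs both
    #    directions. Without this the server answers the original client
    #    directly; the client sees a SYN-ACK from an address it never
    #    contacted, drops it, and the connection times out.
    $IPTABLES -t nat -A POSTROUTING -p tcp -d "$pop3" --dport 110 \
        -j SNAT --to-source "$router_ip"
}

case "$1" in
    apply)
        enable_ip_forward
        apply_pop3_forward 192.168.1.2 192.168.2.2
        ;;
    dry-run)
        IPTABLES="echo iptables"
        apply_pop3_forward 192.168.1.2 192.168.2.2
        ;;
esac
```

The price of the SNAT is that the POP3 server's logs show every forwarded client as 192.168.1.2, so keep the router's own connection-tracking logs if per-client accountability matters. A source-address match (`-s`) on the PREROUTING rule would further narrow which clients are redirected.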
