[WBEL-users] OT iptables DNAT forwarding

farking@spunge.org farking@spunge.org
Thu, 26 Feb 2004 20:06:42 -0600 (CST)


Try this

# "Allowed" is a user-defined chain; it must exist (or use ACCEPT)
$IPTABLES -A FORWARD -p TCP -d 192.168.2.2 --dport 110 -j Allowed
# let replies for tracked connections back through
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# only rewrite pop3 traffic aimed at the routing box itself
$IPTABLES -t nat -A PREROUTING -p TCP -d 192.168.1.2 --dport 110 -j DNAT --to-destination 192.168.2.2

-- 
3% body phat 1% brain activity

> That gotcha might be the problem, can you elaborate?  The network is
> setup as such:
>
> routing machine: 192.168.1.2, gw 192.168.1.1
> test route machine: 192.168.1.3, gw 192.168.1.1
> dest machine: 192.168.2.2, gw 192.168.2.1
>
> I see routing machine log files say that it is sending it from
> 192.168.1.3 to 192.168.2.2.  It sounds like the gotcha is that
> 192.168.2.2 is confused on how to send it back.  If I go straight from
> test to dest it works fine, and if I go straight from routing to dest it
> works, but if I go from test to routing to dest, it doesn't.  Is there
> a way to work around this gotcha?
>
> Dan
>
>
> On Thu, 2004-02-26 at 17:46, Ed Groth wrote:
>> Daniel T. Gynn [Thu, Feb 26, 2004 at 12:52:03PM -0500]
>> > I know this is off topic, but I figured I'd give it a shot.
>> >
>> > I am going crazy trying to forward pop3 requests to another server.
>> > Everywhere I see on the internet, it seems to be correct. If I access
>> > from an internal address, it seems to work, but from an external one,
>> > it just times out. My rules are:
>> >
>> > $IPTABLES -A PREROUTING -t nat -p tcp --dport 110 -j DNAT --to $POP3
>> > $IPTABLES -A FORWARD -p tcp --dport pop3 -j ACCEPT
>> >
>> >
>> > I've even tried setting all rules to ACCEPT and it still won't work.
>> > Am I forgetting something?
>>
>> Destination NAT only works when you're sure that all traffic passes
>> through the machine doing it.  I don't think you're making this mistake
>> but it's a common "gotcha" so I figured I'd mention it.
>>
>> The other thing is that it looks to me like your iptables rules forward
>> *all* pop3 traffic destined to *any* host to your pop3 server _except_
>> when destined to your machine.  You might want to add a destination host
>> argument to the PREROUTING command, and add an
>> $IPTABLES -A INPUT -p tcp --dport pop3 -j ACCEPT.
>> I'm not sure if the latter command is necessary, but you might try it.
>>
>> Also, I haven't played with iptables for a while and this might be
>> completely wrong! :v)
>>
>>   Ed
>>
>> >
>> >
>> > --
>> > -----------------------
>> > Daniel T. Gynn
>> > RHCE #806200978201621
>> > Essential Systems, Inc.
>> > 412-931-5403 ext. 1
>> > fax: 412-931-5425
>> > dan.gynn@essensys.com
>> > GnuPG Key http://www.essensys.com/~dan/gpgring.asc
>> > Fingerprint: 0979 73B8 847A 349E 7363  66F4 6A79 DD72 495D CD60
>


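Ed's point that DNAT only works when the reply traffic also passes back through the NAT box, worked through as an added example (not code from anyone in this thread): a small Python model of conntrack-style DNAT using the addresses from Dan's description. It assumes the routing box's inside address is 192.168.2.1 and that a constructed second router, 192.168.2.254, can reach 192.168.1.0/24 without going through the routing box.

```python
"""Constructed model of the DNAT return-path gotcha from the thread."""

CLIENT = "192.168.1.3"       # test machine
NATBOX_OUT = "192.168.1.2"   # routing machine, address the client dials
NATBOX_IN = "192.168.2.1"    # assumed: routing machine's inside address
SERVER = "192.168.2.2"       # real pop3 server
OTHER_ROUTER = "192.168.2.254"  # constructed: reaches 192.168.1.0/24 directly


class NatBox:
    """Minimal conntrack: remember DNAT mappings, reverse them only on
    replies that actually transit the box."""

    def __init__(self):
        self.conntrack = {}  # (client, real_server) -> address client dialled

    def forward(self, src, dst, dport):
        # -t nat -A PREROUTING -p tcp -d 192.168.1.2 --dport 110 -j DNAT --to 192.168.2.2
        if dst == NATBOX_OUT and dport == 110:
            self.conntrack[(src, SERVER)] = dst
            return src, SERVER
        return src, dst

    def reply(self, src, dst):
        # un-DNAT: put the dialled address back as the reply's source
        orig = self.conntrack.get((dst, src))
        return (orig, dst) if orig else (src, dst)


def pop3_connect(server_gateway):
    """Simulate client -> routing box -> server and the reply.

    Returns the source address the client sees on the SYN-ACK, or None when
    the reply bypassed the NAT box (the 'just times out' symptom)."""
    box = NatBox()
    src, dst = box.forward(CLIENT, NATBOX_OUT, 110)  # SYN rewritten to server
    # server answers the client address it saw; its gateway picks the path
    rsrc, rdst = SERVER, src
    if server_gateway == NATBOX_IN:
        rsrc, rdst = box.reply(rsrc, rdst)  # transits the box: un-DNATed
    # the client's TCP stack only matches a SYN-ACK from the address it
    # connected to; one from 192.168.2.2 matches no socket and is dropped
    return rsrc if rsrc == NATBOX_OUT else None


if __name__ == "__main__":
    print("server gw = natbox :", pop3_connect(NATBOX_IN))      # 192.168.1.2
    print("server gw = other  :", pop3_connect(OTHER_ROUTER))   # None
```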