On Thu, 27 Sep 2012, alex alex wrote:

Hi.
What kernel do you have?

> The rule is untouched by packets. What bothers me is that no match happens
> in prerouting.
> Perhaps the first question is why a packet does not match a rule in
> prerouting, DNAT being an action that follows the match. Or maybe I am
> misunderstanding something.
>
> iptables -t nat -I PREROUTING -i eth1 -p udp --dport 1234 -j DNAT --to 172.16.116.142:9996
>
> iptables -t nat -L -n -v
> Chain PREROUTING (policy ACCEPT 6010 packets, 591K bytes)
>  pkts bytes target      prot opt in    out   source      destination
>     0     0 DNAT        udp  --  eth1  *     0.0.0.0/0   0.0.0.0/0    udp dpt:1234 to:172.16.116.142:9996
>
> Chain POSTROUTING (policy ACCEPT 1325 packets, 111K bytes)
>  pkts bytes target      prot opt in    out   source      destination
>  9727  906K MASQUERADE  all  --  *     eth1  0.0.0.0/0   0.0.0.0/0
>     0     0 MASQUERADE  all  --  *     eth2  0.0.0.0/0   0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT 5190 packets, 436K bytes)
>  pkts bytes target      prot opt in    out   source      destination
>
>
> 2012/9/27 Florin Popovici <[email protected]>
>
>> 2012/9/27 alex alex <[email protected]>
>>
>>> Hi,
>>> I need a clear head for setting up a DNAT.
>>> In short, I have 3 computers (A, B, C). B does masquerade (iptables) for A.
>>> At the same time, C sends UDP packets to B, on a specific port (1234).
>>> I want those packets to reach A.
>>> What I did:
>>> iptables -t nat -N forward_to_server
>>> iptables -t nat -A forward_to_server -j LOG --log-prefix " [>] New Forward"
>>> iptables -t nat -A forward_to_server -p udp -j DNAT --to 172.16.116.142:9996
>>> iptables -t nat -I PREROUTING -i eth1 -p udp --dport 1234 -j forward_to_server
>>>
>>>
>> I have not seen DNAT done "in two steps" before, that is, with the DNAT
>> target in a separate chain and only the selection rule in PREROUTING.
>>
>> "For troubleshooting purposes", I would try doing it with a single rule:
>> iptables -t nat -I PREROUTING -i eth1 -p udp --dport 1234 -j DNAT --to dst_ip:dst_port
>>
>> And if you get no matches on this rule either, it becomes interesting :)
>>
>> Flo
>>
>> --
>> flo.ro
>> _______________________________________________
>> RLUG mailing list
>> [email protected]
>> http://lists.lug.ro/mailman/listinfo/rlug
>>

--
Catalin(ux) M. BOIE
http://kernel.embedromix.ro/
