FedoraForum.org - Fedora Support Forums and Community
  1. #1
    Join Date
    Oct 2007
    Posts
    884

    iptables Local Port Forwarding?

    I want the equivalent of
    ssh 192.168.0.2 -L 5900:192.168.0.2:5901
    (the machine I am on is 192.168.0.3)

    but without SSHing! I thought you could do this with iptables, but I tried this

    sudo iptables -t nat -A PREROUTING -p tcp -d 192.168.0.3 --dport 5900 -j DNAT --to 192.168.02:5901
    sudo service iptables save

    but it doesn't seem to work. Basically I want any traffic coming to .0.3 on a particular port to be forwarded to .0.2 on a different port.

    Please let me know if you know how to do this.

    Thanks!

    David
    Last edited by daviddoria; 17th January 2008 at 07:42 PM.

  2. #2
    Join Date
    Oct 2007
    Posts
    884
    Surely this is possible? Bump.

  3. #3
    Join Date
    Oct 2007
    Posts
    884
    Bump - new title.

  4. #4
    Join Date
    Jun 2005
    Location
    Westminster, Colorado
    Posts
    2,306
    You also have to have IP forwarding enabled. That's the first thing I can think of.

    BTW, don't bump your posts.

    [Edit] Oops, IP forwarding, not port forwarding...
    Registered Linux User #4837
    411th in line to get sued by Micro$oft
    Basically, to learn Unix you learn to understand and apply a small set of key ideas and achieve expertise by expanding both the set of ideas and your ability to apply them - Paul Murphy

  5. #5
    Join Date
    Oct 2007
    Posts
    884
    I'm pretty sure IP forwarding was enabled (just echo "1" > /proc/sys/net/ipv4/ip_forward, right?)

    Sorry about the bumps - do I just make a new one if I still didn't get a response?

  6. #6
    Join Date
    Jun 2005
    Location
    Westminster, Colorado
    Posts
    2,306
    Are you sure the SYN of the incoming traffic is not making it to the second host?

    I'm thinking the problem may be that the originating host is trying to establish a connection to 192.168.0.3:5900, but it's getting a response from 192.168.0.2:5901, which it drops because it isn't waiting for a conversation with that socket. Unless 192.168.1.3 is your default router for the network, you may have to NAT the source of the traffic so 192.168.0.2 sends its reply back via .3 so it can un-NAT it.

    WRT bumps, just wait for someone to respond.

  7. #7
    Join Date
    Oct 2007
    Posts
    884
    So by NATing the traffic it basically says "reply to 192.168.0.3, not to the source that originally sent the packet"? But then how does 192.168.0.3 know to send the reply on to the original source?

    Is there a good tutorial on this anywhere? Everything I've found with iptables is wayyyy more than I need and it's a bit overwhelming.

  8. #8
    Join Date
    Jun 2005
    Location
    Westminster, Colorado
    Posts
    2,306
    I may not be right, it needs more investigation.

    When iptables NATs the incoming packet, I don't know if it automatically rewrites the source address so the return path goes back through the original destination. If it doesn't, then the .2 machine will try to reply directly to the originating machine which will not talk to .2 because it isn't waiting for a reply from it, it's still waiting for a reply from .3.

    I haven't used DNAT much at all, firewalls usually use SNAT for masquerading which is what I'm more familiar with. You may need to specify that iptables rewrites the source address before forwarding the traffic to .2 so the return traffic traverses it and can be un-natted.

    Can you tcpdump the traffic on .2 and see if it is receiving the initial SYN packet from .3 and where it is ACKing?
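As an added example (not code from this thread or from any of its posters), here is the complete rule set that posts #6 and #8 are circling around, written as a POSIX sh script using the thread's addresses: a DNAT in PREROUTING for packets arriving from the LAN (plus the same DNAT in OUTPUT, because PREROUTING never sees connections made on the host itself), ACCEPT rules in FORWARD in case the default policy is DROP, and a POSTROUTING SNAT that makes 192.168.0.2 answer via 192.168.0.3 when .3 is not the LAN's default gateway. The answer to post #7's question is netfilter connection tracking: every NAT mapping is recorded per connection and reversed on the reply packets, which is how .3 knows to send .2's answer on to the original client. The helper names (build_rules, apply_rules, ip_forward_enabled, rule_count) are my own; the script only prints the rules unless invoked with apply.

```shell
#!/bin/sh
# Added example: port-forward TCP $LOCAL_IP:$LOCAL_PORT to $TARGET_IP:$TARGET_PORT
# on a host that is NOT the default gateway, so replies are hairpinned back
# through this host. Defaults are the thread's addresses; override via env.
LOCAL_IP="${LOCAL_IP:-192.168.0.3}"
LOCAL_PORT="${LOCAL_PORT:-5900}"
TARGET_IP="${TARGET_IP:-192.168.0.2}"
TARGET_PORT="${TARGET_PORT:-5901}"

# Print one iptables command per line (review before applying).
build_rules() {
  # 1. Rewrite the destination of packets arriving from the network.
  printf '%s\n' "iptables -t nat -A PREROUTING -p tcp -d $LOCAL_IP --dport $LOCAL_PORT -j DNAT --to-destination $TARGET_IP:$TARGET_PORT"
  # 2. Same rewrite for connections opened on this host to its own LAN address
  #    (locally generated packets traverse OUTPUT, never PREROUTING).
  printf '%s\n' "iptables -t nat -A OUTPUT -p tcp -d $LOCAL_IP --dport $LOCAL_PORT -j DNAT --to-destination $TARGET_IP:$TARGET_PORT"
  # 3. Let only the forwarded service and its replies through FORWARD;
  #    conntrack state keeps this from becoming a general relay.
  printf '%s\n' "iptables -A FORWARD -p tcp -d $TARGET_IP --dport $TARGET_PORT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
  printf '%s\n' "iptables -A FORWARD -p tcp -s $TARGET_IP --sport $TARGET_PORT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # 4. Hairpin: rewrite the source so $TARGET_IP replies to this host, which
  #    un-NATs the reply from its conntrack entry and returns it to the client.
  printf '%s\n' "iptables -t nat -A POSTROUTING -p tcp -d $TARGET_IP --dport $TARGET_PORT -j SNAT --to-source $LOCAL_IP"
}

# True when the kernel will route packets between interfaces at all;
# without this the DNATed SYN is silently dropped after PREROUTING.
ip_forward_enabled() {
  [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Number of rules build_rules emits (handy for a sanity check).
rule_count() {
  build_rules | wc -l | tr -d ' '
}

# Enable forwarding (non-persistent) and install the rules; needs root.
apply_rules() {
  ip_forward_enabled || sysctl -w net.ipv4.ip_forward=1
  build_rules | while IFS= read -r cmd; do
    $cmd
  done
}

case "${1:-}" in
  apply) apply_rules ;;
  *)     build_rules ;;
esac
```

Run it without arguments to review the commands, then `sudo sh fwd.sh apply` to install them for the current boot; `iptables -t nat -L -n -v` shows whether the DNAT and SNAT counters move, and `cat /proc/net/nf_conntrack` (or `conntrack -L`) shows the mapping being undone on the reply. One consequence of the POSTROUTING SNAT worth knowing before you rely on it: every client reaches 192.168.0.2 looking like 192.168.0.3, so .2's own logs and any host-based access control there can no longer distinguish the real clients.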

  9. #9
    Join Date
    Oct 2007
    Posts
    884
    There is a program:
    http://sourceforge.net/project/showf...p?group_id=771

    That does this PERFECTLY!!

    It is executed like this:
    /usr/local/sbin/portfwd -c david.cfg

    And here is the contents of david.cfg:
    tcp {
    5900 { => 192.168.0.10:5910 }
    }

    This forwards 5900 on the local machine to 5910 on 192.168.0.10.

    GREAT!
