Fedora Linux Support Community & Resources Center
#1 - 16th January 2008, 12:59 AM
daviddoria
iptables Local Port Forwarding?

I want the equivalent of
ssh 192.168.0.2 -L 5900:192.168.0.2:5901
(the machine I am on is 192.168.0.3)

but without SSHing! I thought you could do this with iptables, but I tried this

sudo iptables -t nat -A PREROUTING -p tcp -d 192.168.0.3 --dport 5900 -j DNAT --to 192.168.0.2:5901
sudo service iptables save

but it doesn't seem to work. Basically I want any traffic coming to .0.3 on a particular port to be forwarded to .0.2 on a different port.

Please let me know if you know how to do this.

Thanks!

David

Last edited by daviddoria; 17th January 2008 at 07:42 PM.
#2 - 16th January 2008, 01:51 PM
daviddoria
Surely this is possible? Bump.
#3 - 17th January 2008, 07:42 PM
daviddoria
Bump - new title.
#4 - 17th January 2008, 08:10 PM
brunson
You also have to have IP forwarding enabled. That's the first thing I can think of.

BTW, don't bump your posts.

[Edit] Oops, IP forwarding, not port forwarding...
__________________
Registered Linux User #4837
411th in line to get sued by Micro$oft
Quote:
Basically, to learn Unix you learn to understand and apply a small set of key ideas and achieve expertise by expanding both the set of ideas and your ability to apply them - Paul Murphy
#5 - 17th January 2008, 08:13 PM
daviddoria
I'm pretty sure IP forwarding was enabled (just echo "1" > /proc/sys/net/ipv4/ip_forward, right?).

Sorry about the bumps - do I just make a new one if I still didn't get a response?
#6 - 17th January 2008, 08:43 PM
brunson
Are you sure the SYN of the incoming traffic is not making it to the second host?

I'm thinking the problem may be that the originating host is trying to establish a connection to 192.168.0.3:5900, but it's getting a response from 192.168.0.2:5901, which it drops because it isn't waiting for a conversation with that socket. Unless 192.168.1.3 is your default router for the network, you may have to NAT the source of the traffic so 192.168.0.2 sends its reply back via .3 so it can un-NAT it.

WRT bumps, just wait for someone to respond.
#7 - 17th January 2008, 08:51 PM
daviddoria
So by NATing the traffic it basically says "reply to 192.168.0.3, not to the source that originally sent the packet"? But then how does 192.168.0.3 know to send the reply on to the original source?

Is there a good tutorial on this anywhere? Everything I've found with iptables is way more than I need and it's a bit overwhelming.
#8 - 17th January 2008, 10:02 PM
brunson
I may not be right, it needs more investigation.

When iptables NATs the incoming packet, I don't know if it automatically rewrites the source address so the return path goes back through the original destination. If it doesn't, then the .2 machine will try to reply directly to the originating machine which will not talk to .2 because it isn't waiting for a reply from it, it's still waiting for a reply from .3.

I haven't used DNAT much at all, firewalls usually use SNAT for masquerading which is what I'm more familiar with. You may need to specify that iptables rewrites the source address before forwarding the traffic to .2 so the return traffic traverses it and can be un-natted.

Can you tcpdump the traffic on .2 and see if it is receiving the initial SYN packet from .3 and where it is ACKing?
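As an added example that is not from the thread (my own script, not anything the posters ran), this POSIX shell function prints the complete rule set brunson's posts are circling: the PREROUTING DNAT from post #1, ip_forward, FORWARD accepts, and the POSTROUTING SNAT that pulls the reply back through .3 when .3 is not .2's default gateway. The function and validation helper names are mine, and the rules assume an iptables build with the nat table and the conntrack match available.

```shell
#!/bin/sh
# Added example: emit (do not apply) the iptables rules to forward TCP LIP:LPORT
# on this host to RHOST:RPORT, including the return-path SNAT for a non-gateway host.

# valid_ip4 ADDR -> 0 if ADDR is a dotted quad with each octet 0..255
valid_ip4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for o in $(echo "$1" | tr . ' '); do [ "$o" -le 255 ] || return 1; done
}

# valid_port PORT -> 0 if PORT is an integer 1..65535
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_forward_rules LIP LPORT RHOST RPORT -> prints the rule set, or returns 1 on bad input
gen_forward_rules() {
  lip=$1; lport=$2; rhost=$3; rport=$4
  valid_ip4 "$lip" && valid_ip4 "$rhost" || { echo "bad address" >&2; return 1; }
  valid_port "$lport" && valid_port "$rport" || { echo "bad port" >&2; return 1; }
  cat <<EOF
# 1. routing between interfaces must be on, or the DNATed packet is never forwarded
sysctl -w net.ipv4.ip_forward=1
# 2. rewrite the destination of traffic arriving for $lip:$lport
iptables -t nat -A PREROUTING -p tcp -d $lip --dport $lport -j DNAT --to-destination $rhost:$rport
# 3. connections that originate on this host never hit PREROUTING; cover them in OUTPUT
iptables -t nat -A OUTPUT -p tcp -d $lip --dport $lport -j DNAT --to-destination $rhost:$rport
# 4. the filter table must let the forwarded flow through, in both directions
iptables -A FORWARD -p tcp -d $rhost --dport $rport -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 5. $lip is not $rhost's default gateway, so make the reply come back through here to be un-NATed
iptables -t nat -A POSTROUTING -p tcp -d $rhost --dport $rport -j SNAT --to-source $lip
EOF
}

# Example invocation with the thread's addresses (the typo from post #1 is rejected by valid_ip4).
gen_forward_rules 192.168.0.3 5900 192.168.0.2 5901
```

The SNAT in step 5 has a cost worth knowing before applying it: 192.168.0.2 then sees every forwarded connection as coming from 192.168.0.3, so its own logs and any per-client access rules on it lose the real client address.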
#9 - 17th January 2008, 11:57 PM
daviddoria
There is a program:
http://sourceforge.net/project/showf...p?group_id=771

That does this PERFECTLY!!

It is executed like this:
/usr/local/sbin/portfwd -c david.cfg

and here is the contents of david.cfg:
tcp {
5900 { => 192.168.0.10:5910 }
}

This forwards 5900 on the local machine to 5910 on 192.168.0.10.

GREAT!