Ping a Specific Port

Question

AndiDog

Asked: 2010-01-26 10:59:19 +0800 CST2010-01-26 10:59:19 +0800 CST 2010-01-26 10:59:19 +0800 CST

iptables for transparent NAT

772

I'm trying to transparently route traffic of one Xen VM through another, like so:

-------      192.168.250.4          192.168.250.3     ---------
| VM1 |   <-----------------bridged---------------->  | VM2   |  <-----> Internet
-------                                               | with  |
                                                      | squid |
                                                      | proxy |
                                                      ---------

Don't ask why, just experimenting with iptables. I'm able to successfully route HTTP traffic through VM2's Squid proxy (transparent mode) with

iptables -t nat -A PREROUTING -p tcp --dport 80 –s ! 192.168.250.3 -j REDIRECT --to-port 3128

but how can I simply pass through all other traffic? Already tried this config but it gives me "Connection refused" errors when trying to access the Internet from VM1 (192.168.250.4):

vm2:~# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
# route outgoing udp traffic
DNAT       udp  -- !192.168.250.3        0.0.0.0/0           udp dpt:!80 to:192.168.250.3
# route outgoing tcp traffic
DNAT       tcp  -- !192.168.250.3        0.0.0.0/0           tcp dpt:!80 to:192.168.250.3
# this is the working squid rule
REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 3128

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
# route incoming traffic
SNAT       all  --  0.0.0.0/0            192.168.250.3       to:192.168.250.4 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

What is wrong here? I already read lots of tutorials but most don't work properly... (BTW: /proc/sys/net/ipv4/ip_forward is 1)

2 Answers

Voted

Scott Forsyth · Answer 1 · 2010-01-26T20:02:02+08:00

Scott Forsyth

2010-01-26T20:02:02+08:002010-01-26T20:02:02+08:00

Rather than using REDIRECT, try DNAT and SNAT. Try this:

iptables -t nat -I PREROUTING -d 192.168.250.3 -j DNAT --to-destination 192.168.250.4 iptables -t nat -I POSTROUTING -s 192.168.250.4 -j SNAT --to-source 192.168.250.3

1

AndiDog · Answer 2 · 2010-01-27T05:46:33+08:00

Best Answer

AndiDog

2010-01-27T05:46:33+08:002010-01-27T05:46:33+08:00

I finally found the correct way to do it:

NAT-ing outgoing connections (VM1 --> Internet/intranet) works with source rewriting (SNAT):

iptables -t nat -A POSTROUTING -s 192.168.250.4 -j SNAT --to-source 192.168.2.125

where 192.168.2.125 is the current external IP of VM2 (must not be the internal address). As that IP is assigned by DHCP in my case, the rule must be changed to do SNAT on the dynamic IP. This is done by the MASQUERADE command:

iptables -t nat -A POSTROUTING -s 192.168.250.4 -j MASQUERADE

The final iptables config now looks like this (other tables/chains are empty):

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  192.168.250.4        0.0.0.0/0

0

iptables for transparent NAT

Ping a Specific Port

How do I tell Git for Windows where to find my private RSA key?

How do you restart php-fpm?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Resolve host name from IP address

How can I sort du -h output by size

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?