I have the following setup:
Box1 [server]:
eth0 with IP 192.168.2.18 is in the internal network, with a web server running on port 80.

Box2 [gateway]:
eth0 with IP gw.gw.gw.gw, with some port exposed to the internet, e.g. port number 3000.
eth1 with IP 192.168.2.3 is for the internal network.

Box3 [client]:
eth0 with IP cl.cl.cl.cl
The goal is to redirect the traffic from gw.gw.gw.gw:3000 to 192.168.2.18:80. It looks like a simple DNAT rule would work, but the problem is that the gateway gw.gw.gw.gw is filtered by some other firewall (a black box), so that only established sessions are accepted in the output chain of the black box. In other words, if I am listening on port 4000 at cl.cl.cl.cl, I won't be able to connect to cl.cl.cl.cl:4000 from gw.gw.gw.gw, but the other way is possible, i.e. I can connect from cl.cl.cl.cl to gw.gw.gw.gw:3000. Currently, I have the following rules in the gateway:
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 3000 -j DNAT --to 192.168.2.18:80
iptables -A POSTROUTING -t nat -j MASQUERADE -o eth0
iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.2.18 --dport 3000 -j ACCEPT
sysctl -w net.ipv4.conf.eth0.forwarding=1 #to enable forwarding by kernel.
tcpdump shows that the gateway is sending response packets to the client, but the client is not able to receive any. My best guess is that this is somehow related to the session being lost at iptables, but I am not a pro in iptables rules. Any clue as to what I could be missing here?
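As an added example (not part of the question or of any answer on this page), here is a gateway rule set for this setup that matches the FORWARD chain on the post-DNAT port 80 rather than 3000, accepts the return direction through conntrack, masquerades toward the server on eth1 so its replies come back through the gateway, and enables forwarding globally. The interface names and addresses are the ones from the question; everything else is assumed.

```shell
#!/bin/sh
# Added example (not the poster's config): gateway rules for forwarding
# gw.gw.gw.gw:3000 -> 192.168.2.18:80. Interface names and addresses are
# taken from the question; adjust WAN_IF/LAN_IF/SERVER for other setups.
WAN_IF=eth0            # faces the internet (gw.gw.gw.gw)
LAN_IF=eth1            # faces the internal network (192.168.2.3)
SERVER=192.168.2.18
PUB_PORT=3000
SRV_PORT=80

# Print the rules instead of applying them, so they can be reviewed (and
# tested) without root; "apply" as the first argument runs them.
gw_rules() {
    cat <<EOF
# Forwarding is checked on the interface a packet arrives on, so the reply
# path via $LAN_IF needs it too; the global switch covers every interface.
sysctl -w net.ipv4.ip_forward=1
# Rewrite the destination before routing.
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $PUB_PORT -j DNAT --to-destination $SERVER:$SRV_PORT
# FORWARD sees the packet after DNAT, so match port $SRV_PORT, not $PUB_PORT.
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $SERVER --dport $SRV_PORT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# Let the server's replies back out; conntrack reverses the DNAT automatically.
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Source-NAT towards the server so its replies return via this gateway even
# if its default route points elsewhere.
iptables -t nat -A POSTROUTING -o $LAN_IF -p tcp -d $SERVER --dport $SRV_PORT -j MASQUERADE
EOF
}

case "${1:-print}" in
    apply) gw_rules | sh -e ;;
    *)     gw_rules ;;
esac
```

Run without arguments to review the generated commands; run with `apply` as root to install them.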
I think that the following lines should do the trick: