[Nottingham] Port forwarding with iptables

Phil Lakin nottingham at mailman.lug.org.uk
Tue Apr 29 17:26:02 2003


On Tue, 2003-04-29 at 17:09, Steve Goodliff wrote:
> ipv4_forward is definitely on. I'm thinking that the problem is that the
> line below ought to have 192.168.1.201 instead of 10.1.1.194 so that the
> router responds to my redhat box. The redhat box should then send that data
> back to 10.1.1.94; how I achieve this is another matter :).
> 
> 16:30:07.006388 10.1.1.194.44992 > 192.168.1.1.http: S
> 3580018260:3580018260(0) win 5840 <mss 1460,sackOK,timestamp 1415235782
> 0,nop,wscale 0> (DF) [tos 0x10]
> 
> 
> How would selective forwarding work? Really, all I want to achieve is to be
> able to access the routers' web frontends from our 10.x network, so
> alternatives are definitely considered. I'll check to see if I can access the
> router's table in the morning, but can't see it being the problem.

I've not actually tried this, but it should work. Port forwarding under
iptables caused me a fair bit of grief recently.

Maybe Rob has some better ideas?

Assuming you're using the 10.0.0.0/8 network for your clients, and the
routers are on the 192.168.0.0/16 network (obviously, you could lock
the subnets down):

# clients -> routers (chain names are case-sensitive: FORWARD, not forward)
iptables -t filter -A FORWARD -s 10.0.0.0/8 -d 192.168.0.0/16 -j ACCEPT
# routers -> clients (the replies)
iptables -t filter -A FORWARD -s 192.168.0.0/16 -d 10.0.0.0/8 -j ACCEPT

For this to work, you need to make sure your input and output filters
aren't blocking the packets before/after they get to the forwarding
rules. Also, the redhat box needs to be set as the gateway for these
subnets.

Hope this helps,

Phil
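A tightened version of the forwarding rules discussed above, as an added example that is not code from the original thread: a POSIX shell script that prints (or, with --apply, loads) FORWARD rules with a default-deny policy, only HTTP from the client subnet to the routers, and replies admitted by connection tracking instead of a second blanket ACCEPT. The 10.0.0.0/8 and 192.168.0.0/16 subnets and port 80 are assumptions taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the original thread. Generates iptables
# commands that forward only HTTP from the client subnet to the router
# subnet and admit replies via connection tracking; with --apply it also
# turns on routing and loads the rules (root required).
# The subnets and the HTTP port are assumptions taken from the thread.

gen_forward_rules() {
  client_net="$1"    # where the browsers live, e.g. 10.0.0.0/8
  router_net="$2"    # where the routers live, e.g. 192.168.0.0/16
  dport="${3:-80}"   # the routers' web frontends (tcpdump showed .http)
  cat <<EOF
# Chain names are case-sensitive: it is FORWARD, not forward.
iptables -F FORWARD
# Default-deny for routed traffic, so only what is listed below passes.
iptables -P FORWARD DROP
# Replies to allowed connections come back by state, so no second
# blanket router-to-client ACCEPT rule is needed.
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# New connections: client subnet -> router subnet, HTTP only.
iptables -A FORWARD -s ${client_net} -d ${router_net} -p tcp --dport ${dport} -m conntrack --ctstate NEW -j ACCEPT
# Log whatever falls through so misrouted packets show up in syslog.
iptables -A FORWARD -j LOG --log-prefix "FWD-DROP: " --log-level 4
EOF
}

apply_forward_rules() {
  # The box must route between the two subnets (and be their gateway).
  sysctl -w net.ipv4.ip_forward=1
  gen_forward_rules "$@" | sh -e
}

if [ "${1:-}" = "--apply" ]; then
  shift
  apply_forward_rules "${1:-10.0.0.0/8}" "${2:-192.168.0.0/16}" "${3:-80}"
else
  # Dry run: print the commands for review before loading them.
  gen_forward_rules "${1:-10.0.0.0/8}" "${2:-192.168.0.0/16}" "${3:-80}"
fi
```

Run it without arguments to review the generated commands, then with `--apply` as root to load them; the LOG rule makes anything the rules reject visible in the kernel log.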