Page 2 of 2 FirstFirst 1 2
Results 11 to 17 of 17
#11 Lazydog (Linux Guru), Join Date: Jun 2004, Location: The Keystone State, Posts: 2,677

    That is a routing issue and not an IPTABLES fault. Check your routing if 192.168.201.51 cannot get to 192.168.200.200 with its return traffic.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

#12 wpns (Just Joined!), Join Date: May 2010, Posts: 9

    Clarification

    I guess I'm not being very clear:

    The machine in question, eth0 192.168.201.10 and eth1 192.168.201.50, is _NOT_ the default router for either subnet.

    The default routers for each subnet (...1) do _NOT_ know how to route traffic to each other.

    I was hoping that this machine could allow certain traffic between the two subnets with port translation, is this not possible with iptables?

    Hmm, that's potentially unclear:

    If traffic comes in eth1 for 192.168.200.10:54321 I want it to go to eth0 192.168.201.51:80 (this part works).

    Return traffic from that session should go (from the POV of the 192.168.201.51 box) back to 192.168.201.50 on eth0 and be returned to the originating machine on eth1, 192.168.200.??

    So we need to rewrite (NAT) the source address so that from the POV of the 192.168.201.51 box, the request appears to come from 192.168.201.50, yes?

    Thanks!
    Last edited by wpns; 05-24-2010 at 09:26 PM. Reason: Possibly unclear what I wanted

#13 Lazydog (Linux Guru), Join Date: Jun 2004, Location: The Keystone State, Posts: 2,677

    Sorry for the late reply.

    IPTABLES is a firewall and does not route, so the answer to your question is NO.

    To route packets between the networks they must pass through a router. But if this machine is connected to both networks then it should be able to route the traffic itself, as it is aware of both networks, and its next hop should be the device it is connected to on each network.

    What is the output of the following command:

    Code:
    route -n

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

#14 wpns (Just Joined!), Join Date: May 2010, Posts: 9
    Code:
    [root@camsrv01 ~]# route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.201.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
    192.168.200.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
    169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
    0.0.0.0         192.168.201.1   0.0.0.0         UG    0      0        0 eth0
    [root@camsrv01 ~]#
    But why don't I want the box to rewrite the source address? How does the response get back to the requesting device on the other network?

    I'm still getting:
    Code:
    May 31 23:15:18 camsrv01 kernel: IN=eth1 OUT=eth0 SRC=192.168.200.200 DST=192.168.201.51 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=41051 DF PROTO=TCP SPT=1176 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
    in the log file, and the camera status shows:
    Code:
    tcp        0      0 192.168.201.51:80                                   192.168.200.200:1177                                SYN_RECV
    So it got the connection, but how does the response get back to the machine (...200.200) on the other subnet?

    Thanks!

#15 Lazydog (Linux Guru), Join Date: Jun 2004, Location: The Keystone State, Posts: 2,677
    Quote Originally Posted by wpns:
        But why don't I want the box to rewrite the source address? How does the response get back to the requesting device on the other network?

    The source address stays the same and doesn't need to be changed. You do not need to change it as that is where the return packets are to be sent.

    Quote Originally Posted by wpns:
        So it got the connection, but how does the response get back to the machine (...200.200) on the other subnet?

        Thanks!

    That is the job of your routing table.
    Code:
    192.168.200.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
    Tells the kernel to send all traffic for 192.168.200.* out interface eth1

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

#16 wpns (Just Joined!), Join Date: May 2010, Posts: 9

    Right.

    Yeah, routing tables. Or spend a few more hours trying things and grepping the interweb:

    Code:
    # turn on forwarding between eth0 and eth1 (off by default)
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # clear the filter table (note: --flush without -t does not touch the nat table)
    iptables --flush
    # DNAT: requests arriving on eth1 for 192.168.200.10:54321 are sent on to the camera at 192.168.201.51:80
    iptables -t nat -A PREROUTING -p tcp -i eth1 -d 192.168.200.10 --dport 54321 -j DNAT --to-destination 192.168.201.51:80
    # SNAT: TCP leaving eth0 appears to come from 192.168.201.50, so the camera replies to this box instead of its default gateway
    iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source 192.168.201.50
    That seems to do it, the laptop on the other (eth1) subnet can see the camera on the local (eth0) subnet.

#17 (Just Joined!), Join Date: Nov 2012, Posts: 1
    Wow, thanks to this thread my port forwarding is finally working as it is supposed to be after days and days of searching and reading.
    I have the same problem as the subject poster and got it solved with the PREROUTING and POSTROUTING rules as wpns showed.
    Alternatively to the POSTROUTING SNAT rule

    Code:
    iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
    also works for me in dynamically changing the source address of the packets.
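The rules in posts #16 and #17 work, but the POSTROUTING rule rewrites the source of every TCP packet leaving eth0, not just the forwarded camera flow, and there is no FORWARD policy at all. The script below is an added example (not code from the thread) that keeps the same interfaces and addresses but narrows the SNAT to the DNATed connection and adds explicit FORWARD rules. The `run` helper and the `DRY_RUN` switch are this example's own: with `DRY_RUN=1` (the default) it only prints the commands, so it can be reviewed on a box without root; set `DRY_RUN=0` to apply it.

```shell
#!/bin/sh
# Added example for the DNAT + SNAT setup discussed in the thread. Addresses and
# interface names are the thread's; DRY_RUN, run, nat_rules and nat_checks are
# this example's own helpers, not anything iptables provides.

OUT_IF=eth0                 # interface on the camera's subnet (192.168.201.0/24)
IN_IF=eth1                  # interface on the laptop's subnet (192.168.200.0/24)
LISTEN_IP=192.168.200.10    # this box's eth1 address, where the laptop connects
LISTEN_PORT=54321
CAMERA_IP=192.168.201.51
CAMERA_PORT=80
SNAT_IP=192.168.201.50      # this box's eth0 address; the camera replies here

# DRY_RUN=1 prints each command instead of executing it.
DRY_RUN=${DRY_RUN:-1}
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

nat_rules() {
    # Forwarding is off by default; without it the DNATed SYN never leaves the box.
    run sysctl -w net.ipv4.ip_forward=1

    # 'iptables --flush' alone only clears the filter table; clear nat as well so
    # rules from earlier experiments do not linger.
    run iptables -F
    run iptables -t nat -F

    # 1. DNAT: laptop -> 192.168.200.10:54321 becomes -> 192.168.201.51:80.
    run iptables -t nat -A PREROUTING -i "$IN_IF" -p tcp -d "$LISTEN_IP" --dport "$LISTEN_PORT" \
        -j DNAT --to-destination "$CAMERA_IP:$CAMERA_PORT"

    # 2. SNAT only the connections that rule 1 translated (ctstate DNAT), not every
    #    TCP packet leaving eth0. The camera sees the request as coming from
    #    192.168.201.50 on its own subnet and replies straight to this box instead
    #    of handing the SYN-ACK to a default gateway that has no route back.
    run iptables -t nat -A POSTROUTING -o "$OUT_IF" -p tcp -d "$CAMERA_IP" --dport "$CAMERA_PORT" \
        -m conntrack --ctstate DNAT -j SNAT --to-source "$SNAT_IP"

    # 3. FORWARD: drop by default, allow only the translated flow and its replies.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$IN_IF" -o "$OUT_IF" -p tcp -d "$CAMERA_IP" --dport "$CAMERA_PORT" \
        -m conntrack --ctstate NEW -j ACCEPT
}

# After applying: packet counters on the nat and FORWARD rules should move, and
# the conntrack entry for the flow should show the original tuple on one side
# and the translated (camera / 192.168.201.50) tuple on the reply side.
nat_checks() {
    run iptables -t nat -L -n -v
    run iptables -L FORWARD -n -v
    run conntrack -L -p tcp --dport "$CAMERA_PORT"   # needs the conntrack-tools package
}

nat_rules
```

With a fixed address on eth0, SNAT is the better choice over the MASQUERADE variant from post #17: MASQUERADE looks up the interface address for every packet and drops its connection-tracking entries when the interface goes down, which is what you want on a dial-up or DHCP uplink but just extra work on a static LAN address.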
