#1 Port forwarding issues using iptables - trials with netcat
Just Joined! | Join Date: May 2011 | Posts: 2

    Hi,
    I have two 64 bit SLES 11 virtual machines running in the same subnet with two network cards each as shown below.

    VM1------------------------------------------------------------------------------
    appstage1:~ # ifconfig
    eth0 Link encap:Ethernet HWaddr 00:0C:29:22:5A:24
    inet addr:192.168.128.12 Bcast:192.168.128.255 Mask:255.255.255.0
    inet6 addr: fe80::20c:29ff:fe22:5a24/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:139025 errors:0 dropped:0 overruns:0 frame:0
    TX packets:131513 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:29084764 (27.7 Mb) TX bytes:110846633 (105.7 Mb)

    eth1 Link encap:Ethernet HWaddr 00:0C:29:22:5A:2E
    inet addr:192.168.200.10 Bcast:192.168.200.255 Mask:255.255.255.0
    inet6 addr: fe80::20c:29ff:fe22:5a2e/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:5410 errors:0 dropped:0 overruns:0 frame:0
    TX packets:197 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:593563 (579.6 Kb) TX bytes:13289 (12.9 Kb)

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    inet6 addr: ::1/128 Scope:Host
    UP LOOPBACK RUNNING MTU:16436 Metric:1
    RX packets:34308 errors:0 dropped:0 overruns:0 frame:0
    TX packets:34308 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:2648218 (2.5 Mb) TX bytes:2648218 (2.5 Mb)

    VM2------------------------------------------------------------------------------
    dbstage1:~ # ifconfig
    eth0 Link encap:Ethernet HWaddr 00:0C:29:43:D8:A2
    inet addr:192.168.128.13 Bcast:192.168.128.255 Mask:255.255.255.0
    inet6 addr: fe80::20c:29ff:fe43:d8a2/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:9940 errors:0 dropped:0 overruns:0 frame:0
    TX packets:4650 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:988186 (965.0 Kb) TX bytes:1040930 (1016.5 Kb)

    eth1 Link encap:Ethernet HWaddr 00:0C:29:43:D8:AC
    inet addr:192.168.200.11 Bcast:192.168.200.255 Mask:255.255.255.0
    inet6 addr: fe80::20c:29ff:fe43:d8ac/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:8936 errors:0 dropped:0 overruns:0 frame:0
    TX packets:4272 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:1626915 (1.5 Mb) TX bytes:887984 (867.1 Kb)

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    inet6 addr: ::1/128 Scope:Host
    UP LOOPBACK RUNNING MTU:16436 Metric:1
    RX packets:2104 errors:0 dropped:0 overruns:0 frame:0
    TX packets:2104 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:115180 (112.4 Kb) TX bytes:115180 (112.4 Kb)
    ---------------------------------------------------------------------------------

    The firewall is switched off in both machines. eth1 is an internal LAN between VM1
    and VM2 as shown below.

    LAN<------eth0(192.168.128.12)-VM1-(192.168.200.10)eth1------/
    -----eth1(192.168.200.11)-VM2-(192.168.128.13)eth0------>LAN

    I have enabled port forwarding on port 2055 of VM1 to the same port on VM2
    via the commands:

    > echo "1" > /proc/sys/net/ipv4/ip_forward
    > iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 2055 -j DNAT --to 192.168.200.11:2055
    > iptables -A FORWARD -p tcp -i eth0 -d 192.168.200.11 --dport 2055 -j ACCEPT

    Now from a third machine (VM3), if I connect to port 2055 of VM1 via the command
    netcat -v 192.168.128.12 2055, I thought I should get the connection in VM2 because of the forwarded port. This is not happening. I am listening in VM2 via the command netcat -lv -p 2055.
    If I flush the iptables and then try netcat, I am able to connect to
    VM1 and VM2 from VM3 separately. With port forwarding it does not seem to send the standard input from VM3 to VM2 via VM1. I enabled the INPUT chain also, thinking that could be the reason. But it is not.
    My nat and filter tables in VM1 look like this.

    ---------------------------------------------------------------------------------
    appstage1:~ # iptables -nL
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2055

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    ACCEPT tcp -- 0.0.0.0/0 192.168.200.11 tcp dpt:2055

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    ---------------------------------------------------------------------------------
    appstage1:~ # iptables -nL -t nat
    Chain PREROUTING (policy ACCEPT)
    target prot opt source destination
    DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2055 to:192.168.200.11:2055

    Chain POSTROUTING (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    ---------------------------------------------------------------------------------

    Ultimately my DB will run in VM2 and any DB requests coming in at 2055 of VM1 should be forwarded to port 2055 of VM2. Since I do not yet have a DB running I am trying to test with netcat. I am juggling with some tcpdump/traceroute commands but am yet to get the hang of it.
    If anyone knows where the port forwarding config is wrong please enlighten me.

    Thanks,
    Sekhar.
    Last edited by mail2sekh; 05-18-2011 at 12:41 PM. Reason: Additional info

#2 Some progress!
Just Joined! | Join Date: May 2011 | Posts: 2

    Hi,
    Further investigation results, in case it helps somebody or somebody can still help me?!

    If I add an SNAT to the POSTROUTING chain like :

    > iptables -t nat -A POSTROUTING -p tcp --dport 2055 -j SNAT --to 192.168.200.10

    then port forwarding works fine and I am able to connect (via netcat or otherwise) to VM2 from VM3 via VM1. With this SNAT, forwarding works even if I delete the FORWARD chain rule. This does not make sense, because wherever I read, it said that adding only a PREROUTING rule is not enough and that I have to accept packets coming in on the FORWARD chain as well via the command

    "iptables -A FORWARD -p tcp -i eth0 -d 192.168.200.11 --dport 2055 -j ACCEPT" as I mentioned in my first post.

    Now if I start the firewall and then apply my rules, it again does not forward. So I manually enable masquerading (FW_MASQUERADE="yes") and specify my requested IP/ports in the /etc/sysconfig/SuSEfirewall2 config file with
    FW_FORWARD_MASQ="192.168.128.0/24,192.168.200.11,tcp,2055". Then forwarding works again.

    Guess I am missing something in the fundamentals of port forwarding with iptables. But for now it works!
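An added simulation (not the poster's configuration) of the three-VM path in both posts above: it models why DNAT alone leaves VM3 holding a SYN-ACK from 192.168.200.11, an address its socket never talked to, while the POSTROUTING SNAT steers VM2's reply back through VM1 where conntrack can undo the translation. The VM addresses and port 2055 come from the thread; VM3's address, the client port and the simplified conntrack/routing rules are assumptions.

```python
"""Model of the three-VM DNAT path from this thread (added example, not the poster's code).
VM3's address, the client port and the simplified conntrack/routing rules are assumptions."""
import ipaddress
from dataclasses import dataclass, replace

VM1_LAN, VM1_INT = "192.168.128.12", "192.168.200.10"  # appstage1 eth0 / eth1
VM2_INT = "192.168.200.11"                             # dbstage1 eth1 (DNAT target)
VM3 = "192.168.128.50"            # assumed: third machine on the eth0 LAN, like VM2's eth0
PORT = 2055
LAN = ipaddress.ip_network("192.168.128.0/24")         # on-link via eth0 from VM2

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flag: str  # "SYN" or "SYN-ACK"

def vm1_nat_in(pkt: Pkt, snat: bool) -> Pkt:
    """VM1 PREROUTING: DNAT eth0:2055 -> VM2_INT:2055. With snat=True the POSTROUTING
    SNAT from post #2 also rewrites the source to VM1's own eth1 address."""
    out = replace(pkt, dst=VM2_INT)
    return replace(out, src=VM1_INT) if snat else out

def vm2_reply(pkt: Pkt) -> tuple[str, Pkt]:
    """VM2 answers the SYN. Its routing table picks the exit interface by destination:
    anything in 192.168.128.0/24 is on-link via eth0 and never passes through VM1."""
    reply = Pkt(src=pkt.dst, sport=pkt.dport, dst=pkt.src, dport=pkt.sport, flag="SYN-ACK")
    iface = "eth0" if ipaddress.ip_address(reply.dst) in LAN else "eth1"
    return iface, reply

def vm1_nat_out(reply: Pkt, orig: Pkt) -> Pkt:
    """VM1 conntrack undoes both translations for a reply that comes back in on eth1."""
    return replace(reply, src=orig.dst, dst=orig.src, dport=orig.sport)

def handshake(snat: bool) -> tuple[bool, Pkt]:
    """Return (VM3 accepts the SYN-ACK, packet VM3 actually receives) for one SYN."""
    syn = Pkt(src=VM3, sport=40000, dst=VM1_LAN, dport=PORT, flag="SYN")
    iface, reply = vm2_reply(vm1_nat_in(syn, snat))
    seen = vm1_nat_out(reply, syn) if iface == "eth1" else reply  # eth0: straight to VM3
    # VM3's socket talks to 192.168.128.12:2055; a SYN-ACK from any other tuple is dropped.
    ok = (seen.src, seen.sport, seen.dst, seen.dport) == (syn.dst, syn.dport, syn.src, syn.sport)
    return ok, seen

if __name__ == "__main__":
    for snat in (False, True):
        ok, seen = handshake(snat)
        print(f"SNAT={snat}: SYN-ACK reaches VM3 from {seen.src}:{seen.sport}, accepted={ok}")
```

The FORWARD rule does not enter the model because the listing in post #1 shows that chain with policy ACCEPT, so deleting the rule changes nothing; a DROP policy there would block the forwarded SYN regardless of NAT.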
