
I have set up a network as in the image below:

[network diagram not reproduced]

Firewall (FW) running CentOS 6 has two physical interfaces with subinterfaces:
eth0:2 — 10.100.1.78/25
eth0:3 — 10.100.1.79/25
eth3 — 192.168.0.21/24
eth3:1 — 192.168.1.21/24

The task is to forward packets from Host C to either Host A or Host B on port 990. There is no router in the network and hosts don't see each other.

My solution:

1. Host C needs to connect to Host A.
2. Host C sends a packet destined to FW (10.100.1.79, eth0:3) on port 990.
3. FW receives it on eth0:3 and forwards it to Host A (192.168.0.21) with the same port 990.

iptables is empty and an ACCEPT-all policy is set, thus no packet is blocked. Here are the NAT rules:

```
iptables -A PREROUTING -t nat -p tcp -d 10.100.1.79 --dport 990 -j DNAT --to 192.168.0.21:990
iptables -A POSTROUTING -t nat -d 192.168.0.21 -p tcp -m tcp --dport 990 -j SNAT --to-source 10.100.1.79
iptables -A FORWARD -p tcp -i eth0:3 -d 192.168.0.22 --dport 990 -j ACCEPT
```

There is no service listening on port 990 on FW:

```
PORT      STATE SERVICE
22/tcp    open  ssh
23/tcp    open  telnet
25/tcp    open  smtp
111/tcp   open  rpcbind
631/tcp   open  ipp
10000/tcp open  snet-sensor-mgmt
```

Here is the `ip route` output:

```
10.100.1.0/25 dev eth0  proto kernel  scope link  src 10.100.1.76
192.168.1.0/24 dev eth3  proto kernel  scope link  src 192.168.1.21
192.168.0.0/24 dev eth3  proto kernel  scope link  src 192.168.0.21
```

When I try `telnet localhost 990`, the following message appears:

```
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
```

How can I accomplish the initial task? Do I have to have a service:990 running in order to forward packets?

asked Jan 23, 2014 at 14:45 by Gizat
  • "There is no router in the network and hosts don't see each other." I think this is wrong and you are actually using the FW as a router. Please think of reviewing the question. – Commented Jan 23, 2014 at 15:22
  • Thank you, Alan. The host C doesn't have a default gateway, so it doesn't see the other network. I should clarify the question: Is it possible for iptables to receive a packet specifically sent to FW's ipAddress:990 and port forward it out to Host B's ipAddress:990? (with no service listening on port 990 on FW) – Commented Jan 23, 2014 at 15:39
  • I may sound strange, and I am starting to think that it's not possible, but just needed a documented support, if such exist :-) – Commented Jan 23, 2014 at 15:40
  • What happens if you telnet to 10.100.1.79 instead of to 127.0.0.1? – Commented Jan 23, 2014 at 16:10
  • With that setup forwarding will only work when packets enter through eth0:3. Note that "localhost" uses the loopback interface, and you shouldn't mess with it. – Commented Sep 18, 2014 at 21:32

1 Answer

Try changing this from 21 to 22.

```
iptables -A PREROUTING -t nat -p tcp -d 10.100.1.79 --dport 990 -j DNAT --to 192.168.0.22:990
```

And dropping the:

```
iptables -A POSTROUTING -t nat -d 192.168.0.21 -p tcp -m tcp --dport 990 -j SNAT --to-source 10.100.1.79
```

I'll explain if it solves the problem.

answered Jan 23, 2014 at 15:48 by TheMeaningfulEngineer
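The following is an added example, not code from the question or the answer. It generates the iptables rule set for forwarding a TCP port from the firewall's public address to an internal host and runs the two sanity checks that the question's setup would have failed: the DNAT target must not be one of the firewall's own addresses (the original rule pointed at 192.168.0.21, which is the FW's eth3 address), and IP forwarding must be enabled in the kernel. The addresses mirror the question's topology; the internal host address 192.168.0.22 and the physical interface name eth0 are assumptions, as is the `/proc` path being a parameter so the check can be exercised against a file.

```shell
#!/bin/sh
# Added example (not the question's or answer's own rules). Builds a DNAT
# port-forward for FW_IP:PORT -> TARGET:PORT and checks two preconditions.
# Addresses follow the question; 192.168.0.22 and eth0 are assumptions.

# Precondition 1: the kernel must forward packets. The path argument defaults
# to the live sysctl file; pass another file to test the check offline.
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# Precondition 2: the DNAT target must be a remote host, not one of the
# firewall's own addresses (DNAT to a local address just delivers the packet
# to the firewall's own, absent, service on that port).
# $1: space-separated list of the firewall's addresses, $2: target address.
target_is_remote() {
    for a in $1; do
        [ "$a" = "$2" ] && return 1
    done
    return 0
}

# Print the rules. Arguments: public address, internal host, TCP port,
# physical ingress interface. iptables matches on the real device name
# (eth0); an alias name such as eth0:3 is not a device and never matches.
# The nat PREROUTING rule rewrites the destination; the FORWARD rules let
# the rewritten flow and its replies through the filter table.
forward_rules() {
    fw_ip=$1; target=$2; port=$3; iface=$4
    printf '%s\n' \
      "iptables -t nat -A PREROUTING -i $iface -p tcp -d $fw_ip --dport $port -j DNAT --to-destination $target:$port" \
      "iptables -A FORWARD -i $iface -p tcp -d $target --dport $port -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT" \
      "iptables -A FORWARD -o $iface -p tcp -s $target --sport $port -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Stand-alone run: print the rules for the question's topology.
main() {
    fw_addrs="10.100.1.78 10.100.1.79 192.168.0.21 192.168.1.21"
    target=192.168.0.22   # assumed address of Host A
    if ! target_is_remote "$fw_addrs" "$target"; then
        echo "refusing: $target is one of the firewall's own addresses" >&2
        return 1
    fi
    ip_forward_enabled || echo "warning: net.ipv4.ip_forward is 0; nothing will be forwarded" >&2
    forward_rules 10.100.1.79 "$target" 990 eth0
}

main
```

Two points follow from the rules. Testing with `telnet localhost 990` on the firewall never exercises this path: the packet is addressed to 127.0.0.1, so the `-d 10.100.1.79` match fails and the connection is refused by the firewall's own closed port, which is why the comments suggest connecting to 10.100.1.79 from Host C instead. Dropping the SNAT rule, as the answer proposes, leaves Host C's address as the source, so Host A must have a route back to 10.100.1.0/25 via 192.168.0.21; if it does not, keep a POSTROUTING SNAT (or MASQUERADE) rule so replies return through the firewall, at the cost of the internal service seeing only the firewall's address in its logs.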
