iptables port forwarding to non local ip addresses - Networking


  1. iptables port forwarding to non local ip addresses

    Hi,
    I have trouble with port forwarding.
    When I try to forward a public port to an internal, directly connected
    IP it is OK, but I also have to port forward to a host connected via
    VPN.

    PUBLIC
    |
    |
    IPTABLES linux box with OpenVPN
    | network 10.2.0.0
    |
    OpenVPN Client
    | network 10.11.0.0
    |
    Internal server

    I can do all the port forwarding I want to the 10.2.0.0 network; the
    internet is full of good documentation about that. The pain starts
    when forwarding to the 10.11.0.0 network.

    Obviously the internal networking is OK: from the iptables Linux box's
    console I can ping and traceroute the whole network.

    Does anyone have any ideas?

  2. Re: iptables port forwarding to non local ip addresses

    Hello,

    Raptolino wrote:
    > I have trouble with port forwarding.
    > When I try to forward a public port to an internal, directly connected
    > IP it is OK, but I also have to port forward to a host connected via
    > VPN.
    >
    > PUBLIC
    > |
    > |
    > IPTABLES linux box with OpenVPN
    > | network 10.2.0.0
    > |
    > OpenVPN Client
    > | network 10.11.0.0
    > |
    > Internal server

    Is the OpenVPN client on the 10.2.0.0 LAN?

    > I can do all the port forwarding I want to the 10.2.0.0 network; the
    > internet is full of good documentation about that. The pain starts
    > when forwarding to the 10.11.0.0 network.

    What kind of pain? This is all very vague. Please provide more info
    about your setup.

    > Obviously the internal networking is OK: from the iptables Linux box's
    > console I can ping and traceroute the whole network.

    What network?

    > Does anyone have any ideas?

    Check the return path. Stateful NAT requires symmetric routing.

  3. Re: iptables port forwarding to non local ip addresses

    On 21 Nov, 17:00, Pascal Hambourg wrote:
    > Hello,
    >
    > Raptolino wrote:
    >
    > > I have trouble with port forwarding.
    > > When I try to forward a public port to an internal, directly
    > > connected IP it is OK, but I also have to port forward to a host
    > > connected via VPN.
    > >
    > > PUBLIC
    > > |
    > > |
    > > IPTABLES linux box with OpenVPN
    > > | network 10.2.0.0
    > > |
    > > OpenVPN Client
    > > | network 10.11.0.0
    > > |
    > > Internal server
    >
    > Is the OpenVPN client on the 10.2.0.0 LAN?
    >
    > > I can do all the port forwarding I want to the 10.2.0.0 network;
    > > the internet is full of good documentation about that. The pain
    > > starts when forwarding to the 10.11.0.0 network.
    >
    > What kind of pain? This is all very vague. Please provide more info
    > about your setup.
    >
    > > Obviously the internal networking is OK: from the iptables Linux
    > > box's console I can ping and traceroute the whole network.
    >
    > What network?
    >
    > > Does anyone have any ideas?
    >
    > Check the return path. Stateful NAT requires symmetric routing.

    Hey, thanks for your reply,
    let me try to explain better.

    PUBLIC_IP
    |
    |
    Serverfarm Linux Box OpenVPN Server 10.2.1.1 (ping 10.11.11.1 OK)
    |
    | Bridged vpn 10.2.x.x
    |
    Office Linux Box 10.2.1.2
    |
    | internal lan 10.11.x.x
    |
    Internal server 10.11.11.1 (ping 10.2.1.1 OK)


    I can successfully port forward from public_ip to the whole 10.2.x.x
    network. I can't port forward from public_ip to 10.11.x.x.

    On the internet everyone talks about port forwarding to an internal
    IP (in my case 10.2.x.x); I couldn't find any experience with port
    forwarding to routed networks (in my case 10.11.x.x).
    Has anyone tried that before?

  4. Re: iptables port forwarding to non local ip addresses

    ,--- Raptolino writes:

    [...]

    | Hey, thanks for your reply,
    | let me try to explain better.

    | PUBLIC_IP
    | |
    | |
    | Serverfarm Linux Box OpenVPN Server 10.2.1.1 (ping 10.11.11.1 OK)
    | |
    | | Bridged vpn 10.2.x.x
    | |
    | Office Linux Box 10.2.1.2
    | |
    | | internal lan 10.11.x.x
    | |
    | Internal server 10.11.11.1 (ping 10.2.1.1 OK)


    | I can successfully port forward from public_ip to the whole 10.2.x.x
    | network. I can't port forward from public_ip to 10.11.x.x.

    | On the internet everyone talks about port forwarding to an internal
    | IP (in my case 10.2.x.x); I couldn't find any experience with port
    | forwarding to routed networks (in my case 10.11.x.x).
    | Has anyone tried that before?

    I've no experience of OpenVPN, but have you tried specifying a
    10.11.x.x address as the destination of the DNAT target on the
    'Serverfarm Linux Box', since you're able to ping 10.11.x.x addresses
    from that box? Hmm...?

    --
    Ashish Shukla आशीष शुक्ल http://wahjava.wordpress.com/

  5. Re: iptables port forwarding to non local ip addresses

    Raptolino wrote:
    > let me try to explain better.
    >
    > PUBLIC_IP
    > |
    > |
    > Serverfarm Linux Box OpenVPN Server 10.2.1.1 (ping 10.11.11.1 OK)
    > |
    > | Bridged vpn 10.2.x.x
    > |
    > Office Linux Box 10.2.1.2
    > |
    > | internal lan 10.11.x.x
    > |
    > Internal server 10.11.11.1 (ping 10.2.1.1 OK)


    Ok, that's a bit clearer. I guess that the office box also has an
    address in 10.11.x.x?

    > I can successfully port forward from public_ip to the whole 10.2.x.x
    > network. I can't port forward from public_ip to 10.11.x.x.


    I expected a more detailed description of the problem. What you did,
    what result you expected, what actually happened. Don't be afraid to
    include iptables rules, routing tables, packet sniffer output on all
    involved machines... Nothing is worse than just "it doesn't work".

    > On the internet everyone talks about port forwarding to an internal
    > IP (in my case 10.2.x.x); I couldn't find any experience with port
    > forwarding to routed networks (in my case 10.11.x.x).


    It's not really different. In all cases port forwarding is basically
    destination NAT. The important point that must be kept in mind is that
    return traffic from the server must be routed back to the box doing the
    port forwarding, so the reverse DNAT can be performed properly.

    Is the office box the default gateway for the internal server?
    If yes, is the serverfarm box the default gateway for the VPN client?
    Can you please provide the routing tables of the internal server and the
    office box?
