  • Server 1: 192.168.0.1
  • Server 2: 192.168.0.2
  • Server 3: 192.168.0.3

Server 2 has access to Server 3 on port 1521. The task is to set up port forwarding from Server1 -> Server2:5501 -> Server3:1521.

On Server2 I apply these settings:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp --dport 5501 \
         -j DNAT --to-destination 192.168.0.3:1521

or this option:

iptables -t nat -A PREROUTING --dst 192.168.0.2 -p tcp --dport 5501 \
         -j DNAT --to-destination 192.168.0.3:1521

I check from Server1 whether Server2:5501 is reachable with telnet 192.168.0.2 5501, but it does not work. Any tips on how to diagnose this? Or are my commands not correct?

  • Is this all the IPs you have? Are all three systems in one shared subnet? The reply must be sent back *directly to the original*, without reverse translation; there it is not recognized as a reply and is dropped. You can confirm this by capturing traffic with `tcpdump`. That said, why do you need all of that? Probably there is a much more elegant solution to your *original* problem which doesn't include dirty hacks like NAT and the like. For that, we'd like to know what the original problem was. – Nikita Kipriyanov Jul 05 '23 at 12:26
  • Sorry, but I hid the real IPs of the servers. The real IPs are in other subnets. I'll try tcpdump, thanks for the tip. Server1 does not have access to Server3; only Server2 has access to Server3. – AlexD Jul 05 '23 at 13:49
  • There is no point in hiding private IPs, so if these were 10.x.x.x or 192.168.x.x or 172... you know, don't hide them at all and present them as is, for your own sake. There is no security leak (if your security were to depend on that, you have really big problems, my friend). If they were public IPs, there is a point in hiding them, but in that case you need to be sure we see the correlations between them; if they are in different subnets, replace them with fake IPs that are in different subnets too (and don't invent fake IPs; use [RFC5735](https://www.rfc-editor.org/rfc/rfc5735) TEST-NET-n ones). – Nikita Kipriyanov Jul 05 '23 at 14:32
  • Well, that said, I really need that interrelation information to understand what's going on and to suggest a solution. And, again, I also asked for the **original problem** because your question looks very much like [the XY problem](https://xyproblem.info/) to me. What problem are you trying to solve with NAT? Why NAT? If all servers have public IPs, I swear, NAT may not be the best solution out there. Why won't you permit direct access (which would be the best so far)? – Nikita Kipriyanov Jul 05 '23 at 14:37
  • Thanks for the help. tcpdump and conntrack are very helpful tools. Problem solved. – AlexD Jul 06 '23 at 11:49
  • `iptables -t nat -A PREROUTING -d $SRCIP -p tcp -m tcp --dport $SRCPRT -j DNAT --to-destination $DESTIP:$DSTPRT`
    `iptables -t nat -A POSTROUTING -d $DESTIP -p tcp -m tcp --dport $DSTPRT -j SNAT --to-source $SRCIP` – AlexD Jul 06 '23 at 11:50
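The thread's conclusion as a script, added here as an example that is not part of the original question or comments. It installs the DNAT/SNAT pair from AlexD's last comment (the POSTROUTING SNAT is the piece missing from the question's DNAT-only rules: it makes Server3 answer Server2 instead of Server1, so the reply passes back through the translator and conntrack can undo the DNAT) and wraps the `conntrack`/`tcpdump` checks Nikita pointed to. The 192.168.0.x addresses are the question's placeholders; the `DRY_RUN` switch, the function names and the two FORWARD-chain accept rules (an assumption about a default-DROP forward policy that the thread does not mention) are mine.

```shell
#!/bin/sh
# Added example, not the original poster's script.
# Server2 relays TCP: Server1 -> Server2:5501 -> Server3:1521.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them (root on Server2).

RELAY_IP=${RELAY_IP:-192.168.0.2}    # Server2, the address Server1 connects to (question's placeholder)
RELAY_PORT=${RELAY_PORT:-5501}
TARGET_IP=${TARGET_IP:-192.168.0.3}  # Server3 (question's placeholder)
TARGET_PORT=${TARGET_PORT:-1521}
DRY_RUN=${DRY_RUN:-1}                # hypothetical switch, not an iptables feature

run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# DNAT rewrites the destination so the SYN is forwarded to Server3.
# SNAT rewrites the source so Server3's SYN-ACK is addressed to Server2;
# without it the SYN-ACK goes straight to Server1, which has no connection
# to 192.168.0.3:1521 and treats the packet as unexpected.
nat_rules() {
  run sysctl -w net.ipv4.ip_forward=1
  run iptables -t nat -A PREROUTING  -d "$RELAY_IP"  -p tcp -m tcp --dport "$RELAY_PORT" \
      -j DNAT --to-destination "$TARGET_IP:$TARGET_PORT"
  run iptables -t nat -A POSTROUTING -d "$TARGET_IP" -p tcp -m tcp --dport "$TARGET_PORT" \
      -j SNAT --to-source "$RELAY_IP"
  # Assumption: FORWARD policy is DROP, so the relayed flow needs explicit accepts.
  run iptables -A FORWARD -p tcp -d "$TARGET_IP" --dport "$TARGET_PORT" \
      -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Checks to run on Server2 while Server1 runs: telnet 192.168.0.2 5501
diagnose() {
  # 1) forwarding must be on, otherwise the DNATed SYN is never sent on.
  run sysctl net.ipv4.ip_forward
  # 2) conntrack keys the flow on the pre-NAT tuple (dport 5501). A healthy entry
  #    shows both tuples and reaches ESTABLISHED; one that stays SYN_SENT with
  #    [UNREPLIED] means the reply never came back through this host.
  run conntrack -L -p tcp --dport "$RELAY_PORT"
  # 3) watch where the SYN-ACK from port 1521 is addressed: to Server2 (SNAT
  #    working) or directly to Server1 (the DNAT-only failure in the question).
  run tcpdump -ni any -c 20 "tcp port $TARGET_PORT or tcp port $RELAY_PORT"
}

case "${1:-rules}" in
  rules)    nat_rules ;;
  diagnose) diagnose ;;
esac
```

Run it as `./relay.sh` to see the rule set, `DRY_RUN=0 ./relay.sh` to apply it, and `DRY_RUN=0 ./relay.sh diagnose` to capture the handshake. The SNAT costs Server3 the real client address (every relayed connection appears to come from Server2), which is one reason the comments ask whether direct access would serve better than NAT.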
