I have a server (S1) inside a LAN, where the router is outside my control. OpenVPN is installed on the server and I can log in to it with ssh. There is another server (S2) on the LAN, and I want to forward a port on S2 to a port on S1.
If I do:
sudo iptables -t nat -A PREROUTING -p tcp -m tcp -d S1 --dport 8001 -j DNAT --to-destination S2:80
and then try to connect to S1:8001 from my computer, I have on S1's LAN interface:
IP **my_vpn_ip**.48174 > S2.80: Flags [S], seq 4243753453, win 14600, options [mss 1368,sackOK,TS val 89266048 ecr 0,nop,wscale 7], length 0
Obviously it does not work, as S2 does not have a route to my computer and cannot send a reply. Is it possible to spoof the source on S1 to have the packets come back and then do NAT?
It is not possible to change routes on S2, as it is an IP Camera with very limited functionality.
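The setup described above, as an added example that is not part of the original post: a source-NAT rule next to the DNAT rule makes S2 see S1's LAN address as the client, so its replies return to S1 without any route change on S2. The addresses, the VPN subnet and the `nat_rules` helper are constructed placeholders, and the client is assumed to connect to S1's LAN address.

```shell
#!/bin/sh
# Added example (not from the original post): print the iptables rules S1
# needs so that S2's replies come back through S1. Nothing is applied here;
# pipe the output into `sudo sh` on S1 to install the rules.

# nat_rules S1_LAN_IP S1_PORT S2_IP S2_PORT VPN_NET   (hypothetical helper)
nat_rules() {
    s1=$1; s1_port=$2; s2=$3; s2_port=$4; vpn_net=$5

    # Reject anything that is not a TCP port number before building rules.
    for p in "$s1_port" "$s2_port"; do
        case $p in
            ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "bad port: $p" >&2; return 1; }
    done

    # 1. Destination NAT, as in the post, limited to VPN clients:
    #    VPN client -> S1:S1_PORT becomes VPN client -> S2:S2_PORT.
    echo "iptables -t nat -A PREROUTING -s $vpn_net -d $s1 -p tcp -m tcp --dport $s1_port -j DNAT --to-destination $s2:$s2_port"

    # 2. Source NAT on the way out: S2 sees S1's LAN address instead of the
    #    VPN address it has no route to, and answers S1 directly.
    #    Conntrack reverses both translations on the reply.
    echo "iptables -t nat -A POSTROUTING -s $vpn_net -d $s2 -p tcp -m tcp --dport $s2_port -j SNAT --to-source $s1"

    # 3. Allow only this flow through the FORWARD chain, plus its replies,
    #    so the rest of the LAN is not opened to VPN clients.
    echo "iptables -A FORWARD -s $vpn_net -d $s2 -p tcp -m tcp --dport $s2_port -j ACCEPT"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Constructed sample values: S1 = 192.0.2.10, S2 = 192.0.2.20,
# VPN clients in 10.8.0.0/24.
nat_rules 192.0.2.10 8001 192.0.2.20 80 10.8.0.0/24
```

With the SNAT rule in place, S2 logs every connection as coming from S1, so the VPN client's real address is only visible in S1's conntrack table or logs.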