
On server 1.1.1.1:

# Log before DNAT: DNAT is a terminating target, and only the first packet of a connection traverses the nat table
iptables -t nat -A PREROUTING -p tcp --dport 20000 -j LOG --log-prefix pre20k

# Rewrite the destination to the backend (the original had a stray ":" after --to-destination, which iptables rejects)
iptables -t nat -A PREROUTING -p tcp --dport 20000 -j DNAT --to-destination 2.2.2.2:20000

# Log what leaves the gateway after routing, so the rewritten destination and the unchanged source can be seen
iptables -t nat -A POSTROUTING -p tcp --dport 20000 -j LOG --log-prefix post20k

On server 2.2.2.2:

iptables -t nat -A PREROUTING -p tcp --dport 20000 -j LOG --log-prefix pre20k

On client 3.3.3.3:

nc 1.1.1.1 20000

I can see in the logs of 1.1.1.1 that POSTROUTING packets do have SIP=3.3.3.3 and DIP=2.2.2.2 (and not 1.1.1.1 as in the original PREROUTING packet).

However, none of the packets sent from 1.1.1.1 arrive at 2.2.2.2. I cannot see them in the iptables log or in tcpdump.

Why?

  • The rules look fine, assuming there are no rules in the filter table that interfere with the packet processing. Maybe there is something else in between that might kill the packets? – dadriel Jul 29 '15 at 10:49
  • When I add the following rule, server 2.2.2.2 starts to get the packets: iptables -t nat -A POSTROUTING -p tcp --dport 20000 -j SNAT --to-source 1.1.1.1. This means that packets coming out of 1.1.1.1 with a SIP that is not 1.1.1.1 are somehow dropped. What can be the reason? No other rules are defined. Both machines are on the DigitalOcean cloud. – rlib Jul 29 '15 at 11:35

1 Answer


The machines I was testing the rules on sit on the DigitalOcean cloud. I googled and found:

"Since the gateway box is attempting to send a packet that has a different source address from itself, it will not be allowed through."

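The complete forwarding set-up that the question and the answer converge on, as an added example that is not part of the original post or answer: DNAT on the gateway plus the POSTROUTING SNAT that makes the forwarded packets leave with the gateway's own address, so a network that drops spoofed-looking sources (the behaviour the answer quotes) will pass them. It also enables IP forwarding and opens the FORWARD chain, which the post's nat-only rules never touch. The addresses 1.1.1.1, 2.2.2.2 and port 20000 are the post's placeholders; the `iptables -S` listing fed to the checker is constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post or answer.
# Gateway $gw forwards tcp/$port to backend $backend and rewrites the
# source to its own address so the cloud network's source-address filter
# does not drop the forwarded packets.
set -eu

# Emit the rule set, one command per line, so it can be reviewed or diffed
# before it is applied. Addresses are placeholders from the post.
forward_rules() {
    gw=$1; backend=$2; port=$3
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -d $gw -p tcp --dport $port -j LOG --log-prefix "pre$port "
iptables -t nat -A PREROUTING -d $gw -p tcp --dport $port -j DNAT --to-destination $backend:$port
iptables -A FORWARD -d $backend -p tcp --dport $port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s $backend -p tcp --sport $port -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -d $backend -p tcp --dport $port -j SNAT --to-source $gw
EOF
}

# Apply the emitted rules on the gateway; refuses to run unprivileged.
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: run as root on the gateway" >&2
        return 1
    fi
    forward_rules "$@" | sh -e
}

# Diagnose the symptom from the post: read an `iptables -t nat -S POSTROUTING`
# listing on stdin and return 0 only if the SNAT for $1 (backend) to $2
# (gateway) is present. iptables -S prints hosts as /32 and the SNAT as
# "-j SNAT --to-source <gw>". Without this rule the DNAT'd packets leave
# with the client's source address and the provider network drops them.
has_snat_for() {
    backend=$1; gw=$2
    if grep -q -- "-d $backend/32 .*-j SNAT --to-source $gw"; then
        return 0
    fi
    return 1
}

# Stand-alone use: print the rules for the post's placeholder hosts.
if [ $# -eq 3 ]; then
    forward_rules "$@"
fi
```

Usage on the gateway is `sh forward.sh 1.1.1.1 2.2.2.2 20000 | sudo sh -e`, or `apply_rules 1.1.1.1 2.2.2.2 20000` from a root shell that has sourced the file. The trade-off of the SNAT is that 2.2.2.2 now sees every forwarded connection as coming from 1.1.1.1, so the client address is only available in the gateway's logs; if the gateway's public address changes, `-j MASQUERADE` in place of `-j SNAT --to-source` picks it up automatically. Checking the live host is `iptables -t nat -S POSTROUTING | has_snat_for 2.2.2.2 1.1.1.1`.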