I'm creating a proxy server on Debian 8, and am trying to do DNAT on incoming packets, which are being forwarded from another server.

This is my iptables DNAT rule:

iptables -t nat -A PREROUTING -s 10.1.10.10/10 -j DNAT --to-destination 192.168.2.3 --persistent 

However, no packets are being detected and sent to 192.168.2.3. In Wireshark I see a lot of incoming packets with source IP 10.1.10.76, but they do not get a new destination IP.

As my server is a proxy I do not have an interface with source IPs in 10.1.10.10/10, so I'm wondering whether iptables is not listening for all packets.

UPDATE

It seems the nat rule is being hit, but the destination IP is not changed:

Every 2.0s: iptables -nvL -t nat                                                              Mon Jun 18 10:36:39 2018

Chain PREROUTING (policy ACCEPT 1647 packets, 75652 bytes)
 pkts bytes target     prot opt in     out     source               destination
  285 18890 DNAT       all  --  *      *       10.1.10.10/10       ! 10.1.10.10/10        to: 192.168.2.3 persistent

I've only got eth0 and eth1 with a single private and single public IP attached to it. ip route list only contains default via 192.168.2.255.

Alfred Balle

2 Answers

Adding:

iptables -A FORWARD -d 192.168.2.3 -j ACCEPT

makes it work. Apparently I need to allow the forwarding of packets.

Alfred Balle

I am using

iptables -A FORWARD -m conntrack --ctstate DNAT -j ACCEPT

to allow all DNATed packets through which usually is what you want when you start playing with NAT.

See man iptables-extensions for more details.

Tomek
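Both answers close the same gap, one with an ACCEPT for a single destination and one with an ACCEPT for every DNATed connection. The following POSIX sh script is an added example, not code from either poster: it reads an iptables-save dump and flags any DNAT rule whose target address has no matching ACCEPT in the FORWARD chain. The two dumps are constructed from the addresses in the question; the FORWARD DROP policy in them is an assumption, chosen to reproduce the symptom.

```shell
#!/bin/sh
# Added example (not from the thread): audit an iptables-save dump for DNAT
# rules whose rewritten traffic is not accepted by the FORWARD chain.
# Both dumps are constructed from the addresses in the question; the
# FORWARD DROP policy is assumed to reproduce the reported symptom.

# Ruleset mirroring the question: DNAT hit, but nothing lets the packet through.
BROKEN_DUMP='*nat
:PREROUTING ACCEPT [1647:75652]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -s 10.1.10.10/10 -j DNAT --to-destination 192.168.2.3 --persistent
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Same ruleset after adding the conntrack rule from the second answer.
FIXED_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -s 10.1.10.10/10 -j DNAT --to-destination 192.168.2.3 --persistent
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
COMMIT'

# dnat_targets DUMP: print the --to-destination value of every DNAT rule.
dnat_targets() {
  printf '%s\n' "$1" | awk '
    /-j DNAT/ { for (i = 1; i <= NF; i++) if ($i == "--to-destination") print $(i + 1) }'
}

# forward_allows DUMP ADDR: succeed if the FORWARD chain accepts packets to ADDR,
# by ACCEPT policy, by an explicit "-d ADDR" ACCEPT (first answer), or by a
# conntrack --ctstate DNAT ACCEPT (second answer).
forward_allows() {
  printf '%s\n' "$1" | awk -v addr="$2" '
    BEGIN { ok = 0 }
    /^:FORWARD ACCEPT/ { ok = 1 }
    /^-A FORWARD / && /-j ACCEPT/ {
      # iptables-save writes a host address as ADDR/32; accept both spellings
      if (index($0, "-d " addr "/32 ") || index($0, "-d " addr " ")) ok = 1
      if ($0 ~ /-m conntrack --ctstate [A-Z,]*DNAT/) ok = 1
    }
    END { exit ok ? 0 : 1 }'
}

# audit_dnat DUMP: report each DNAT target; return 1 if any lacks a FORWARD ACCEPT.
audit_dnat() {
  status=0
  for target in $(dnat_targets "$1"); do
    addr=${target%%:*}        # drop an optional :port from the DNAT target
    if forward_allows "$1" "$addr"; then
      echo "ok    DNAT to $target is accepted by FORWARD"
    else
      echo "MISS  DNAT to $target has no matching FORWARD ACCEPT rule"
      status=1
    fi
  done
  return $status
}

# Stand-alone demo; on a live host run:  audit_dnat "$(iptables-save)"
audit_dnat "$BROKEN_DUMP" || :
audit_dnat "$FIXED_DUMP"
```

The script only inspects the ruleset; forwarding additionally needs net.ipv4.ip_forward=1. Note that the conntrack variant accepts traffic to every DNAT target present in the nat table, so the per-destination rule from the first answer is the narrower choice when the proxy fronts a single backend.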