
I have set up a network as in the image below:

[image: network diagram]

Firewall (FW) running CentOS 6 has two physical interfaces with subinterfaces:
eth0:2 — 10.100.1.78/25
eth0:3 — 10.100.1.79/25
eth3 — 192.168.0.21/24
eth3:1 — 192.168.1.21/24

The task is to forward packets from Host C to either Host A or Host B on port 990. There is no router in the network and hosts don't see each other.

My solution:
Host C needs to connect to Host A.
Host C sends a packet destined to FW (10.100.1.79, eth0:3) on port 990.
FW receives it on eth0:3 and forwards it to Host A (192.168.0.21) with the same port 990.

The iptables rule set is empty and an ACCEPT-all policy is set, so no packet is blocked. Here are the NAT rules:

iptables -A PREROUTING -t nat -p tcp -d 10.100.1.79 --dport 990 -j DNAT --to 192.168.0.21:990
iptables -A POSTROUTING -t nat -d 192.168.0.21 -p tcp -m tcp --dport 990 -j SNAT --to-source 10.100.1.79
iptables -A FORWARD -p tcp -i eth0:3 -d 192.168.0.22 --dport 990 -j ACCEPT

There is no service listening on port 990 on FW.

PORT      STATE SERVICE
22/tcp    open  ssh
23/tcp    open  telnet
25/tcp    open  smtp
111/tcp   open  rpcbind
631/tcp   open  ipp
10000/tcp open  snet-sensor-mgmt

Here is the ip route:

10.100.1.0/25 dev eth0  proto kernel  scope link  src 10.100.1.76
192.168.1.0/24 dev eth3  proto kernel  scope link  src 192.168.1.21
192.168.0.0/24 dev eth3  proto kernel  scope link  src 192.168.0.21

When I try telnet localhost 990, the following message appears:

Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused

How can I accomplish the initial task? Do I have to have a service:990 running in order to forward packets?

  • There is no router in the network and hosts don't see each other. I think this is wrong and you are actually using the FW as a router. Please think of reviewing the question. Commented Jan 23, 2014 at 15:22
  • Thank you, Alan. The host C doesn't have a default gateway, so it doesn't see the other network. I should clarify the question: Is it possible for iptables to receive a packet specifically sent to FW's ipAddress:990 and port forward it out to Host B's ipAddress:990? (with no service listening on port 990 on FW) Commented Jan 23, 2014 at 15:39
  • I may sound strange, and I am starting to think that it's not possible, but just needed a documented support, if such exists :-) Commented Jan 23, 2014 at 15:40
  • What happens if you telnet to 10.100.1.79 instead of to 127.0.0.1? Commented Jan 23, 2014 at 16:10
  • With that setup forwarding will only work when packets enter through eth0:3. Note that "localhost" uses the loopback interface, and you shouldn't mess with it. Commented Sep 18, 2014 at 21:32

1 Answer


Try changing this from 21 to 22.

iptables -A PREROUTING -t nat -p tcp -d 10.100.1.79 --dport 990 -j DNAT --to 192.168.0.22:990

And dropping the:

iptables -A POSTROUTING -t nat -d 192.168.0.21 -p tcp -m tcp --dport 990 -j SNAT --to-source 10.100.1.79

I'll explain if it solves the problem.
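The corrected forward, as an added example that is not code from the question or the answer: a dry-run script that emits the rules for this topology and lints a rule set for the two mistakes visible in the question, the alias label eth0:3 used with -i, and a DNAT target that does not match the FORWARD destination. Addresses and interface names are taken from the question; using 192.168.0.22 as Host A follows the answer and is an assumption.

```bash
#!/bin/bash
# Added example, not code from the question or the answer: builds the
# corrected forward for this topology and lints a rule set for the two
# mistakes in the question. Addresses are from the question; 192.168.0.22
# as Host A follows the answer and is an assumption.
set -eu

FW_PUBLIC=10.100.1.79       # eth0:3 alias address on the firewall
FW_PUBLIC_IF=eth0           # physical interface; "eth0:3" is only an alias label
TARGET=192.168.0.22         # Host A (assumed); .21 is the firewall's own eth3 address
PORT=990
IPT="${IPT:-echo iptables}" # dry-run by default; run with IPT=iptables as root to apply

# Emit the corrected rules. DNAT happens in nat/PREROUTING, before the kernel
# decides whether the packet is local, so nothing needs to listen on $PORT on
# the firewall. Locally generated traffic (telnet localhost) takes nat/OUTPUT
# instead and never hits this rule, so test from Host C, not from the firewall.
port_forward_rules() {
    $IPT -t nat -A PREROUTING -i "$FW_PUBLIC_IF" -p tcp -d "$FW_PUBLIC" --dport "$PORT" \
         -j DNAT --to-destination "$TARGET:$PORT"
    $IPT -A FORWARD -i "$FW_PUBLIC_IF" -p tcp -d "$TARGET" --dport "$PORT" -j ACCEPT
    # Replies only need to be accepted as part of an established connection.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Lint a rule set (one rule per line) for the two errors in the question:
#  1. "-i eth0:3": alias labels never match, the packet arrives on eth0;
#  2. the DNAT target and the FORWARD destination differ (.21 vs .22).
# Prints each finding; returns 0 when clean, 1 otherwise.
lint_rules() {
    local rules="$1" rc=0 dnat_ip fwd_ip
    if printf '%s\n' "$rules" | grep -Eq -- '-i [a-z0-9]+:[0-9]+'; then
        echo "alias interface used with -i; match on the physical interface instead"
        rc=1
    fi
    dnat_ip=$(printf '%s\n' "$rules" | sed -n 's/.*DNAT --to[-a-z]* \([0-9.]*\):.*/\1/p' | head -n1)
    fwd_ip=$(printf '%s\n' "$rules" | sed -n '/FORWARD/s/.*-d \([0-9.]*\).*/\1/p' | head -n1)
    if [ -n "$dnat_ip" ] && [ -n "$fwd_ip" ] && [ "$dnat_ip" != "$fwd_ip" ]; then
        echo "DNAT target $dnat_ip does not match FORWARD destination $fwd_ip"
        rc=1
    fi
    return "$rc"
}

# Dry-run: print the rules, then check them.
port_forward_rules
lint_rules "$(port_forward_rules)"
```

Run as root with IPT=iptables to apply; net.ipv4.ip_forward must also be 1 for the FORWARD chain to see the packets at all.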
