DNAT in SuSEFirewall2

OK, I've been fighting with this for hours now. Here is the story:

I have a server with a Xen virtual machine. The VM uses the address 192.168.0.4. The same server has two more network cards, one with the IP 192.168.0.1 and one with the IP 192.168.1.10.

Now - what I want to do is make a simple port redirection:

192.168.1.10:80 → 192.168.0.4:80

So all the traffic that comes in on port 80 on 192.168.1.10 gets to the VM, and the replies come back the same way.

This is how I tried to achieve this:

iptables -t nat -I PREROUTING -p tcp -d 192.168.1.10 --dport 80 -j DNAT --to 192.168.0.4:80

This doesn’t work.

Can you give me any clue, any idea, solution - how can I manage to get this working?

Try this:

iptables -t nat -A PREROUTING -p tcp -d 192.168.1.10 --dport 80 -j DNAT --to-destination 192.168.0.4:80

Actually, it’s the same as in my example.

--to is a bit different from --to-destination; it is an offset option.
Also, the example uses -A instead of -I.

Neither of them works.

Ok, here is a clue. When I launch:

iptables -t nat -I PREROUTING -p tcp -i eth0 -d 192.168.4.1 --dport 80 --sport 1024:65535 -j DNAT --to-destination 212.77.100.101

The whole thing works fine - entering 192.168.4.1 as a destination address redirects me to 212.77.100.101. The problem comes up when I try to redirect to a destination in my LAN. Any idea?

Are you sure IP forwarding is enabled in the kernel?

cat /proc/sys/net/ipv4/ip_forward

If you get 0, it's disabled; enable it with:

echo 1 > /proc/sys/net/ipv4/ip_forward

To make it permanent, open /etc/sysctl.conf and add the following line:

net.ipv4.ip_forward = 1

EDIT: Also try the --to-port option.
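An added example (not posted by anyone in this thread) that puts the whole redirection together, using the thread's addresses. Three things bite people who only add the PREROUTING rule: a DNATed packet still has to pass the FORWARD chain, which SuSEFirewall2 fills with its own (mostly dropping) rules; packets generated on the firewall host itself never see PREROUTING, so testing with a browser on the host needs the same DNAT in the nat OUTPUT chain; and a client sitting on the VM's own subnet will get the VM's reply directly, bypassing conntrack, unless the source is rewritten too. It also assumes the VM's default gateway is the host (192.168.0.1), otherwise replies never pass back through the box to be un-DNATed. The interface name eth1 and the subnet 192.168.0.0/24 are assumptions; change them to match the machine.

```shell
#!/bin/sh
# Added example, not from the thread: the complete iptables rule set for
# 192.168.1.10:80 -> 192.168.0.4:80, plus the ip_forward check from the reply.
# Addresses are the thread's; VM_IF (eth1) and VM_NET (192.168.0.0/24) are
# assumptions, and the VM's default gateway is assumed to be the host.

PUB_IP=${PUB_IP:-192.168.1.10}
PUB_PORT=${PUB_PORT:-80}
VM_IP=${VM_IP:-192.168.0.4}
VM_PORT=${VM_PORT:-80}
VM_IF=${VM_IF:-eth1}              # assumed: host interface on the VM's subnet
VM_NET=${VM_NET:-192.168.0.0/24}  # assumed: the VM's subnet

# Return 0 when forwarding is on in the given sysctl file (default: the live one).
ip_forward_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Emit the rules one per line instead of running them, so they can be reviewed
# (or tested) without root and without an iptables binary on the box.
portfwd_rules() {
    pub_ip=$1; pub_port=$2; vm_ip=$3; vm_port=$4; vm_if=$5; vm_net=$6
    # 1. Rewrite the destination of connections arriving from other hosts.
    echo "iptables -t nat -A PREROUTING -p tcp -d $pub_ip --dport $pub_port -j DNAT --to-destination $vm_ip:$vm_port"
    # 2. Same for connections started on the firewall itself: locally generated
    #    packets skip PREROUTING and only traverse the nat OUTPUT chain.
    echo "iptables -t nat -A OUTPUT -p tcp -d $pub_ip --dport $pub_port -j DNAT --to-destination $vm_ip:$vm_port"
    # 3. DNAT only changes the address; the packet still has to pass FORWARD.
    #    Insert at the top so SuSEFirewall2's own chains do not drop it first:
    #    replies of known connections, then new connections to the VM's port.
    echo "iptables -I FORWARD 1 -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -I FORWARD 2 -p tcp -d $vm_ip --dport $vm_port -m state --state NEW -j ACCEPT"
    # 4. Hairpin case: a client on the VM's own subnet would receive the reply
    #    straight from the VM with the VM's address as source and reset the
    #    connection. Masquerading only those clients keeps the path symmetric
    #    while every other client is still seen by the VM with its real address.
    echo "iptables -t nat -A POSTROUTING -s $vm_net -d $vm_ip -p tcp --dport $vm_port -o $vm_if -j MASQUERADE"
}

apply_rules() {
    ip_forward_enabled || echo 1 > /proc/sys/net/ipv4/ip_forward
    portfwd_rules "$PUB_IP" "$PUB_PORT" "$VM_IP" "$VM_PORT" "$VM_IF" "$VM_NET" | sh -e
}

case "${1:-show}" in
    apply) apply_rules ;;
    show)  portfwd_rules "$PUB_IP" "$PUB_PORT" "$VM_IP" "$VM_PORT" "$VM_IF" "$VM_NET" ;;
    *)     echo "usage: $0 [show|apply]" >&2 ;;
esac
```

Run it without arguments to see the rules, `apply` as root to load them. The rules are added on top of the running SuSEFirewall2 set, so they disappear at the next `rcSuSEfirewall2 restart`; to verify where a packet is lost, `iptables -t nat -L PREROUTING -v -n` and `iptables -L FORWARD -v -n` show per-rule packet counters, and a DNAT counter that increases while the FORWARD ACCEPT counter does not points at the FORWARD chain rather than at the NAT rule.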

Any ideas?