Dan,

Here is the routing table:

r...@system:~# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
10.152.3.1      0.0.0.0         255.255.255.255 UH    0   0      0    eth0
10.152.3.0      10.0.2.1        255.255.255.0   UG    0   0      0    eth0
10.0.1.0        10.152.3.1      255.255.255.0   UG    0   0      0    eth0
10.0.2.0        0.0.0.0         255.255.255.0   U     0   0      0    eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0   0      0    eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     0   0      0    eth0
0.0.0.0         192.168.0.1     0.0.0.0         UG    0   0      0    eth1

The site-to-site is handled by a Cisco ASA at 10.0.2.1, allowing the eth0 system (10.0.2.2) to route to the 10.152.3.0/24 network.

On Jul 21, 7:48 am, Daniel Eggleston <[email protected]> wrote:
> On Tue, 20 Jul 2010 20:43:52 -0700 (PDT)
> nseritti <[email protected]> wrote:
>
> > Hi,
> >
> > I seem to be having trouble setting up an iptables proxy.
> >
> > My network looks like this:
> >
> > Target system:
> > 10.152.3.56:8443
> >
> > Internal system:
> > eth0: 10.0.2.2
> > eth1: 192.168.0.3
> >
> > eth0 is connected to the 10.152.3.0/24 network via a site-to-site VPN.
> >
> > What I'm trying to do is allow users on the 192.168.0.0/24 network to
> > point to 192.168.0.3:8443 and forward those requests to 10.152.3.56
> > via eth0.
> >
> > My current ruleset allows me to access the target system via eth0;
> > however, applying a similar ruleset to eth1 does not work. Below is the
> > script I'm currently running, which works only if connecting from the
> > local system to its eth0 address.
> >
> > #!/bin/sh
> > # TCP Proxy using IPTables
> >
> > IPTABLES=/sbin/iptables
> >
> > echo 1 > /proc/sys/net/ipv4/ip_forward
> >
> > # Flush nat table, then the filter table
> > $IPTABLES -t nat -F
> > $IPTABLES -F
> >
> > # tcpproxy
> > $IPTABLES -t nat -A PREROUTING --dst 10.0.2.2 -p tcp --dport 8443 -j DNAT --to-destination 10.152.3.56:8443
> > $IPTABLES -t nat -A POSTROUTING --dst 10.152.3.56 -p tcp --dport 8443 -j SNAT --to-source 10.0.2.2
> > $IPTABLES -t nat -A OUTPUT --dst 10.0.2.2 -p tcp --dport 8443 -j DNAT --to-destination 10.152.3.56:8443
> >
> > Any help would be appreciated.
> >
> > Thanks,
> > Nick
>
> We're missing some info. You're SNAT-ing to a physical ethernet
> adapter, when you should be SNAT-ing to the vpn net dev you didn't
> mention.
>
> Post the output of these commands:
>
> ifconfig
> netstat -rn

--
You received this message because you are subscribed to the Linux Users Group.
To post a message, send email to [email protected]
To unsubscribe, send email to [email protected]
For more options, visit our group at http://groups.google.com/group/linuxusersgroup
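An added example, not part of the thread, that parameterises the DNAT/SNAT pair from Nick's script so the same rules can be generated for the eth1 listener (192.168.0.3:8443) that the 192.168.0.0/24 users are pointed at, and pairs them with narrow FORWARD rules. The addresses are the thread's; the function names, the APPLY switch and the FORWARD rules are assumptions of this example.

```shell
#!/bin/sh
# Added example: generate (and optionally apply) the DNAT/SNAT rules for one
# TCP proxy listener. Addresses and ports come from the thread; the function
# names, the APPLY switch and the FORWARD rules are assumptions of this example.

IPTABLES=/sbin/iptables

# tcp_proxy_rules LISTEN_IP LISTEN_PORT TARGET_IP TARGET_PORT SNAT_IP
# Prints one iptables command per line and executes nothing.
tcp_proxy_rules() {
    listen_ip=$1; listen_port=$2; target_ip=$3; target_port=$4; snat_ip=$5
    # Inbound connections aimed at the listener get their destination rewritten.
    printf '%s -t nat -A PREROUTING -p tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$IPTABLES" "$listen_ip" "$listen_port" "$target_ip" "$target_port"
    # Locally originated connections never traverse PREROUTING, so repeat the DNAT in OUTPUT.
    printf '%s -t nat -A OUTPUT -p tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$IPTABLES" "$listen_ip" "$listen_port" "$target_ip" "$target_port"
    # Rewrite the source so the target's replies return through this host;
    # snat_ip must be the address the target network routes back to.
    printf '%s -t nat -A POSTROUTING -p tcp -d %s --dport %s -j SNAT --to-source %s\n' \
        "$IPTABLES" "$target_ip" "$target_port" "$snat_ip"
    # Least privilege in the filter table (effective once the FORWARD policy is DROP):
    # allow replies to tracked flows, then only new connections to the proxied service.
    printf '%s -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$IPTABLES"
    printf '%s -A FORWARD -p tcp -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$IPTABLES" "$target_ip" "$target_port"
}

# Number of rules the generator emits; a cheap sanity check before applying.
tcp_proxy_rule_count() {
    tcp_proxy_rules "$@" | wc -l | tr -d ' '
}

# Listener on eth1 that the 192.168.0.0/24 users are pointed at, the target behind the
# VPN, and the eth0 address from which 10.152.3.0/24 is reached via the ASA at 10.0.2.1.
LISTEN_IP=192.168.0.3;  LISTEN_PORT=8443
TARGET_IP=10.152.3.56;  TARGET_PORT=8443
SNAT_IP=10.0.2.2

if [ "${APPLY:-0}" = 1 ]; then
    # Applying requires root; forwarding must be on for the FORWARD chain to see traffic.
    echo 1 > /proc/sys/net/ipv4/ip_forward
    tcp_proxy_rules "$LISTEN_IP" "$LISTEN_PORT" "$TARGET_IP" "$TARGET_PORT" "$SNAT_IP" | sh -e
else
    tcp_proxy_rules "$LISTEN_IP" "$LISTEN_PORT" "$TARGET_IP" "$TARGET_PORT" "$SNAT_IP"
fi
```

Run without APPLY to review the generated rules; run with APPLY=1 as root to load them.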
