OK, this should be pretty simple then, let me know if this works:

#!/bin/sh
# TCP Proxy using IPTables

IPTABLES=/sbin/iptables

echo 1 > /proc/sys/net/ipv4/ip_forward

# Flush nat table
$IPTABLES -t nat -F
$IPTABLES -F

# tcpproxy
$IPTABLES -t nat -A PREROUTING --dst 10.0.2.2 -p tcp --dport 8443 -j DNAT --to-destination 10.152.3.56:8443
## Don't need this line anymore, replace with a MASQUERADE target
#$IPTABLES -t nat -A POSTROUTING --dst 10.152.3.56 -p tcp --dport 8443 -j SNAT --to-source 10.0.2.2
$IPTABLES -t nat -A OUTPUT --dst 10.0.2.2 -p tcp --dport 8443 -j DNAT --to-destination 10.152.3.56:8443
$IPTABLES -t nat -A PREROUTING --dst 192.168.0.3 -p tcp --dport 8443 -j DNAT --to-destination 10.152.3.56:8443
$IPTABLES -t nat -A OUTPUT --dst 192.168.0.3 -p tcp --dport 8443 -j DNAT --to-destination 10.152.3.56:8443
$IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o eth1 -j MASQUERADE

On Wed, Jul 21, 2010 at 05:32:56AM -0700, nseritti wrote:
> Dan,
>
> Here is the routing table:
>
> r...@system:~# netstat -nr
> Kernel IP routing table
> Destination     Gateway         Genmask          Flags   MSS Window  irtt Iface
> 10.152.3.1      0.0.0.0         255.255.255.255  UH        0 0          0 eth0
> 10.152.3.0      10.0.2.1        255.255.255.0    UG        0 0          0 eth0
> 10.0.1.0        10.152.3.1      255.255.255.0    UG        0 0          0 eth0
> 10.0.2.0        0.0.0.0         255.255.255.0    U         0 0          0 eth0
> 192.168.0.0     0.0.0.0         255.255.255.0    U         0 0          0 eth1
> 169.254.0.0     0.0.0.0         255.255.0.0      U         0 0          0 eth0
> 0.0.0.0         192.168.0.1     0.0.0.0          UG        0 0          0 eth1
>
> The site to site is handled by a Cisco ASA at 10.0.2.1 allowing the
> eth0 network 10.0.2.2 system to route to the 10.152.3.0/24
>
> On Jul 21, 7:48 am, Daniel Eggleston <[email protected]> wrote:
> > On Tue, 20 Jul 2010 20:43:52 -0700 (PDT)
> > nseritti <[email protected]> wrote:
> > > Hi,
> > >
> > > I seem to be having trouble setting up an iptables proxy
> > >
> > > My network looks like this:
> > >
> > > Target system:
> > >
> > > 10.152.3.56:8443
> > >
> > > Internal System:
> > > eth0: 10.0.2.2
> > > eth1: 192.168.0.3
> > >
> > > eth0 is connected to 10.152.3.0/24 network via site to site VPN
> > >
> > > What I'm trying to do is allow users on the 192.168.0.0/24 network to
> > > point to 192.168.0.3:8443 and forward those requests to 10.152.3.56
> > > via eth0.
> > >
> > > My current ruleset allows me to access the target system via eth0,
> > > however applying a similar ruleset to eth1 does not work. Below is the
> > > script I'm currently running, which works only if connecting from the
> > > local system to its eth0 address.
> > >
> > > #!/bin/sh
> > > # TCP Proxy using IPTables
> > >
> > > IPTABLES=/sbin/iptables
> > >
> > > echo 1 > /proc/sys/net/ipv4/ip_forward
> > >
> > > # Flush nat table
> > > $IPTABLES -t nat -F
> > > $IPTABLES -F
> > >
> > > # tcpproxy
> > > $IPTABLES -t nat -A PREROUTING --dst 10.0.2.2 -p tcp --dport 8443 -j DNAT --to-destination 10.152.3.56:8443
> > > $IPTABLES -t nat -A POSTROUTING --dst 10.152.3.56 -p tcp --dport 8443 -j SNAT --to-source 10.0.2.2
> > > $IPTABLES -t nat -A OUTPUT --dst 10.0.2.2 -p tcp --dport 8443 -j DNAT --to-destination 10.152.3.56:8443
> > >
> > > Any help would be appreciated.
> > >
> > > Thanks,
> > >
> > > Nick
> >
> > We're missing some info. You're SNAT-ing to a physical ethernet
> > adapter, when you should be SNAT-ing to the vpn net dev you didn't
> > mention.
> >
> > Post the output of these commands:
> >
> > ifconfig
> > netstat -rn
>
> --
> You received this message because you are subscribed to the Linux Users Group.
> To post a message, send email to [email protected]
> To unsubscribe, send email to [email protected]
> For more options, visit our group at
> http://groups.google.com/group/linuxusersgroup
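An added example, not Dan's script or anything posted in the thread: the same DNAT forward for the two listening addresses above, but with source NAT limited to the proxied flow and a default-deny FORWARD chain, so that ip_forward=1 does not make the box forward anything else between eth0 and eth1. The addresses and port are the thread's; the apply argument, DRY_RUN variable and helper names are my own conventions.

```shell
#!/bin/sh
# Added example (not the script from the thread). Same DNAT port forward as
# above, but source NAT is limited to the proxied flow and the FORWARD chain is
# default-deny, so enabling ip_forward does not forward anything else.
# Run "./proxy.sh apply" as root to install the rules; DRY_RUN=1 prints them.

TARGET=10.152.3.56                    # target system from the thread
PORT=8443
LISTEN_ADDRS="10.0.2.2 192.168.0.3"   # eth0 and eth1 addresses of the proxy box
OUT_IFACE=eth0                        # interface that reaches the VPN side
IPTABLES=${IPTABLES:-/sbin/iptables}

run() {
    # Print the rule in dry-run mode, otherwise hand it to iptables.
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

build_rules() {
    run -t nat -F
    run -F
    # NAT: only the advertised port on the two listening addresses is redirected.
    for a in $LISTEN_ADDRS; do
        run -t nat -A PREROUTING -d "$a" -p tcp --dport "$PORT" -j DNAT --to-destination "$TARGET:$PORT"
        run -t nat -A OUTPUT -d "$a" -p tcp --dport "$PORT" -j DNAT --to-destination "$TARGET:$PORT"
    done
    # Source NAT only the proxied flow; a blanket "-o eth0 -j MASQUERADE" would
    # also rewrite any other traffic the box happens to forward.
    run -t nat -A POSTROUTING -o "$OUT_IFACE" -d "$TARGET" -p tcp --dport "$PORT" -j MASQUERADE
    # Filter: deny forwarding by default, allow the proxied flow and its replies.
    run -P FORWARD DROP
    run -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run -A FORWARD -o "$OUT_IFACE" -d "$TARGET" -p tcp --dport "$PORT" -m conntrack --ctstate NEW -j ACCEPT
}

count_rules() {
    # Number of "-A <chain>" rules the script would emit (dry run), for checks.
    ( DRY_RUN=1; build_rules ) | grep -c -- " -A $1 "
}

if [ "${1:-}" = apply ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
    build_rules
fi
```

Before applying, run it with DRY_RUN=1 and confirm the emitted rules match the two listening addresses and the single outbound interface; nothing else should be forwarded.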
