Thanks Dan, this works perfectly. If you have a few moments, can you
describe line by line what the additions do?

Also, if you could, what would need to be done to block all traffic to
the eth1 interface except for the 8443?

Thanks again,

Nick


On Jul 21, 9:57 am, Daniel Eggleston <[email protected]> wrote:
> OK, this should be pretty simple then, let me know if this works:
>
> #!/bin/sh
> # TCP Proxy using IPTables
>
> IPTABLES=/sbin/iptables
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> # Flush nat table
> $IPTABLES -t nat -F
> $IPTABLES -F
>
> # tcpproxy
> $IPTABLES -t nat -A PREROUTING --dst 10.0.2.2 -p tcp --dport 8443 -j DNAT --to-destination 10.152.3.56:8443
> ## Don't need this line anymore, replace with a MASQUERADE target
> #$IPTABLES -t nat -A POSTROUTING --dst 10.152.3.56 -p tcp --dport 8443 -j SNAT --to-source 10.0.2.2
> $IPTABLES -t nat -A OUTPUT --dst 10.0.2.2 -p tcp --dport 8443 -j DNAT --to-destination 10.152.3.56:8443
>
> $IPTABLES -t nat -A PREROUTING --dst 192.168.0.3 -p tcp --dport 8443 -j DNAT --to-destination 10.152.3.56:8443
> $IPTABLES -t nat -A OUTPUT --dst 192.168.0.3 -p tcp --dport 8443 -j DNAT --to-destination 10.152.3.56:8443
> $IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> $IPTABLES -t nat -A POSTROUTING -o eth1 -j MASQUERADE
>
> On Wed, Jul 21, 2010 at 05:32:56AM -0700, nseritti wrote:
> > Dan,
>
> > Here is the routing table:
>
> > r...@system:~# netstat -nr
> > Kernel IP routing table
> > Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> > 10.152.3.1      0.0.0.0         255.255.255.255 UH        0 0          0 eth0
> > 10.152.3.0      10.0.2.1        255.255.255.0   UG        0 0          0 eth0
> > 10.0.1.0        10.152.3.1      255.255.255.0   UG        0 0          0 eth0
> > 10.0.2.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
> > 192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
> > 169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
> > 0.0.0.0         192.168.0.1     0.0.0.0         UG        0 0          0 eth1
>
> > The site to site is handled by a Cisco ASA at 10.0.2.1, allowing the
> > eth0 network 10.0.2.2 system to route to the 10.152.3.0/24.
>
> > On Jul 21, 7:48 am, Daniel Eggleston <[email protected]> wrote:
> > > On Tue, 20 Jul 2010 20:43:52 -0700 (PDT)
>
> > > nseritti <[email protected]> wrote:
> > > > Hi,
>
> > > > I seem to be having trouble setting up an iptables proxy
>
> > > > My network looks like this:
>
> > > > Target system:
>
> > > > 10.152.3.56:8443
>
> > > > Internal System:
> > > > eth0: 10.0.2.2
> > > > eth1: 192.168.0.3
>
> > > > eth0 is connected to 10.152.3.0/24 network via site to site VPN
>
> > > > What I'm trying to do is allow users on the 192.168.0.0/24 network to
> > > > point to 192.168.0.3:8443 and forward those requests to 10.152.3.56
> > > > via eth0.
>
> > > > My current ruleset allows me to access the target system via eth0,
> > > > however applying a similar ruleset to eth1 does not work. Below is the
> > > > script I'm currently running, which works if connecting from the
> > > > local system to its eth0 address.
>
> > > > #!/bin/sh
> > > > # TCP Proxy using IPTables
>
> > > > IPTABLES=/sbin/iptables
>
> > > > echo 1 > /proc/sys/net/ipv4/ip_forward
>
> > > > # Flush nat table
> > > > $IPTABLES -t nat -F
> > > > $IPTABLES -F
>
> > > > # tcpproxy
> > > > $IPTABLES -t nat -A PREROUTING --dst 10.0.2.2 -p tcp --dport 8443 -j DNAT --to-destination 10.152.3.56:8443
> > > > $IPTABLES -t nat -A POSTROUTING --dst 10.152.3.56 -p tcp --dport 8443 -j SNAT --to-source 10.0.2.2
> > > > $IPTABLES -t nat -A OUTPUT --dst 10.0.2.2 -p tcp --dport 8443 -j DNAT --to-destination 10.152.3.56:8443
>
> > > > Any help would be appreciated.
>
> > > > Thanks,
>
> > > > Nick
>
> > > We're missing some info.  You're SNAT-ing to a physical ethernet
> > > adapter, when you should be SNAT-ing to the vpn net dev you didn't
> > > mention.
>
> > > Post the output of these commands:
>
> > > ifconfig
> > > netstat -rn
>
> > --
> > You received this message because you are subscribed to the Linux Users 
> > Group.
> > To post a message, send email to [email protected]
> > To unsubscribe, send email to [email protected]
> > For more options, visit our group at http://groups.google.com/group/linuxusersgroup

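Added example, not part of Dan's reply or either of Nick's scripts: the same DNAT "proxy" rewritten with a comment on each rule (Nick's first question) and a default-deny filter policy so that eth1 accepts nothing except the proxied 8443 flow (Nick's second question). It assumes the addresses and interfaces from the thread (eth0 = 10.0.2.2 toward the ASA and the VPN network, eth1 = 192.168.0.3 toward the 192.168.0.0/24 users, target 10.152.3.56:8443). The `DRY_RUN` switch and the `ipt`/`preview_rules` helpers are my additions so the rule set can be inspected without root; with `DRY_RUN=0` the script applies the rules on a Linux host with iptables and conntrack support. It also narrows Dan's blanket MASQUERADE to an SNAT that only matches the proxied flow, so the box does not silently become a NAT gateway between the two networks.

```shell
#!/bin/sh
# Added example (not from the thread): DNAT to 10.152.3.56:8443 with a
# default-deny filter policy, so eth1 accepts nothing but the proxied port.
# Addresses/interfaces come from the thread; DRY_RUN is an assumed helper:
# DRY_RUN=1 (default) prints the rules, DRY_RUN=0 applies them (needs root).

IPTABLES=${IPTABLES:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-1}

LAN_IF=eth1                 # interface facing the 192.168.0.0/24 users
LAN_IP=192.168.0.3
LAN_NET=192.168.0.0/24
VPN_IF=eth0                 # interface that routes to 10.152.3.0/24 via the ASA
VPN_IP=10.0.2.2
TARGET=10.152.3.56
PORT=8443

# Print or execute one iptables command depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        "$IPTABLES" "$@"
    fi
}

apply_rules() {
    # Routing between interfaces is off by default; DNAT needs it on.
    [ "$DRY_RUN" = 1 ] || echo 1 > /proc/sys/net/ipv4/ip_forward

    # Start from empty nat and filter tables, as the thread's script does.
    ipt -t nat -F
    ipt -F

    # Default deny for traffic addressed to this host and traffic routed
    # through it; locally generated traffic stays open so the box itself
    # can still reach the VPN side.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # --- nat table: the "proxy" itself ------------------------------------
    # LAN users connect to 192.168.0.3:8443. PREROUTING rewrites the
    # destination before the routing decision, so the packet is forwarded
    # out eth0 instead of being delivered to a local socket.
    ipt -t nat -A PREROUTING -i "$LAN_IF" -d "$LAN_IP" -p tcp --dport "$PORT" \
        -j DNAT --to-destination "$TARGET:$PORT"
    # Locally generated packets skip PREROUTING; the nat OUTPUT chain gives
    # connections from this host to its own addresses the same rewrite.
    ipt -t nat -A OUTPUT -d "$LAN_IP" -p tcp --dport "$PORT" \
        -j DNAT --to-destination "$TARGET:$PORT"
    ipt -t nat -A OUTPUT -d "$VPN_IP" -p tcp --dport "$PORT" \
        -j DNAT --to-destination "$TARGET:$PORT"
    # Source-NAT only the proxied flow to the eth0 address, so the target's
    # replies come back through this box (it has no route to 192.168.0.0/24
    # otherwise). This replaces the blanket MASQUERADE on both interfaces.
    ipt -t nat -A POSTROUTING -o "$VPN_IF" -d "$TARGET" -p tcp --dport "$PORT" \
        -j SNAT --to-source "$VPN_IP"

    # --- filter table: what may actually pass -----------------------------
    ipt -A INPUT -i lo -j ACCEPT
    # Replies to connections this host opened itself.
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Nothing else is accepted on eth1. The DNAT'd 8443 flow never reaches
    # INPUT because after PREROUTING its destination is no longer local.

    # Forward only the proxied flow, LAN -> target, plus its return packets.
    ipt -A FORWARD -i "$LAN_IF" -o "$VPN_IF" -s "$LAN_NET" -d "$TARGET" \
        -p tcp --dport "$PORT" -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    ipt -A FORWARD -i "$VPN_IF" -o "$LAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Return the generated rule set as text without touching the kernel.
preview_rules() {
    ( DRY_RUN=1; apply_rules )
}

apply_rules
```

Run it as-is to review the rules it would load; run `DRY_RUN=0 sh script.sh` as root to apply them. Because the FORWARD policy is DROP, any other port or destination that LAN hosts try to reach through 192.168.0.3 is discarded rather than routed on to the VPN side, which is the behaviour Nick asks for on eth1.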