
[tlug] Question on iptables and port forwarding



Ian Barwick writes:

 > I have two machines on the same local network, 192.168.2.6 and 192.168.2.7
 > and I want to forward say TCP connections to 192.168.2.7:12345 to 192.168.2.6:80
 > (just for the hell of it, it's Friday ;) ).
 > 
 > All available sources indicate I should be doing something like this
 > (on 192.168.2.7):
 > 
 > iptables -A PREROUTING -i eth0 -t nat -p tcp --dport 12345 -m state \
 >     --state NEW,ESTABLISHED,RELATED -j DNAT --to 192.168.2.6:80
 > iptables -A FORWARD -i eth0 -p tcp --dport 80 -m state --state \
 >     NEW,ESTABLISHED,RELATED -j ACCEPT

First, get rid of the state stuff until you have it working without
filtering on state.  (In any case, the nat table only is consulted for
NEW connections.)  BTW, I have the feeling that whatever source you
have consulted is best used for kindling campfires; this looks like
cargo-cult programming to me.

Second, if you're trying to test access to 192.168.2.7:12345 from
192.168.2.7, it's not going to work because locally-generated packets
don't go through the PREROUTING chain (IIUC the man page).  You
probably want the POSTROUTING chain, because that is consulted for
both locally and remotely generated packets (same caveat).

I don't think the FORWARD chain is relevant here (especially not if
PREROUTING is supposed to work; if so, "-t nat -j DNAT" would mean
that no other rules get a shot at these packets ever).

 > Any ideas what I am doing wrong? Could it be a problem that for the
 > desired setup, 192.168.2.7 is not forwarding from one interface to another?

You have multiple interfaces?  Indeed that could be a problem.  What
does netstat -r say?

