Iptables – forwarding packet from one interface to another interface

ip-forwardingiptableslinux-networkingport-forwardingrouter

I have an embeded system with 2 interfaces e0 and m0, whose ips are 10.0.0.20 and 192.168.0.20, respectively.
Incoming packets into e0 have an ip of 10.0.0.10 and should be forwarded to m0 interface to external server whose ip is 10.0.0.30. Also, the returning traffic into m0 should be returned to e0.

I tried to forward packets with these commands:

route add -net 10.0.0.0/16 dev m0

iptables -t nat -A PREROUTING -d 10.0.0.30 -j DNAT –to-destination 192.168.0.20

iptables -t nat -A POSTROUTING -s 10.0.0.0/16 -j SNAT –to-source 10.0.0.20

I did tcpdump at m0 but don't see anyting going out.

Can you tell me what I am missing? Thank you in advance.

Best Answer

Perhaps you need to turn on forwarding in the kernel with:

sysctl -w net.ipv4.ip_forward=1

Related Solutions

Linux – Forward HTTP Traffic to Another IP Address with iptables

There are three potential problems I see (contary to the other answer I don't see anything that would cause a "loop" even in the unedited version of your question).

IP forwarding must be enabled.
After being natted and placed back on the network the packet may fall victim to source address filtering as it looks very much like a spoofed packet.
Responses to packets that go through a NAT must go through the same NAT so the reverse translation can be performed. Otherwise the client will get a response with the wrong source IP/port which it is likely to drop (if it has not already been dropped by reverse path filtering).

You can work arround points 2 and 3 by using a SNAT or MASQURADE rule in addition to the DNAT but if you do that then you lose the original source IP of the traffic. That will make abuse control very difficult.

Another soloution to points 2 and 3 would be to set up a VPN between the two servers. Then use DNAT to forward traffic over the VPN and source IP based routing to bring the replies back to the NAT.

Iptables – ebtables/iptables/bridge-utils: PREROUTING/FORWARD issue on single-NIC bridge

When filtering on a bridge i think you need to use a different match for the interface in/out, in your case, in i understand your setup correctly, something like

iptables -t nat -A PREROUTING -p tcp --dport 9080 -j DNAT --to-destination $MAINTIP:8080
iptables -a FORWARD -m physdev --physdev-in eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -m physdev --physdev-out eth0 -j MASQUERADE

I don't think you need to enable ip_forward ... this is a bridge afterall

last but not least

echo 1 > net.bridge.bridge-nf-call-iptables

make sure this is enabled , but it should by default.

Best Answer

Related Solutions

Linux – Forward HTTP Traffic to Another IP Address with iptables

Iptables – ebtables/iptables/bridge-utils: PREROUTING/FORWARD issue on single-NIC bridge

Related Topic