How to do SNAT port forwarding on iptables or shorewall?

T

Talyan2020-06-10 20:30:01

linux

Talyan, 2020-06-10 20:30:01

Hello.

Tell me what I'm doing wrong.
I have interfaces on Debian:
ens18 ip 192.168.1.125/24 - server locale 192.168.1.0/24
ens19 looks to the Internet ABCD/24 white IP
ens20 ip 192.168.10.250 looks to telephony locale 192.168.10.0/24

Story:

После перезагрузки нашего компа-шлюза в офисе у нас потерял доступ к сети телефонии чувак, который обслуживает АТСку в подсети 192.168.10.3. Все правила были настроены shorewall'ом. Шлюз стоял без перезагрузки миллион лет, и скорее всего 10 поколений работников назад кто-то вручную влепил в сформированные шореволлом правила iptables правила перенаправления внешнего порта A.B.C.D:4890 на 192.168.10.3:4899 для RAdmin.

The gateway has rebooted after a long power outage. Now everything works except RAdmin from the outside.

I seem to be doing it right (on a test virtual machine where there are no more rules, and where everything is ACCEPT:

iptables -A FORWARD -j ACCEPT
iptables -t nat -A PREROUTING -d A.B.C.D/32 -p tcp -m tcp --dport 4899 -j DNAT --to-destination 192.168.10.3:4899
iptables -t nat -A POSTROUTING -d 192.168.10.3/32 -o ens20 -p tcp -m tcp --dport 4899 -j SNAT --to-source A.B.C.D

But nothing works.
If you do it from the left external ip
nmap A.B.C.D -p4899
That shows
4899 RAdmin <b>filtered</b>
That is, I get REJECT
Moreover, after applying these rules, even from the gateway itself I get filtered on this port from the ATS, although before applying the rules, the status was opened .

I don't understand what's the matter.

Reply

Answer the question

In order to leave comments, you need to log in

2 answer(s)

G

galaxy, 2020-06-10
@galaxy

iptables -t nat -A POSTROUTING -d 192.168.10.3/32 -o ens20 -p tcp -m tcp --dport 4899 -j SNAT --to-source ABCD

It's not necessary.

A

Andrey Barbolin, 2020-06-10
@dronmaxman

Show the output after applying your rules.
sudo iptables -nvL
sudo iptables -nvL -t nat