IPTABLES: ping and wget work although they does not

2
votes

It seems I don't understand IPTABLES logic.

I reinstalled ubuntu server 11.10 on my server and turned on forwarding (net.ipv4.ip_forward=1 in /etc/sysctl.conf). Server has two network interfaces - eth0 (ip 192.168.1.1) looks to local network and eth1 (ip 213.164.156.130) looks to internet.

There's also another computer in local network with ip 192.168.1.2.

Then I added two simple rules to ITABLE *nat:

-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.2
-A POSTROUTING -o eth1 -j SNAT --to-source 213.164.156.130

I thought that the first rule means forwarding every incoming packet to 192.168.1.2.

But if I run "ping google.com", "wget google.com" from server, they successfully work. Server receives packets and doesn't do forwarding, and I'm really stuck with this.

In case I run these commands from 192.168.1.2 they also work, that means here forwarding works.

1
iptablesforwardingnat

1 Answers

3
votes

These are NAT rules.

In your first rule, address translation occurs before routing the packet. You're changing the destination address to 192.168.1.2 and in the second rule, you're changing the source address before routing to 213.164.156.130.

I'm guessing you can ping & wget because your INPUT and OUTPUT chains have a default action.

TBH, I'm confused about what you actually want to do but if you want to forward packets, you need to modify the FORWARD chain. Here's a link for detailed and helpful information on iptables so you can understand the logic better - Ch14:_Linux_Firewalls_Using_iptables">http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:Ch14:_Linux_Firewalls_Using_iptables.