Skip to main content

iptables - Port forwarding from one interface to another.

Setting iptables - Port forwarding.

Current scenario.
  1. We have 2 Networks 192.168.0.0/24 which is a private network. 172.14.14.0/24 which is the Edge node network, which can communicate to the Active Directory.
  2. We have Edge node, which have 2 Interfaces. eth0 for 172.14.14.0/24 network which can communicate to Active Directory, Another is eth1 for 192.168.0.0/24 which communicates with all the internal nodes.
  3. Now, when the internal nodes which reside on the 192.168.0.0/24 network wants to authenticate from AD then it has to communicate to EDGE node which will port forward these request to the AD.
NOTE: There is no bridge between 172.14.14.237 and 192.168.0.10 interfaces.
iptables configuration used on EDGE.
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 88 -j DNAT --to-destination 172.14.14.174:88
iptables -t nat -A PREROUTING -p udp -m udp --dport 88 -j DNAT --to-destination 172.14.14.174:88
iptables -t nat -A POSTROUTING -d 172.14.14.174/32 -p tcp -m tcp --dport 88 -j SNAT --to-source 172.14.14.237
iptables -t nat -A POSTROUTING -d 172.14.14.174/32 -p udp -m udp --dport 88 -j SNAT --to-source 172.14.14.237
iptables -t nat -A POSTROUTING -d 172.14.14.237/32 -p tcp -m tcp --dport 88 -j SNAT --to-source 192.168.0.10
iptables -t nat -A POSTROUTING -d 172.14.14.237/32 -p udp -m udp --dport 88 -j SNAT --to-source 192.168.0.10
Here is little more explanation about the iptables config used.
iptables -t nat -A PREROUTING -p tcp -m tcp --dport  -j DNAT --to-destination :
iptables -t nat -A PREROUTING -p udp -m udp --dport  -j DNAT --to-destination :
iptables -t nat -A POSTROUTING -d /32 -p tcp -m tcp --dport  -j SNAT --to-source 
iptables -t nat -A POSTROUTING -d /32 -p udp -m udp --dport  -j SNAT --to-source 
iptables -t nat -A POSTROUTING -d /32 -p tcp -m tcp --dport  -j SNAT --to-source 
iptables -t nat -A POSTROUTING -d /32 -p udp -m udp --dport  -j SNAT --to-source
Check updated configuration.
[root@server-edge ~]# service iptables status
Table: nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:88 to:172.14.14.174:88
2    DNAT       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:88 to:172.14.14.174:88

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    SNAT       tcp  --  0.0.0.0/0            172.14.14.174       tcp dpt:88 to:172.14.14.237
2    SNAT       udp  --  0.0.0.0/0            172.14.14.174       udp dpt:88 to:172.14.14.237
3    SNAT       tcp  --  0.0.0.0/0            172.14.14.237       tcp dpt:88 to:192.168.0.10
4    SNAT       udp  --  0.0.0.0/0            172.14.14.237       udp dpt:88 to:192.168.0.10

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
Trying to telnet to port 88 from slave node. Here we connect to 192.168.0.10 which forward the port to 172.14.14.237, which inturn forward to 172.14.14.174.
[root@waepprrkhd001 ~]# telnet 192.168.0.10 88
Trying 192.168.0.10...
Connected to 192.168.0.10.
Escape character is '^]'.
Labels:

Comments

Post a Comment

Popular posts from this blog

Cloudera Manager - Duplicate entry 'zookeeper' for key 'NAME'.

We had recently built a cluster using cloudera API’s and had all the services running on it with Kerberos enabled. Next we had a requirement to add another kafka cluster to our already exsisting cluster in cloudera manager. Since it is a quick task to get the zookeeper and kafka up and running. We decided to get this done using the cloudera manager instead of the API’s. But we faced the Duplicate entry 'zookeeper' for key 'NAME' issue as described in the bug below. https://issues.cloudera.org/browse/DISTRO-790 I have set up two clusters that share a Cloudera Manger. The first I set up with the API and created the services with capital letter names, e.g., ZOOKEEPER, HDFS, HIVE. Now, I add the second cluster using the Wizard. Add Cluster->Select Hosts->Distribute Parcels->Select base HDFS Cluster install On the next page i get SQL errros telling that the services i want to add already exist. I suspect that the check for existing service names does n
2 comments
Read more

Zabbix History Table Clean Up

Zabbix history table gets really big, and if you are in a situation where you want to clean it up. Then we can do so, using the below steps. Stop zabbix server. Take table backup - just in case. Create a temporary table. Update the temporary table with data required, upto a specific date using epoch . Move old table to a different table name. Move updated (new temporary) table to original table which needs to be cleaned-up. Drop the old table. (Optional) Restart Zabbix Since this is not offical procedure, but it has worked for me so use it at your own risk. Here is another post which will help is reducing the size of history tables - http://zabbixzone.com/zabbix/history-and-trends/ Zabbix Version : Zabbix v2.4 Make sure MySql 5.1 is set with InnoDB as innodb_file_per_table=ON Step 1 Stop the Zabbix server sudo service zabbix-server stop Script. echo "------------------------------------------" echo " 1. Stopping Zabbix Server &quo
1 comment
Read more

Access Filter in SSSD `ldap_access_filter` [SSSD Access denied / Permission denied ]

Access Filter Setup with SSSD ldap_access_filter (string) If using access_provider = ldap , this option is mandatory. It specifies an LDAP search filter criteria that must be met for the user to be granted access on this host. If access_provider = ldap and this option is not set, it will result in all users being denied access. Use access_provider = allow to change this default behaviour. Example: access_provider = ldap ldap_access_filter = memberOf=cn=allowed_user_groups,ou=Groups,dc=example,dc=com Prerequisites yum install sssd Single LDAP Group Under domain/default in /etc/sssd/sssd.conf add: access_provider = ldap ldap_access_filter = memberOf=cn=Group Name,ou=Groups,dc=example,dc=com Multiple LDAP Groups Under domain/default in /etc/sssd/sssd.conf add: access_provider = ldap ldap_access_filter = (|(memberOf=cn=System Adminstrators,ou=Groups,dc=example,dc=com)(memberOf=cn=Database Users,ou=Groups,dc=example,dc=com)) ldap_access_filter accepts standa
Post a Comment
Read more