iptables - Reply Forwarding Error / Destination unreachable
Posted: Mon May 04, 2015 9:11 am
Hallo,
i would like to route a VNC Connection from a PC(VNC-Client) over a Raspberry-PI(with 2 Network Interfaces) to a SPS(VNC-Server)
VNC Port: >= TCP 5900
PC/VNC-Client(192.168.56.48) VNC Client <--> RaspberryPI(eth1:192.168.70.197) <--> (eth0:10.0.0.2) <--> SPS/VNC-Server(10.0.0.1).
For my first test i use icmp(ping) instead of VNC. My routing commands:
LOCAL_IFACE=eth0
INET_IFACE=eth1
INET_ADDRESS=192.168.70.197
LOCAL_ADDRESS=10.0.0.2
#PC-->SPS
iptables -t nat -A POSTROUTING -o $LOCAL_IFACE -j MASQUERADE
iptables -A FORWARD -i $INET_IFACE -m state --state NEW -j ACCEPT
iptables -t nat -A PREROUTING -p icmp -i $INET_IFACE -j DNAT --to-destination 10.0.0.1
#PC<--SPS
iptables -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
iptables -A FORWARD -i $LOCAL_IFACE -o $INET_IFACE -j ACCEPT
iptables -t nat -A PREROUTING -p icmp -i $LOCAL_IFACE -o $INET_IFACE -j DNAT --to-destination 192.168.56.48
Wireshark (Raspberry PI eth0 & eth1 filter icmp):
No. Time Source Destination Protocol Length Info
21 4.538921000 192.168.56.48 192.168.70.197 ICMP 74 Echo (ping) request id=0x0001, seq=21/5376, ttl=127
No. Time Source Destination Protocol Length Info
25 4.540118000 10.0.0.2 10.0.0.1 ICMP 74 Echo (ping) request id=0x0001, seq=21/5376, ttl=126
No. Time Source Destination Protocol Length Info
26 4.540710000 10.0.0.1 10.0.0.2 ICMP 74 Echo (ping) reply id=0x0001, seq=21/5376, ttl=64
No. Time Source Destination Protocol Length Info
32 7.533461000 10.0.0.2 10.0.0.1 ICMP 102 Destination unreachable (Host unreachable) <--------------------------???????????
No. Time Source Destination Protocol Length Info
69 9.489564000 192.168.56.48 192.168.70.197 ICMP 74 Echo (ping) request id=0x0001, seq=22/5632, ttl=127
No. Time Source Destination Protocol Length Info
71 9.489905000 10.0.0.2 10.0.0.1 ICMP 74 Echo (ping) request id=0x0001, seq=22/5632, ttl=126
No. Time Source Destination Protocol Length Info
72 9.490534000 10.0.0.1 10.0.0.2 ICMP 74 Echo (ping) reply id=0x0001, seq=22/5632, ttl=64
No. Time Source Destination Protocol Length Info
86 12.483500000 10.0.0.2 10.0.0.1 ICMP 102 Destination unreachable (Host unreachable) <-----------------------------???????????
My Questions:
Why is the reply not routed to the PC? Where is the error?
How can I route the VNC-connection if the PC has a dynamic IP?
Thanks for your support
Andre
i would like to route a VNC Connection from a PC(VNC-Client) over a Raspberry-PI(with 2 Network Interfaces) to a SPS(VNC-Server)
VNC Port: >= TCP 5900
PC/VNC-Client(192.168.56.48) VNC Client <--> RaspberryPI(eth1:192.168.70.197) <--> (eth0:10.0.0.2) <--> SPS/VNC-Server(10.0.0.1).
For my first test i use icmp(ping) instead of VNC. My routing commands:
LOCAL_IFACE=eth0
INET_IFACE=eth1
INET_ADDRESS=192.168.70.197
LOCAL_ADDRESS=10.0.0.2
#PC-->SPS
iptables -t nat -A POSTROUTING -o $LOCAL_IFACE -j MASQUERADE
iptables -A FORWARD -i $INET_IFACE -m state --state NEW -j ACCEPT
iptables -t nat -A PREROUTING -p icmp -i $INET_IFACE -j DNAT --to-destination 10.0.0.1
#PC<--SPS
iptables -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
iptables -A FORWARD -i $LOCAL_IFACE -o $INET_IFACE -j ACCEPT
iptables -t nat -A PREROUTING -p icmp -i $LOCAL_IFACE -o $INET_IFACE -j DNAT --to-destination 192.168.56.48
Wireshark (Raspberry PI eth0 & eth1 filter icmp):
No. Time Source Destination Protocol Length Info
21 4.538921000 192.168.56.48 192.168.70.197 ICMP 74 Echo (ping) request id=0x0001, seq=21/5376, ttl=127
No. Time Source Destination Protocol Length Info
25 4.540118000 10.0.0.2 10.0.0.1 ICMP 74 Echo (ping) request id=0x0001, seq=21/5376, ttl=126
No. Time Source Destination Protocol Length Info
26 4.540710000 10.0.0.1 10.0.0.2 ICMP 74 Echo (ping) reply id=0x0001, seq=21/5376, ttl=64
No. Time Source Destination Protocol Length Info
32 7.533461000 10.0.0.2 10.0.0.1 ICMP 102 Destination unreachable (Host unreachable) <--------------------------???????????
No. Time Source Destination Protocol Length Info
69 9.489564000 192.168.56.48 192.168.70.197 ICMP 74 Echo (ping) request id=0x0001, seq=22/5632, ttl=127
No. Time Source Destination Protocol Length Info
71 9.489905000 10.0.0.2 10.0.0.1 ICMP 74 Echo (ping) request id=0x0001, seq=22/5632, ttl=126
No. Time Source Destination Protocol Length Info
72 9.490534000 10.0.0.1 10.0.0.2 ICMP 74 Echo (ping) reply id=0x0001, seq=22/5632, ttl=64
No. Time Source Destination Protocol Length Info
86 12.483500000 10.0.0.2 10.0.0.1 ICMP 102 Destination unreachable (Host unreachable) <-----------------------------???????????
My Questions:
Why is the reply not routed to the PC? Where is the error?
How can I route the VNC-connection if the PC has a dynamic IP?
Thanks for your support
Andre