Blocking the to-destination with NAT and iptables


I have the following configuration:

ServerA: 192.168.168.200
ServerB: 172.23.10.10

They are separated by a RedHat box I'm trying to configure as a NAT device. The box is configured as follows:

eth0: 172.23.10.1
eth1: 192.168.168.254
eth1:0: 192.168.168.10

I am trying to allow ServerA to only communicate with ServerB using the 192.168.168.10 address which should map via NAT to the 172.23.10.10 address.

ServerA (192.168.168.x) <-NAT ServerB (172.23.10.x)

I have configured the following iptables rule only on the RedHat box:

iptables -t nat -A PREROUTING -d 192.168.168.10 -j DNAT --to-destination 172.23.10.10

This appears to successfully implement the NAT translation. For example, when I ping 192.168.168.10 from ServerA it successfully reaches ServerB on its 172.23.10.10 interface (and receives the response).

THE PROBLEM is that ServerA is still able to reach ServerB directly over 172.23.10.10, which I want to disallow.

How can I keep this NAT mapping in place, while blocking access to the actual destination address?


Solution

  • You didn't paste your full iptables output (iptables -t nat -vnL), so this is a guess, but I'm betting, since it's RHEL, that your PREROUTING table has the default "ACCEPT" policy, so the traffic is skipping the NAT line, hitting the policy, and being accepted.

    try: iptables -t nat -P PREROUTING DROP
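An added example (not from the question or the answer above) of keeping the mapping while blocking direct access. The nat table only sees a connection's first packet, and by the time a translated packet reaches the FORWARD chain its destination already reads 172.23.10.10, the same as a direct packet, so the filtering below lives in the filter table and uses conntrack's record of the original destination to tell the two apart. Hostnames and addresses are the question's; the script name, the log prefix and the apply/show arguments are my own.

```shell
#!/bin/sh
# nat-rules.sh: example for the RedHat box in the question (not the original
# poster's or answerer's code).  Keeps the DNAT mapping and stops ServerA from
# reaching ServerB's real address directly.
#   ./nat-rules.sh apply   (as root)  installs the rules
#   ./nat-rules.sh show    prints the iptables commands without running them
IPT="${IPT:-iptables}"

SERVER_A=192.168.168.200   # the host being restricted
SERVER_B=172.23.10.10      # ServerB's real address
NAT_ALIAS=192.168.168.10   # eth1:0, the only address ServerA may use

dnat_rule() {
    # The mapping from the question.  nat/PREROUTING is consulted only for the
    # first packet of a connection; conntrack translates the rest.
    $IPT -t nat -A PREROUTING -d "$NAT_ALIAS" -j DNAT --to-destination "$SERVER_B"
}

filter_rules() {
    # PREROUTING runs before FORWARD, so a translated packet shows up here with
    # destination 172.23.10.10 exactly like a direct one; a plain
    # '-d 172.23.10.10 -j DROP' would kill both.  conntrack remembers the
    # pre-NAT destination: 192.168.168.10 for translated flows, 172.23.10.10
    # for direct access.  That is what the rules below key on.

    # Replies and follow-up packets of connections already accepted.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # New connections from ServerA whose destination was rewritten by DNAT,
    # i.e. the ones that came in via the alias.
    $IPT -A FORWARD -s "$SERVER_A" -d "$SERVER_B" -m conntrack --ctstate DNAT -j ACCEPT
    # Anything else from ServerA did not come via the alias.  Attempts aimed
    # at ServerB's real address are the direct access the question wants to
    # stop; log them so they are visible in the kernel log, then drop all of it.
    $IPT -A FORWARD -s "$SERVER_A" -m conntrack --ctorigdst "$SERVER_B" \
         -j LOG --log-prefix "direct-to-ServerB: "
    $IPT -A FORWARD -s "$SERVER_A" -j DROP
}

case "${1:-}" in
    apply) dnat_rule; filter_rules ;;
    show)  IPT=echo; dnat_rule; filter_rules ;;
esac
```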