IPTables and a simple script to port forward port 80

Post by Kevin the Might » Thu, 12 Jul 2001 06:00:06



Hey there,

Well, I stayed up later than I'd like to admit last night trying to get
port forwarding to work.  All I want the linux box to do is forward port
80 (web traffic of course...) from the external interface to a box on
the inside interface's LAN.

For troubleshooting, I've stripped out all of my SNAT config, set the
policies to ACCEPT for every chain, and used the following:

iptables -A PREROUTING -t nat -p tcp -d 1.2.3.4 --dport 80 -j DNAT --to 10.0.0.11:80

where 1.2.3.4 is the outside address and 10.0.0.11 is the inside
address.

When I go to 1.2.3.4 with a web browser from another server on the
outside, and then do "ipchains -t nat -L -v" I can see that the packet
hit the rule, but the web browser times out.  From there, I have no idea
where the packet is getting lost.  At this point, I'm not trying to be
secure, I'm just trying to get the damn thing to work. ;-)  I can make
it secure later... (crawl before you walk, etc)

Any help will be much appreciated, as I've already spent more time on
this than I would have liked to (doesn't it always seem that way?).  If
you have port 80 forwarding--or any port for that matter--working and
could send me your script, I'd appreciate that also.

Thanks,
Kevin

Post by KW » Thu, 12 Jul 2001 06:21:28


Kevin

Man page shows the DNAT option -j DNAT --to-destination IP:PORT
maybe --to isn't enough??

> iptables -A PREROUTING -t nat -p tcp -d 1.2.3.4 --dport 80 -j DNAT --to 10.0.0.11:80

Post by Kevin the Might » Thu, 12 Jul 2001 09:32:03


I tried it and it didn't have any effect--I've seen "--to" used in several
scripts so it seems to be a recognized shortening of the switch.

The rule seems to be working since every hit to port 80 on the external
interface hits that rule.  From there, I have no idea what's happening.

I checked the webserver with netstat and the packet never makes it.  I may
have to get a packet sniffer and see if anything even leaves the internal
interface of the linux box.

Maybe I'm missing an extra rule, but everything I've seen says I only need
that one line.

BTW--this is a RH 7.1 box if that helps...

Thanks,
Kevin


> Kevin

> Man page shows the DNAT option -j DNAT --to-destination IP:PORT
> maybe --to isn't enough??

> > iptables -A PREROUTING -t nat -p tcp -d 1.2.3.4 --dport 80 -j DNAT --to 10.0.0.11:80

Post by Dean Thompson » Thu, 12 Jul 2001 09:55:11


Hi!,

> I tried it and it didn't have any effect--I've seen "--to" used in several
> scripts so it seems to be a recognized shortening of the switch.

> The rule seems to be working since every hit to port 80 on the external
> interface hits that rule.  From there, I have no idea what's happening.

> I checked the webserver with netstat and the packet never makes it.  I may
> have to get a packet sniffer and see if anything even leaves the internal
> interface of the linux box.

> Maybe I'm missing an extra rule, but everything I've seen says I only need
> that one line.

> BTW--this is a RH 7.1 box if that helps...

Check to make sure that you have got IP forwarding enabled in the
/etc/sysctl.conf file on the RH7.1 box and that the other box which you are
sending the packet to is capable of getting a packet back onto the internet
via a MASQ'ed connection.  I have used the command in the past and it has
worked without any major problems.

See ya

Dean Thompson

--
+____________________________+____________________________________________+
| Bach. Computing (Hons)     | ICQ     - 45191180                         |
| PhD Student                | Office  - <Off-Campus>                     |
| School Comp.Sci & Soft.Eng | Phone   - +61 3 9903 2787 (Gen. Office)    |
| MONASH (Caulfield Campus)  | Fax     - +61 3 9903 1077                  |
| Melbourne, Australia       |                                            |
+----------------------------+--------------------------------------------+

Post by Kevin the Might » Fri, 13 Jul 2001 15:31:44


Thanks for the help guys.  After digging around with TCPDump, I discovered
that the DNAT rule was trying to send packets to the internal server out of
the *external* interface.  Doh.

Anyway, for all those people having trouble, here's a base config that
(*cough*) should work.  This was on a Redhat 7.1 system.  eth0 is external,
eth1 is internal.  x.x.x.x is the external IP.  y.y.y.y is the internal IP
of the server you're forwarding packets to.

#DNAT
iptables -t nat -A PREROUTING -d x.x.x.x -p tcp --dport 80 -i eth0 -j DNAT --to y.y.y.y:80
#SNAT
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to x.x.x.x

Hope this helps,
Kevin


> Hey there,

> Well, I stayed up later than I'd like to admit last night trying to get
> port forwarding to work.  All I want the linux box to do is forward port
> 80 (web traffic of course...) from the external interface to a box on
> the inside interface's LAN.

> For troubleshooting, I've stripped out all of my SNAT config, set the
> policies to ACCEPT for every chain, and used the following:

> iptables -A PREROUTING -t nat -p tcp -d 1.2.3.4 --dport 80 -j DNAT --to 10.0.0.11:80

> where 1.2.3.4 is the outside address and 10.0.0.11 is the inside
> address.

> When I go to 1.2.3.4 with a web browser from another server on the
> outside, and then do "ipchains -t nat -L -v" I can see that the packet
> hit the rule, but the web browser times out.  From there, I have no idea
> where the packet is getting lost.  At this point, I'm not trying to be
> secure, I'm just trying to get the damn thing to work. ;-)  I can make
> it secure later... (crawl before you walk, etc)

> Any help will be much appreciated, as I've already spent more time on
> this than I would have liked to (doesn't it always seem that way?).  If
> you have port 80 forwarding--or any port for that matter--working and
> could send me your script, I'd appreciate that also.

> Thanks,
> Kevin
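The following is an added example, not Kevin's or Dean's script and not part of the original thread. It puts the two checks raised in the replies (IP forwarding enabled, a working return path) and Kevin's final DNAT/SNAT pair into one shell script whose rules are built by functions, so they can be printed and inspected before anything is applied. It assumes the topology from the thread (eth0 external at 1.2.3.4, eth1 internal, web server at 10.0.0.11, all overridable through the environment) and adds two FORWARD rules using the iptables state match, which Kevin's config did not need because he had every policy set to ACCEPT; the interface names, addresses and the `--apply` switch are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread): port-80 forward as inspectable functions.
# Assumed topology, taken from the thread and overridable via the environment:
#   eth0 = external interface, 1.2.3.4  = external IP
#   eth1 = internal interface, 10.0.0.11 = internal web server
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
EXT_IP="${EXT_IP:-1.2.3.4}"
INT_IP="${INT_IP:-10.0.0.11}"
PORT="${PORT:-80}"

# DNAT rule. "-i ext_if" limits the rewrite to packets arriving on the external
# interface (the piece Kevin's first attempt lacked); --to-destination is the
# long form of the option KW quoted from the man page.
dnat_rule() { # $1 ext_if  $2 ext_ip  $3 port  $4 int_ip
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$1" "$2" "$3" "$4" "$3"
}

# SNAT rule so traffic from the inside leaves with the external address as
# source, which is Dean's "can the other box get a packet back out" point.
snat_rule() { # $1 ext_if  $2 ext_ip
    printf 'iptables -t nat -A POSTROUTING -o %s -j SNAT --to-source %s\n' "$1" "$2"
}

# FORWARD rules. With an ACCEPT policy these are redundant; once the policy is
# tightened, only the DNAT'ed port is let in and only replies are let back out.
forward_rules() { # $1 ext_if  $2 int_if  $3 int_ip  $4 port
    printf 'iptables -A FORWARD -i %s -o %s -d %s -p tcp --dport %s -m state --state NEW,ESTABLISHED -j ACCEPT\n' \
        "$1" "$2" "$3" "$4"
    printf 'iptables -A FORWARD -i %s -o %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' \
        "$2" "$1"
}

# Dean's first check: the kernel must be routing between interfaces at all.
# The flag path is a parameter so the check can be run against a constructed
# file; with no argument it reads the live /proc value.
ip_forward_enabled() { # $1 path to the ip_forward flag (optional)
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ "$(cat "$f" 2>/dev/null)" = "1" ]
}

# All commands in order: enable forwarding first (persist it as
# net.ipv4.ip_forward = 1 in /etc/sysctl.conf), then NAT, then FORWARD.
emit_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    dnat_rule "$EXT_IF" "$EXT_IP" "$PORT" "$INT_IP"
    snat_rule "$EXT_IF" "$EXT_IP"
    forward_rules "$EXT_IF" "$INT_IF" "$INT_IP" "$PORT"
}

# Default action prints the rules; "--apply" runs them (needs root and a real
# iptables) and stops at the first command that fails.
case "${1:-}" in
    --apply)
        ip_forward_enabled || echo "ip_forward is 0; enabling it" >&2
        emit_rules | sh -ex ;;
    *)
        emit_rules ;;
esac
```

Run it with no arguments first and compare the printed rules with `iptables -t nat -L -v` after applying; if the counters on the DNAT rule climb but the web server never sees a SYN, the forwarding flag or the FORWARD chain is the next thing to look at, which is the order Kevin worked through with tcpdump.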