Port forwarding with iptables ???

Post by Joe Attard » Tue, 11 May 2004 10:41:22



Hi all,

I've read countless posts on this and still can't seem to figure it out.
Here's my situation.

On my Linux router box I have eth0, which is connected to the internal
network 192.168.0.1, and eth1 which is connected to my cable modem and the
Internet. On a machine in my internal network, 192.168.0.254, I am running a
web server on port 8080 and want to forward connections received on the
Linux box from the Internet to be forwarded to 192.168.0.254:8080, so:

eth1:outside internet:8080 --forward--> eth0:192.168.0.254:8080

No matter what I try, I can't get this to work. I flushed all other rules,
set all the policies to ACCEPT, and here are the rules I'm trying to use to
accomplish the forwarding:

 iptables -t nat -A PREROUTING -p tcp -i eth1 -o eth0 -d <internet
IP> --dport 8080 -j DNAT --to 192.168.0.254:8080

iptables -A FORWARD -p tcp -i eth0 -o eth0 -d 192.168.0.254 --dport 8080 -j
ACCEPT

But even with these rules, I just get a 'Connection refused' error.

Can anyone help?

Joe


Port forwarding with iptables ???

Post by Andre Majorel » Tue, 11 May 2004 10:49:28



> On my Linux router box I have eth0, which is connected to the internal
> network 192.168.0.1, and eth1 which is connected to my cable modem and the
> Internet. On a machine in my internal network, 192.168.0.254, I am running a
> web server on port 8080 and want to forward connections received on the
> Linux box from the Internet to be forwarded to 192.168.0.254:8080, so:

> eth1:outside internet:8080 --forward--> eth0:192.168.0.254:8080

> No matter what I try, I can't get this to work. I flushed all other rules,
> set all the policies to ACCEPT, and here are the rules I'm trying to use to
> accomplish the forwarding:

>  iptables -t nat -A PREROUTING -p tcp -i eth1 -o eth0 -d <internet
> IP> --dport 8080 -j DNAT --to 192.168.0.254:8080

> iptables -A FORWARD -p tcp -i eth0 -o eth0 -d 192.168.0.254 --dport 8080 -j
> ACCEPT

> But even with these rules, I just get a 'Connection refused' error.

Can't comment on the rules off the top of my head, but did you

  echo 1 >/proc/sys/net/ipv4/ip_forward

?

--
André Majorel <URL:http://www.teaser.fr/~amajorel/>
1, 2, 3... Testing... Does this thing work ?


Port forwarding with iptables ???

Post by Joe Attard » Tue, 11 May 2004 13:24:41


Hi Andre,

I did enable IP forwarding, as I am using this Linux router to share the
Internet connection across my network. I can get on the Internet from the
other machines, so IP forwarding is definitely enabled.

Joe



> > On my Linux router box I have eth0, which is connected to the internal
> > network 192.168.0.1, and eth1 which is connected to my cable modem and the
> > Internet. On a machine in my internal network, 192.168.0.254, I am running a
> > web server on port 8080 and want to forward connections received on the
> > Linux box from the Internet to be forwarded to 192.168.0.254:8080, so:

> > eth1:outside internet:8080 --forward--> eth0:192.168.0.254:8080

> > No matter what I try, I can't get this to work. I flushed all other rules,
> > set all the policies to ACCEPT, and here are the rules I'm trying to use to
> > accomplish the forwarding:

> >  iptables -t nat -A PREROUTING -p tcp -i eth1 -o eth0 -d <internet
> > IP> --dport 8080 -j DNAT --to 192.168.0.254:8080

> > iptables -A FORWARD -p tcp -i eth0 -o eth0 -d 192.168.0.254 --dport 8080 -j
> > ACCEPT

> > But even with these rules, I just get a 'Connection refused' error.

> Can't comment on the rules off the top of my head, but did you

>   echo 1 >/proc/sys/net/ipv4/ip_forward

> ?

> --
> André Majorel <URL:http://www.teaser.fr/~amajorel/>
> 1, 2, 3... Testing... Does this thing work ?


Port forwarding with iptables ???

Post by /dev/rob » Tue, 11 May 2004 14:02:49



> I've read countless posts on this and still can't seem to figure it out.

iptables is not easy to figure out at first, but once you do it gets
easier. :)

> eth1:outside internet:8080 --forward--> eth0:192.168.0.254:8080
> [snip]
>  iptables -t nat -A PREROUTING -p tcp -i eth1 -o eth0 -d <internet
> IP> --dport 8080 -j DNAT --to 192.168.0.254:8080

Did you try running this at the command line? If you had I think you
would have gotten an error here. "man iptables", see the "-o"
parameter: you can't have that in PREROUTING. Take it out.

Check the packet counters as you attempt connections. Do they increment
by one for each attempt? Of course this one won't because it's not in
your NAT table rules.

> iptables -A FORWARD -p tcp -i eth0 -o eth0 -d 192.168.0.254 --dport 8080 -j
> ACCEPT

But the ones coming in from the outside (eth1) will NOT be matched.
This is a bad rule too (but it wouldn't get an error.) I'd leave off
the interfaces; obviously the routing table will say that 192.168.0.254
goes out eth0.
--

  or put "not-spam" or "/dev/rob0" in Subject header to reply
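The two corrections /dev/rob0 describes (no "-o" in nat PREROUTING; a FORWARD rule that matches traffic entering on the WAN interface), plus Andre's ip_forward check and the packet-counter check, as a worked example. This is added here and is not code from the thread. It assumes the layout Joe gives (WAN eth1, LAN eth0, web server 192.168.0.254:8080), uses a placeholder PUBLIC_IP from the TEST-NET-3 range that must be replaced with the router's real external address, and uses the conntrack match so the FORWARD policy can later be tightened to DROP.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the corrected port-forward
# rule set for the layout Joe describes: WAN on eth1, LAN on eth0, web server
# on 192.168.0.254:8080. PUBLIC_IP is a placeholder (TEST-NET-3 range) that
# must be replaced with the router's real external address.
WAN_IF=${WAN_IF:-eth1}
LAN_IF=${LAN_IF:-eth0}
PUBLIC_IP=${PUBLIC_IP:-203.0.113.10}   # placeholder, not from the thread
TARGET=${TARGET:-192.168.0.254}
PORT=${PORT:-8080}

# The two points /dev/rob0 raises, encoded in the rules themselves:
#  - nat PREROUTING runs before the routing decision, so "-o" is illegal
#    there; match the incoming interface (-i) and the public address instead.
#  - FORWARD must match what actually traverses the box: in on the WAN
#    interface, out on the LAN interface (not "-i eth0 -o eth0").
# The third rule lets replies and other already-tracked flows back through,
# so the FORWARD policy can be set to DROP instead of ACCEPT.
forward_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp -d $PUBLIC_IP --dport $PORT -j DNAT --to-destination $TARGET:$PORT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $TARGET --dport $PORT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Lint: returns 1 for a rule that puts "-o" in PREROUTING (the mistake in the
# thread), 0 otherwise. iptables would reject such a rule itself, but catching
# it before applying anything avoids leaving half a rule set loaded.
lint_rule() {
    case "$1" in
        *PREROUTING*" -o "*) return 1 ;;
    esac
    return 0
}

# Andre's question as a function: is IPv4 forwarding enabled in the kernel?
ip_forward_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ]
}

# /dev/rob0's diagnostic: print per-rule packet counters so that each
# connection attempt from outside can be seen to bump the DNAT rule first and
# then the FORWARD rule. Needs root and a real iptables.
show_counters() {
    iptables -t nat -L PREROUTING -v -n --line-numbers
    iptables -L FORWARD -v -n --line-numbers
}

# Default: lint and print the rules. APPLY=1 executes them (root required).
forward_rules | while IFS= read -r rule; do
    lint_rule "$rule" || { echo "refusing bad rule: $rule" >&2; exit 1; }
    if [ "${APPLY:-0}" = 1 ]; then
        $rule
    else
        echo "$rule"
    fi
done
```

Run it without APPLY to review the rules, then with APPLY=1 as root, and call show_counters while connecting from a host that is really outside. A test from inside the LAN against the public address does not exercise this path: the packet arrives on eth0, not eth1, so the "-i eth1" DNAT rule never sees it and the counters stay flat.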

Port forwarding with iptables ???

Post by Joe Attard » Wed, 12 May 2004 08:45:09


I did run those at the command line, but I didn't get any errors.
I've tried just about every variant of those rules I could find on the Web or
Usenet.

Interestingly, though, one test I did was instead of jumping to DNAT, I
simply jumped to LOG, to see if any packets even were picked up by this
rule, and they were. Every time I sent a request to the port in question it
logged the packets. The same holds true for the FORWARD rule. So the packets
are matching... but... ugh, I dunno. :-)

Joe



> > I've read countless posts on this and still can't seem to figure it out.

> iptables is not easy to figure out at first, but once you do it gets
> easier. :)

> > eth1:outside internet:8080 --forward--> eth0:192.168.0.254:8080
> > [snip]
> >  iptables -t nat -A PREROUTING -p tcp -i eth1 -o eth0 -d <internet
> > IP> --dport 8080 -j DNAT --to 192.168.0.254:8080

> Did you try running this at the command line? If you had I think you
> would have gotten an error here. "man iptables", see the "-o"
> parameter: you can't have that in PREROUTING. Take it out.

> Check the packet counters as you attempt connections. Do they increment
> by one for each attempt? Of course this one won't because it's not in
> your NAT table rules.

> > iptables -A FORWARD -p tcp -i eth0 -o eth0 -d 192.168.0.254 --dport 8080 -j
> > ACCEPT

> But the ones coming in from the outside (eth1) will NOT be matched.
> This is a bad rule too (but it wouldn't get an error.) I'd leave off
> the interfaces; obviously the routing table will say that 192.168.0.254
> goes out eth0.
> --

>   or put "not-spam" or "/dev/rob0" in Subject header to reply


1. port forwarding with iptables

Hi there,
I want to forward a high port onto port 23 on my Linux box for remote
telnet.
I can set up basic NAT but not port forwarding - how do I do this?
I tried:
iptables -I FORWARD -p tcp --dport XXX -j ACCEPT
iptables -I PREROUTING -t nat -p tcp --dport XXX -j DNAT --to 192.168.0.201:23
Any suggestions?
Thanks
Allan
