iptables port forwarding problem


Post by Drak » Sat, 17 Nov 2001 06:13:23



Hi all,

I am having problems forwarding packets so they go through my NAT
box onto one of my masqued machines. I am using kernel 2.4.x with
iptables. Let's say that for my NAT box, the external IP is
24.24.24.24 (eth0) and the internal is 10.0.0.1 (eth1), and the
masqued machine I want to forward to is 10.0.0.2:6969, where an FTP
server is listening for connections.

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 24.24.24.24

works great and gives 10.0.0.2 access to the internet... but

iptables -t nat -A PREROUTING -p tcp --dport 6969 -i eth0 --to 10.0.0.2:6969

appears to work, and is listed when I do an "iptables -t nat -L"

but if I try to connect to 24.24.24.24:6969

I get:  Unable to connect to remote host: Connection refused

What is going on here??

Dan


Post by Dean Thompso » Sat, 17 Nov 2001 21:50:51


Hi!,

> I am having problems forwarding packets so they go through my NAT
> box onto one of my masqued machines. I am using kernel 2.4.x with
> iptables. Let's say that for my NAT box, the external IP is
> 24.24.24.24 (eth0) and the internal is 10.0.0.1 (eth1), and the
> masqued machine I want to forward to is 10.0.0.2:6969, where an FTP
> server is listening for connections.

> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 24.24.24.24

> works great and gives 10.0.0.2 access to the internet... but

> iptables -t nat -A PREROUTING -p tcp --dport 6969 -i eth0 --to 10.0.0.2:6969

> appears to work, and is listed when I do an "iptables -t nat -L"

> but if I try to connect to 24.24.24.24:6969

> I get:  Unable to connect to remote host: Connection refused

> What is going on here??

Personally, I would be using the -DNAT functionality to do the port forwarding
on your MASQ'ing server, and if you are trying to provide IP Masquerading
facilities then you will want to use the MASQUERADE option for iptables.

See ya

Dean Thompson

--
+____________________________+____________________________________________+

| Bach. Computing (Hons)     | ICQ     - 45191180                         |
| PhD Student                | Office  - <Off-Campus>                     |
| School Comp.Sci & Soft.Eng | Phone   - +61 3 9903 2787 (Gen. Office)    |
| MONASH (Caulfield Campus)  | Fax     - +61 3 9903 1077                  |
| Melbourne, Australia       |                                            |
+----------------------------+--------------------------------------------+

 
 
 

1. Iptables port forwarding problem

Good...

I have set up iptables using firewall builder (fwbuilder.sourceforge.org),
and everything seems to be working except port forwarding. I couldn't find
an answer on Google, so maybe one of you guys can figure this one out.

My setup is like this : LAN --> eth1 --> eth0 --> ppp0

This is (the most interesting part of) the script generated by fwbuilder :

#
#  Rule 0(NAT)
#
#
$IPTABLES -t nat -A PREROUTING  -p tcp   --destination-port 8080 -j DNAT --to-destination 192.168.0.20:8080
#
#  Rule 1(NAT)
#
#
$IPTABLES -t nat -A POSTROUTING -o ppp0  -s 192.168.0.1 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o ppp0  -s 192.168.0.2 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o ppp0  -s 192.168.0.0/24 -j MASQUERADE
#
#

$IPTABLES -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Rule 0(lo)
#
# allow everything on loopback
#
$IPTABLES -A INPUT  -i lo -j ACCEPT
$IPTABLES -A FORWARD  -i lo -j ACCEPT
$IPTABLES -A OUTPUT  -o lo -j ACCEPT
$IPTABLES -A FORWARD  -o lo -j ACCEPT
#
# Rule 0(global)
#
#
#
$IPTABLES -A OUTPUT -p tcp  -d 192.168.0.1  --destination-port 8080  -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp  -d 192.168.0.2  --destination-port 8080  -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp  --destination-port 8080  -m state --state NEW -j ACCEPT
#
# Rule 1(global)
#
#
#
$IPTABLES -A OUTPUT -p icmp  -d 192.168.0.1  -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p icmp  -d 192.168.0.2  -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p icmp  -m state --state NEW -j ACCEPT
#
# Rule 2(global)
#
# firewall uses DNS server on LAN
#
$IPTABLES -A INPUT -p udp  -s 192.168.0.1  --destination-port 53  -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p udp  -s 192.168.0.2  --destination-port 53  -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp  -d 192.168.0.1  --destination-port 53  -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp  -d 192.168.0.2  --destination-port 53  -m state --state NEW -j ACCEPT
#
# Rule 3(global)
#
# 'masquerading' rule
#
$IPTABLES -A INPUT  -s 192.168.0.1  -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT  -s 192.168.0.2  -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT  -s 192.168.0.0/24  -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT  -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD  -s 192.168.0.0/24  -m state --state NEW -j ACCEPT
#
# Rule 4(global)
#
# 'catch all' rule
#
$IPTABLES -A OUTPUT -j DROP
$IPTABLES -A INPUT -j DROP
$IPTABLES -A FORWARD -j DROP
#
#
echo 1 > /proc/sys/net/ipv4/ip_forward

Hope you see the problem because this one is driving me crazy :/.

Thnx!
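
Added example (not part of the original posts and not fwbuilder output): a packet that DNAT rewrites to another host is routed through the FORWARD chain rather than INPUT, so a port forward needs both a PREROUTING rule with -j DNAT and a FORWARD rule accepting new connections to the internal host. The function names lint_portfwd and sample_rules are hypothetical, and the sample rules are constructed from the two questions above.

```shell
#!/bin/sh
# Added example: lint iptables rules on stdin for the two port-forward
# mistakes in this thread. Heuristic: only an explicit FORWARD ACCEPT with
# -d <DNAT host> counts; a permissive FORWARD policy is not modelled.
lint_portfwd() {
  awk '
    # Value that follows option "opt" on this line, or "" if absent.
    function optval(opt,   i) {
      for (i = 1; i < NF; i++) if ($i == opt) return $(i + 1)
      return ""
    }
    /^[ \t]*#/ || !/ -A / { next }   # skip comments and non-append lines
    {
      chain = optval("-A"); target = optval("-j")
      to = optval("--to-destination"); if (to == "") to = optval("--to")
      if (chain == "PREROUTING" && to != "" && target == "")
        print "NO_TARGET " to        # --to given, but no -j DNAT
      if (chain == "PREROUTING" && target == "DNAT") dnat[++n] = to
      if (chain == "FORWARD" && target == "ACCEPT" && optval("-d") != "") {
        port = optval("--dport")
        if (port == "") port = optval("--destination-port")
        allow[optval("-d") ":" port] = 1
      }
    }
    END {
      for (i = 1; i <= n; i++) {
        split(dnat[i], hp, ":")      # hp[1] = host, hp[2] = port
        if (!((hp[1] ":" hp[2]) in allow) && !((hp[1] ":") in allow))
          print "NO_FORWARD " dnat[i]  # DNAT target never accepted in FORWARD
      }
    }'
}

# Constructed sample: rules taken from the two questions, one rule per line.
sample_rules() {
  cat <<'EOF'
iptables -t nat -A PREROUTING -p tcp --dport 6969 -i eth0 --to 10.0.0.2:6969
$IPTABLES -t nat -A PREROUTING -p tcp --destination-port 8080 -j DNAT --to-destination 192.168.0.20:8080
$IPTABLES -A INPUT -p tcp --destination-port 8080 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.0.0/24 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -j DROP
EOF
}

sample_rules | lint_portfwd
```

The lint does not check rule order; the FORWARD ACCEPT for the internal host must also come before the catch-all DROP.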
