Old 07-26-2005, 12:35 PM   #1
LQ Newbie
Registered: Apr 2005
Posts: 3

Rep: Reputation: 0
adsl+iptables+port forward+"-m tcp" strange problem

I. State the situation
I'm using an iptables gateway dialing up an ADSL connection to connect to the internet,
and port forwarding LAN services to the internet, the classic situation.

When I use DNAT with "-m tcp", it works fine:
/sbin/iptables -t nat -A PREROUTING -p tcp -m tcp --dport 12000 -j DNAT --to

But without "-m tcp", it's all over, failed.
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 12000 -j DNAT --to

In the formal/informal docs of netfilter I have read, I can't find anything about "-m tcp", but almost every DNAT uses this option.

I guess without "-m tcp" the static IP situation will work, but without it,
an ADSL connection will not.

Maybe implicit rules do not take effect when using dynamic IP, so the explicit -m tcp must be added.

Could anyone help? Thanks a lot!
Old 07-26-2005, 03:43 PM   #2
Registered: Oct 2003
Location: USA
Distribution: Ubuntu
Posts: 216

Rep: Reputation: 30

iptables can use extended packet matching modules. These are loaded in two ways: implicitly, when -p or --protocol is specified, or with the -m or --match options, followed by the matching module name; after these, various extra command line options become available, depending on the specific module. You can specify multiple extended match modules in one line, and you can use the -h or --help options after the module has been specified to receive help specific to that module.

--dport 12000
That is a command option passed to the tcp module.

BTW, an awesome book to pick up is Linux Firewalls
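
The implicit loading described in the reply above, as an added example that is not part of the original thread: a shell function that spells out the protocol match that -p tcp or -p udp loads for port options, which is how iptables-save prints such rules. The helper name explicit_match and the 192.0.2.10 DNAT target are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): make the implicitly loaded protocol
# match explicit, as iptables-save prints it. Handles tcp/udp port options only.
# explicit_match is a hypothetical helper name; 192.0.2.10 is a constructed address.

explicit_match() {
    proto="" matches=" " needs=0 prev=""
    # Pass 1: record the protocol, any -m modules, and use of port options.
    for w in "$@"; do
        case "$prev" in
            -p|--protocol) proto=$w ;;
            -m|--match)    matches="$matches$w " ;;
        esac
        case "$w" in
            --dport|--sport|--destination-port|--source-port) needs=1 ;;
        esac
        prev=$w
    done
    # Port options belong to the tcp/udp modules; without -p nothing loads them.
    if [ "$needs" -eq 1 ]; then
        case "$proto" in
            tcp|udp) ;;
            *) echo "port option given without -p tcp or -p udp" >&2; return 1 ;;
        esac
    fi
    # Pass 2: re-emit the rule, adding "-m <proto>" after "-p <proto>" if absent.
    out="" prev=""
    for w in "$@"; do
        out="${out:+$out }$w"
        if [ "$needs" -eq 1 ]; then
            case "$prev" in
                -p|--protocol)
                    case "$matches" in
                        *" $proto "*) ;;
                        *) out="$out -m $proto" ;;
                    esac ;;
            esac
        fi
        prev=$w
    done
    printf '%s\n' "$out"
}

# The two forms from the first post, with a constructed DNAT target.
short=$(explicit_match -t nat -A PREROUTING -p tcp --dport 12000 -j DNAT --to-destination 192.0.2.10:12000)
long=$(explicit_match -t nat -A PREROUTING -p tcp -m tcp --dport 12000 -j DNAT --to-destination 192.0.2.10:12000)
if [ "$short" = "$long" ]; then echo "same rule: $short"; fi
```

Both forms normalize to the same rule, so a difference in behaviour between them on a gateway has to come from something other than the match itself.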
Old 07-26-2005, 09:18 PM   #3
Registered: Jul 2005
Distribution: Debian, Gentoo, self-built [not LFS]
Posts: 109

Rep: Reputation: 15
Try including the port in the DNAT command. Instead of running this:

/sbin/iptables -t nat -A PREROUTING -p tcp -m tcp --dport 12000 -j DNAT --to

Run this:

/sbin/iptables -t nat -A PREROUTING -p tcp --dport 12000 -j DNAT --to

Notice that the --to address includes the port now. See if that gives you any luck.
Old 07-31-2005, 10:31 PM   #4
LQ Newbie
Registered: Apr 2005
Posts: 3

Original Poster
Rep: Reputation: 0
Thank You

And the version WITHOUT "-m tcp" was documented in the official HOW-TO provided by the .
So, I posted this message.

