LinuxQuestions.org
#1  12-18-2007, 03:17 AM
nicolas79 (LQ Newbie; Registered: Dec 2007; Posts: 3)

DNAT / Port Forwarding Problem

Hi there,

I have a problem setting up port forwarding using DNAT. I know this topic has been covered in several other posts, and I think I have read all of them and tried fixing my problem. The fact is that it still does not work, and therefore I would like to ask you if you have any ideas.


After running the following script I get the error "Could not open a connection to host on port 81" when I telnet to port 81 of my server. (Telnetting to 130.59.138.34:80 from my server works.)

iptables script:
*************************
Code:
iptables -t nat -F
iptables -t filter -F
iptables -A PREROUTING -t nat -p tcp --dport 81 -j DNAT --to 130.59.138.34:80
iptables -A FORWARD -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward

server facts
************
2.6.18-5-amd64 #1 SMP x86_64 GNU/Linux
iptables v1.3.6
interfaces: eth0 (single ip) and lo

output of iptables -t nat --list
********************************
Code:
> iptables -t nat --list
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       tcp  --  anywhere             anywhere            tcp dpt:81 to:130.59.138.34:80 

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

output of iptables-save
***************************
Code:
> iptables-save 
# Generated by iptables-save v1.3.6 on Tue Dec 18 09:53:24 2007
*filter
:INPUT ACCEPT [34924:16179522]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [35722:30366922]
-A FORWARD -j ACCEPT 
COMMIT
# Completed on Tue Dec 18 09:53:24 2007
# Generated by iptables-save v1.3.6 on Tue Dec 18 09:53:24 2007
*nat
:PREROUTING ACCEPT [1654:97177]
:POSTROUTING ACCEPT [408:24444]
:OUTPUT ACCEPT [405:24300]
-A PREROUTING -p tcp -m tcp --dport 81 -j DNAT --to-destination 130.59.138.34:80 
COMMIT
# Completed on Tue Dec 18 09:53:24 2007
 
#2  12-18-2007, 12:48 PM
dkm999 (Member; Registered: Nov 2006; Location: Seattle, WA; Distribution: Fedora; Posts: 407)

If you are running SELinux, the protection rules may be getting in your way. You might check for syslog messages saying something about telnet and a denial for a privileged port. This access violation will only occur when you attempt the connection from a process on your firewall; an outside requestor will fly through without impediment, getting remapped to port 80 on your internal server.

If this is your problem, you will need to use the SELinux Management stuff to create the necessary ruleset to permit the (non-standard) access.
 
#3  12-18-2007, 06:37 PM
win32sux (Guru; Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)

If these rules are running on the server itself, then you wanna use the REDIRECT target, not the DNAT one. If these rules are running on a dedicated firewall in front of the server, then you are missing a POSTROUTING rule targeting SNAT or MASQUERADE.
 
#4  12-19-2007, 02:09 AM
nicolas79 (LQ Newbie; Original Poster; Registered: Dec 2007; Posts: 3)

Quote:
Originally Posted by dkm999
If you are running SELinux, the protection rules may be getting in your way. You might check for syslog messages saying something about telnet and a denial for a privileged port. This access violation will only occur when you attempt the connection from a process on your firewall; an outside requestor will fly through without impediment, getting remapped to port 80 on your internal server.

If this is your problem, you will need to use the SELinux Management stuff to create the necessary ruleset to permit the (non-standard) access.
Thank you for the hint, but I am not using SELinux. I am using Debian Etch without special add-ons.
 
#5  12-19-2007, 02:19 AM
nicolas79 (LQ Newbie; Original Poster; Registered: Dec 2007; Posts: 3)

Quote:
Originally Posted by win32sux
If these rules are running on the server itself, then you wanna use the REDIRECT target, not the DNAT one. If these rules are running on a dedicated firewall in front of the server, then you are missing a POSTROUTING rule targetting SNAT or MASQUERADE.
Thank you for the post.

I have added

Code:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
and now the redirect works!!!!

I am quite surprised about that, since I read that you don't need a POSTROUTING rule for port forwarding (http://linux-ip.net/html/nat-dnat.html).

If anyone could explain this to me I would be very interested.
 
#6  12-19-2007, 07:42 AM
win32sux (Guru; Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)

Quote:
Originally Posted by nicolas79
If anyone could explain this to me I would be very interested.
The DNAT rule changes the destination on the inbound packets. The SNAT/MASQUERADE rule changes the source on the outbound packets, since the packets returning from the server to the client need to have their LAN source IPs changed into the WAN IP of the firewall. To the client everything looks like he's only dealing with the firewall.
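Added example (not code from the thread or from any of its posters) that models the explanation above for the rules nicolas79 posted: a toy conntrack applies the PREROUTING DNAT to 130.59.138.34:80 and, optionally, the POSTROUTING MASQUERADE, and shows that without MASQUERADE the upstream's reply is addressed straight to the client from an address the client never connected to, so it never comes back through the firewall to be un-NATed. The client and firewall addresses, the MASQUERADE source port, and the class and function names are constructed assumptions.

```python
CLIENT = ("192.0.2.10", 40000)      # constructed: external telnet client
FIREWALL = ("198.51.100.1", 81)     # constructed: the server's eth0 IP, port 81
UPSTREAM = ("130.59.138.34", 80)    # DNAT target from the thread
MASQ_PORT = 1025                    # constructed: source port picked by MASQUERADE


class Nat:
    """PREROUTING DNAT --to 130.59.138.34:80, plus optional POSTROUTING MASQUERADE."""
    def __init__(self, masquerade):
        self.masquerade = masquerade
        self.conntrack = {}   # (src, dst) as sent on the wire -> (src, dst) as received

    def forward(self, src, dst):
        """Inbound SYN from the client; returns the tuple that leaves eth0."""
        orig = (src, dst)
        if dst == FIREWALL:                 # -t nat -A PREROUTING -p tcp --dport 81 -j DNAT
            dst = UPSTREAM
        if self.masquerade:                 # -t nat -A POSTROUTING -o eth0 -j MASQUERADE
            src = (FIREWALL[0], MASQ_PORT)
        self.conntrack[(src, dst)] = orig   # remember the flow so replies can be un-NATed
        return src, dst

    def reply(self, src, dst):
        """Packet from the upstream back to the firewall: reverse both translations."""
        orig = self.conntrack.get((dst, src))   # a reply is the wire tuple mirrored
        if orig is None:
            return None                          # no entry: conntrack treats this as INVALID
        orig_src, orig_dst = orig
        return orig_dst, orig_src                # now src=FIREWALL:81, dst=CLIENT


def upstream_reply(src, dst):
    """The upstream web server answers whatever source address it was sent."""
    return dst, src


def run_session(masquerade):
    """Return (reply tuple the client sees, whether its TCP stack accepts it)."""
    nat = Nat(masquerade)
    wire = nat.forward(CLIENT, FIREWALL)        # client -> 198.51.100.1:81
    rsrc, rdst = upstream_reply(*wire)
    if rdst[0] == FIREWALL[0]:                  # reply routed back through the NAT box
        seen = nat.reply(rsrc, rdst)
    else:                                       # reply goes straight to the client
        seen = (rsrc, rdst)
    # The client's socket expects the SYN-ACK from 198.51.100.1:81; anything else is reset.
    return seen, seen == (FIREWALL, CLIENT)
```

Without MASQUERADE the client receives a SYN-ACK from 130.59.138.34:80 for a connection it opened to 198.51.100.1:81, which is exactly the "Could not open a connection" failure in the first post; with MASQUERADE the reply is routed to the firewall, matched in conntrack, and rewritten back to the client's original 5-tuple.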
 