DNAT / Port Forwarding Problem

nicolas79 · 12-18-2007, 03:17 AM

Hi there,

I have a problem setting up port forwarding using DNAT. I know this topic has been covered in several other posts, and i think i have read all of them and tried fixing my problem. Fact is that it still does not work and therefore i would like to ask you if you have any ideas....

After running the following script i get the error "Could not open a connection to host on port 81" when i telnet on the port 81 of my server. (telnetting to 130.59.138.34:80 from my server works)

iptables script:
*************************

Code:

iptables -t nat -F
iptables -t filter -F
iptables -A PREROUTING -t nat -p tcp --dport 81 -j DNAT --to 130.59.138.34:80
iptables -A FORWARD -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward

server facts
************
2.6.18-5-amd64 #1 SMP x86_64 GNU/Linux
iptables v1.3.6
interfaces: eth0 (single ip) and lo

output of iptables -t nat --list
********************************

Code:

> iptables -t nat --list
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       tcp  --  anywhere             anywhere            tcp dpt:81 to:130.59.138.34:80 

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

output of iptables-save
***************************

Code:

> iptables-save 
# Generated by iptables-save v1.3.6 on Tue Dec 18 09:53:24 2007
*filter
:INPUT ACCEPT [34924:16179522]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [35722:30366922]
-A FORWARD -j ACCEPT 
COMMIT
# Completed on Tue Dec 18 09:53:24 2007
# Generated by iptables-save v1.3.6 on Tue Dec 18 09:53:24 2007
*nat
:PREROUTING ACCEPT [1654:97177]
:POSTROUTING ACCEPT [408:24444]
:OUTPUT ACCEPT [405:24300]
-A PREROUTING -p tcp -m tcp --dport 81 -j DNAT --to-destination 130.59.138.34:80 
COMMIT
# Completed on Tue Dec 18 09:53:24 2007

dkm999 · 12-18-2007, 12:48 PM

If you are running SELinux, the protection rules may be getting in your way. You might check for syslog messages saying something about telnet and a denial for a privileged port. This access violation will only occur when you attempt the connection from a process on your firewall; an outside requestor will fly through without impediment, getting remapped to port 80 on your internal server.

If this is your problem, you will need to use the SELinux Management stuff to create the necessary ruleset to permit the (non-standard) access.

win32sux · 12-18-2007, 06:37 PM

If these rules are running on the server itself, then you wanna use the REDIRECT target, not the DNAT one. If these rules are running on a dedicated firewall in front of the server, then you are missing a POSTROUTING rule targetting SNAT or MASQUERADE.

nicolas79 · 12-19-2007, 02:09 AM

Quote:

Originally Posted by dkm999

If you are running SELinux, the protection rules may be getting in your way. You might check for syslog messages saying something about telnet and a denial for a privileged port. This access violation will only occur when you attempt the connection from a process on your firewall; an outside requestor will fly through without impediment, getting remapped to port 80 on your internal server.

If this is your problem, you will need to use the SELinux Management stuff to create the necessary ruleset to permit the (non-standard) access.

Thank you for the hint, but i am not using SELinux. I am using Debian Etch without special Addons.

nicolas79 · 12-19-2007, 02:19 AM

Quote:

Originally Posted by win32sux

If these rules are running on the server itself, then you wanna use the REDIRECT target, not the DNAT one. If these rules are running on a dedicated firewall in front of the server, then you are missing a POSTROUTING rule targetting SNAT or MASQUERADE.

Thank you for the post.

I have added

Code:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

and now the redirect works!!!!

I am quite surprised about that since i read that you don't need a POSTROUTING rule for port forwarding. (http://linux-ip.net/html/nat-dnat.html).

If anyone could explain this to me i would be very interested.

win32sux · 12-19-2007, 07:42 AM

Quote:

Originally Posted by nicolas79

If anyone could explain this to me i would be very interested.

The DNAT rule changes the destination on the inbound packets. The SNAT/MASQUERADE rule changes the source on the outbound packets, since the packets returning from the server to the client need to have their LAN source IPs changed into the WAN IP of the firewall. To the client everything looks like he's only dealing with the firewall.