LinuxQuestions.org
Old 06-10-2006, 01:08 PM   #1
zgauthier
Member
 
Registered: Aug 2004
Distribution: Slackware 10.1
Posts: 45

Rep: Reputation: 15
IPTables Nightmare


I've been trying to solve this on my own for a few days now. I'm now at the point where I'm frustrated enough to ask for help. So here's my setup. I've got a machine acting as a bridge using ebtables, as well as acting as a gateway. The bridge simply goes from my school's network to my machines, same subnet, nothing is done with those packets. Now there's also a vpn to another network set up on this same machine. This box acts as a gateway between my machines and this vpn network. In that sense, it's working. However, I need to forward ports to my machines. That is, forward them so the people on the vpn network can get to services running on my machines. I can't get this to work. The vpn network is on a completely different subnet, hence the need for nat and port forwarding. Please, if anyone has any experience with iptables and port forwarding, I could really use your help. Below is my current iptables script.


iptables -t nat -A POSTROUTING -o tap0 -j MASQUERADE

iptables -t nat -A PREROUTING -i tap0 -p tcp -j DROP
iptables -t nat -A PREROUTING -i tap0 -p udp -j DROP
iptables -t nat -A PREROUTING -i tap0 -p icmp -j ACCEPT
iptables -t nat -A PREROUTING -i tap0 -p tcp --dport 81 -j DNAT --to 192.168.1.194:81
iptables -t nat -A PREROUTING -i tap0 -p tcp --dport 6000 -j DNAT --to 192.168.1.194:6000
iptables -t nat -A PREROUTING -i tap0 -p tcp --dport 22 -j DNAT --to 192.168.1.194:22
iptables -t nat -A PREROUTING -i tap0 -p tcp --dport 21 -j DNAT --to 192.168.1.194:21

Last edited by zgauthier; 06-10-2006 at 02:59 PM.
 
Old 06-10-2006, 11:05 PM   #2
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
I haven't figured out everything you are trying to do, but your PREROUTING rules look very strange. Remember that rules in any chain are tested in sequence until a match is made with a rule containing a jump (-j) command.

In your case, you are *immediately* dropping all udp and tcp packets from tap0. Then you are accepting (*without* DNATing) all icmp packets from that interface. So tcp packets will not even make it to the rules where you actually DNAT!

My guess is you want to either eliminate the first three PREROUTING rules or move them after the DNAT rules.

Last edited by blackhole54; 06-12-2006 at 12:03 AM.
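An added example, not part of this thread, that models the first-match rule walk blackhole54 describes: a small POSIX sh simulator of the nat PREROUTING chain, with the original rule order beside the corrected one (DNAT rules first, no blanket DROPs). The rule format and the UNMATCHED marker are constructed for this example; the ports and the 192.168.1.194 target are taken from the original script.

```shell
#!/bin/sh
# Constructed rule format: "<proto> <dport|any> <target>", one rule per line,
# evaluated top to bottom, first match wins, exactly as within one iptables chain.

ORIGINAL_CHAIN='tcp any DROP
udp any DROP
icmp any ACCEPT
tcp 81 DNAT-192.168.1.194:81
tcp 6000 DNAT-192.168.1.194:6000
tcp 22 DNAT-192.168.1.194:22
tcp 21 DNAT-192.168.1.194:21'

# Corrected order: the three blanket rules removed, so DNAT rules are reachable.
FIXED_CHAIN='tcp 81 DNAT-192.168.1.194:81
tcp 6000 DNAT-192.168.1.194:6000
tcp 22 DNAT-192.168.1.194:22
tcp 21 DNAT-192.168.1.194:21'

# first_match CHAIN PROTO DPORT
# Prints the target of the first rule that matches, or UNMATCHED when the
# packet falls off the end of the chain (in the nat table that means it is
# simply not translated and continues to routing).
first_match() {
    proto=$2; dport=$3
    while read -r r_proto r_port r_target; do
        [ -n "$r_proto" ] || continue                     # skip blank lines
        [ "$r_proto" = "$proto" ] || continue             # protocol must match
        [ "$r_port" = any ] || [ "$r_port" = "$dport" ] || continue
        printf '%s\n' "$r_target"
        return 0                                          # later rules never consulted
    done <<EOF
$1
EOF
    printf 'UNMATCHED\n'
}

# Demo: the same ssh packet from tap0 under both orderings.
for port in 22 81; do
    echo "tcp/$port original order: $(first_match "$ORIGINAL_CHAIN" tcp "$port")"
    echo "tcp/$port fixed order:    $(first_match "$FIXED_CHAIN" tcp "$port")"
done
```

On a real box the equivalent check is `iptables -t nat -L PREROUTING -n --line-numbers`, which prints the chain in evaluation order so a shadowing rule above the DNAT rules is visible at a glance.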
 
Old 06-10-2006, 11:56 PM   #3
EvilC0P
LQ Newbie
 
Registered: Jun 2006
Location: Montreal
Distribution: Fedora Core 4
Posts: 16

Rep: Reputation: 0
and the masquerade line should be last.

but it's more a routing problem you are having imo. it's pretty hard to debug your situation with so little detail about your setup.

you shouldn't have to do any port forwarding if people can ping your machine, since you are in the same network. try putting the firewall down to see if it works: service iptables stop
 
Old 06-11-2006, 01:18 PM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by zgauthier
iptables -t nat -A PREROUTING -i tap0 -p tcp -j DROP
iptables -t nat -A PREROUTING -i tap0 -p udp -j DROP
iptables -t nat -A PREROUTING -i tap0 -p icmp -j ACCEPT
Even though I'm having a hard time understanding your situation even after reading your post twice, I do believe you should probably get rid of these three rules...
 
Old 06-11-2006, 11:56 PM   #5
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
Quote:
Originally Posted by EvilC0P
and the masquerade line should be last.
Masquerade is in a different chain, so it doesn't matter where that command is in the script.
 
Old 06-12-2006, 10:15 AM   #6
zgauthier
Member
 
Registered: Aug 2004
Distribution: Slackware 10.1
Posts: 45

Original Poster
Rep: Reputation: 15
Thanks for everyone's input. It was just removing those three lines that did it. I apologize for any confusion about what I'm doing. It's not your ordinary linux router.
 