Old 08-23-2007, 05:59 AM   #1
thomaspsimon
LQ Newbie
 
Registered: Jun 2007
Posts: 23

Rep: Reputation: 15
Iptables DNAT ! Please help !


Hi,

The image below shows my current setup where the linux box is an FC7 one

http://bionline.biz/images/Doc1.jpg

In the Linux box eth0 is 192.168.0.155/24 and eth1 is 10.4.0.177/16.

I have created one iptables script, as pasted below, using the Easy Firewall Generator for iptables. The issue is that I am not able to reach port 110 on 10.4.0.100, which is my mail server, from my PC (192.168.0.151).

At the same time DNAT to an IP address of the same series as eth0 works perfectly. For example, if I change the DNAT destination from 10.4.0.100 to 192.168.0.159 (again a test mail server) in the script, I am able to reach it at port 110 from my PC successfully.

Can anyone please tell me the reason why I am not able to reach 10.4.0.100 at port number 110 from my PC 192.168.0.151?

I should be able to reach the mail server (10.4.0.100) by contacting eth0 of the gateway like "telnet 192.168.0.155 110".

Your help is badly needed....!!!

# Generated by iptables-save v1.3.7 on Thu Aug 23 09:43:47 2007
*mangle
:PREROUTING ACCEPT [515:54335]
:INPUT ACCEPT [3681:310183]
:FORWARD ACCEPT [66:4090]
:OUTPUT ACCEPT [315:91576]
:POSTROUTING ACCEPT [2839:673458]
COMMIT
# Completed on Thu Aug 23 09:43:47 2007
# Generated by iptables-save v1.3.7 on Thu Aug 23 09:43:47 2007
*nat
:PREROUTING ACCEPT [107:25629]
:POSTROUTING ACCEPT [8:480]
:OUTPUT ACCEPT [9:556]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 10.4.0.100
-A POSTROUTING -o eth0 -j SNAT --to-source 192.168.0.155
COMMIT
# Completed on Thu Aug 23 09:43:47 2007
# Generated by iptables-save v1.3.7 on Thu Aug 23 09:43:47 2007
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [4:904]
:bad_packets - [0:0]
:bad_tcp_packets - [0:0]
:icmp_packets - [0:0]
:tcp_inbound - [0:0]
:tcp_outbound - [0:0]
:udp_inbound - [0:0]
:udp_outbound - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j bad_packets
-A INPUT -d 224.0.0.1 -j DROP
-A INPUT -s 10.4.0.0/255.255.0.0 -i eth1 -j ACCEPT
-A INPUT -d 10.4.255.255 -i eth1 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -j tcp_inbound
-A INPUT -i eth0 -p udp -j udp_inbound
-A INPUT -i eth0 -p icmp -j icmp_packets
-A INPUT -m pkttype --pkt-type broadcast -j DROP
-A INPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "INPUT packet died: "
-A FORWARD -j bad_packets
-A FORWARD -i eth1 -p tcp -j tcp_outbound
-A FORWARD -i eth1 -p udp -j udp_outbound
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.4.0.100 -i eth0 -p tcp -m tcp --dport 110 -j ACCEPT
-A FORWARD -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "FORWARD packet died: "
-A OUTPUT -p icmp -m state --state INVALID -j DROP
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 10.4.0.177 -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "OUTPUT packet died: "
-A bad_packets -s 10.4.0.0/255.255.0.0 -i eth0 -j LOG --log-prefix "Illegal source: "
-A bad_packets -s 10.4.0.0/255.255.0.0 -i eth0 -j DROP
-A bad_packets -m state --state INVALID -j LOG --log-prefix "Invalid packet: "
-A bad_packets -m state --state INVALID -j DROP
-A bad_packets -p tcp -j bad_tcp_packets
-A bad_packets -j RETURN
-A bad_tcp_packets -i eth1 -p tcp -j RETURN
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "New not syn: "
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A bad_tcp_packets -p tcp -j RETURN
-A icmp_packets -p icmp -f -j LOG --log-prefix "ICMP Fragment: "
-A icmp_packets -p icmp -f -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A icmp_packets -p icmp -j RETURN
-A tcp_inbound -p tcp -m tcp --dport 80 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 25 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 110 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 143 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 469 -j ACCEPT
-A tcp_inbound -p tcp -j RETURN
-A tcp_outbound -p tcp -j ACCEPT
-A udp_inbound -p udp -m udp --dport 137 -j DROP
-A udp_inbound -p udp -m udp --dport 138 -j DROP
-A udp_inbound -p udp -j RETURN
-A udp_outbound -p udp -j ACCEPT
COMMIT
# Completed on Thu Aug 23 09:43:47 2007


Thanks..

Last edited by thomaspsimon; 08-23-2007 at 06:33 AM.
 
Old 08-23-2007, 09:02 AM   #2
muha
Member
 
Registered: Nov 2005
Distribution: xubuntu, grml
Posts: 451

Rep: Reputation: 30
Quote:
Originally Posted by thomaspsimon View Post
-A PREROUTING -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 10.4.0.100
Have you tried including the destination port on the mailserver? Like so:
Code:
-A PREROUTING -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 10.4.0.100:110
See also this thread for port forwarding and iptables:
http://www.linuxquestions.org/questi...d.php?t=287491
As also stated in that thread, log packets before dropping them and review the logging (or hitcount numbers) to see whether stuff gets dropped at all.
Simplify your ruleset for testing purposes ...

Last edited by muha; 08-23-2007 at 09:04 AM.
 
Old 08-23-2007, 09:15 AM   #3
thomaspsimon
LQ Newbie
 
Registered: Jun 2007
Posts: 23

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by muha View Post
Have you tried including the destination port on the mailserver? Like so:
Code:
-A PREROUTING -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 10.4.0.100:110
See also this thread for port forwarding and iptables:
http://www.linuxquestions.org/questi...d.php?t=287491
As also stated in that thread, log packets before dropping them and review the logging (or hitcount numbers) to see whether stuff gets dropped at all.
Simplify your ruleset for testing purposes ...
Hi muha,

Yes, tried, but no improvement. If that was the case it would not have got connected when I change the destination IP from the 10.4. series to an eth0 series IP, say 192.168.0.159.

Hope you understand. Anyway, I tried that way also.

Please help..
 
Old 08-23-2007, 09:21 AM   #4
muha
Member
 
Registered: Nov 2005
Distribution: xubuntu, grml
Posts: 451

Rep: Reputation: 30
What about my other suggestions? Are you getting any DROPs or hits on any rules?

Last edited by muha; 08-23-2007 at 09:26 AM.
 
Old 08-23-2007, 09:37 AM   #5
thomaspsimon
LQ Newbie
 
Registered: Jun 2007
Posts: 23

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by muha View Post
What about my other suggestions? Are you getting any DROPs or hits on any rules?
Yes... with the current rules I am getting some logs as follows, but nothing related to 192.168.0.155 as destination.

Aug 23 17:09:54 gateway kernel: FORWARD packet died: IN=eth0 OUT=eth0 SRC=192.168.0.151 DST=195.219.14.20 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=37785 PROTO=UDP SPT=1092 DPT=53 LEN=44
Aug 23 17:10:49 gateway kernel: FORWARD packet died: IN=eth0 OUT=eth0 SRC=192.168.0.151 DST=195.219.14.20 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=38071 PROTO=UDP SPT=1092 DPT=53 LEN=44
Aug 23 17:10:50 gateway kernel: FORWARD packet died: IN=eth0 OUT=eth0 SRC=192.168.0.151 DST=195.219.14.20 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=38076 PROTO=UDP SPT=1092 DPT=53 LEN=44
Aug 23 17:10:57 gateway kernel: FORWARD packet died: IN=eth0 OUT=eth0 SRC=192.168.0.151 DST=195.219.14.20 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=38218 PROTO=UDP SPT=1092 DPT=53 LEN=44
Aug 23 17:11:12 gateway kernel: FORWARD packet died: IN=eth0 OUT=eth0 SRC=192.168.0.151 DST=195.219.14.20 LEN=61 TOS=0x00 PREC=0x00 TTL=63 ID=38274 PROTO=UDP SPT=1092 DPT=53 LEN=41
Aug 23 17:11:21 gateway kernel: host 192.168.0.151/if3 ignores redirects for 195.219.14.20 to 192.168.0.15.
Aug 23 17:11:21 gateway kernel: FORWARD packet died: IN=eth0 OUT=eth0 SRC=192.168.0.151 DST=195.219.14.20 LEN=61 TOS=0x00 PREC=0x00 TTL=63 ID=38301 PROTO=UDP SPT=1092 DPT=53 LEN=41
Aug 23 17:11:22 gateway kernel: FORWARD packet died: IN=eth0 OUT=eth0 SRC=192.168.0.151 DST=195.219.14.20 LEN=61 TOS=0x00 PREC=0x00 TTL=63 ID=38302 PROTO=UDP SPT=1092 DPT=53 LEN=41
Aug 23 17:11:38 gateway kernel: FORWARD packet died: IN=eth0 OUT=eth0 SRC=192.168.0.151 DST=195.219.14.20 LEN=61 TOS=0x00 PREC=0x00 TTL=63 ID=38528 PROTO=UDP SPT=1092 DPT=53 LEN=41
Aug 23 17:11:56 gateway kernel: FORWARD packet died: IN=eth0 OUT=eth0 SRC=192.168.0.151 DST=195.219.14.20 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=38624 PROTO=UDP SPT=1092 DPT=53 LEN=44
Aug 23 17:11:57 gateway kernel: FORWARD packet died: IN=eth0 OUT=eth0 SRC=192.168.0.151 DST=195.219.14.20 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=38625 PROTO=UDP SPT=1092 DPT=53 LEN=44
Aug 23 17:11:58 gateway kernel: FORWARD packet died: IN=eth0 OUT=eth0 SRC=192.168.0.151 DST=195.219.14.20 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=38626 PROTO=UDP SPT=1092 DPT=53 LEN=44

Last edited by thomaspsimon; 08-23-2007 at 09:38 AM.
 
Old 08-23-2007, 09:44 AM   #6
thomaspsimon
LQ Newbie
 
Registered: Jun 2007
Posts: 23

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by muha View Post
What about my other suggestions? Are you getting any DROPs or hits on any rules?

Hi muha,

I got more logs as follows..

Aug 23 17:45:53 gateway kernel: IN=eth0 OUT= MAC=00:19:5b:7e:dd:72:00:04:75:e3:d7:86:08:00 SRC=192.168.0.151 DST=192.168.0.155 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44377 DF PROTO=TCP SPT=1734 DPT=110 WINDOW=65535 RES=0x00 SYN URGP=0
Aug 23 17:45:53 gateway kernel: IN=eth0 OUT=eth1 SRC=192.168.0.151 DST=10.4.0.100 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=44377 DF PROTO=TCP SPT=1734 DPT=110 WINDOW=65535 RES=0x00 SYN URGP=0
Aug 23 17:45:56 gateway kernel: IN=eth0 OUT=eth1 SRC=192.168.0.151 DST=10.4.0.100 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=44389 DF PROTO=TCP SPT=1734 DPT=110 WINDOW=65535 RES=0x00 SYN URGP=0
Aug 23 17:46:02 gateway kernel: IN=eth0 OUT=eth1 SRC=192.168.0.151 DST=10.4.0.100 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=44445 DF PROTO=TCP SPT=1734 DPT=110 WINDOW=65535 RES=0x00 SYN URGP=0

Is there anything wrong from these ?

I changed the script as follows to add the LOG

# Generated by iptables-save v1.3.7 on Thu Aug 23 17:42:49 2007
*mangle
:PREROUTING ACCEPT [34:4503]
:INPUT ACCEPT [1472:120318]
:FORWARD ACCEPT [3:156]
:OUTPUT ACCEPT [20:2936]
:POSTROUTING ACCEPT [1163:238762]
COMMIT
# Completed on Thu Aug 23 17:42:49 2007
# Generated by iptables-save v1.3.7 on Thu Aug 23 17:42:49 2007
*nat
:PREROUTING ACCEPT [11:2959]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 110 -j LOG
-A PREROUTING -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 10.4.0.100:110
-A POSTROUTING -o eth0 -j SNAT --to-source 192.168.0.155
COMMIT
# Completed on Thu Aug 23 17:42:49 2007
# Generated by iptables-save v1.3.7 on Thu Aug 23 17:42:49 2007
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [4:904]
:bad_packets - [0:0]
:bad_tcp_packets - [0:0]
:icmp_packets - [0:0]
:tcp_inbound - [0:0]
:tcp_outbound - [0:0]
:udp_inbound - [0:0]
:udp_outbound - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j bad_packets
-A INPUT -d 224.0.0.1 -j DROP
-A INPUT -s 10.4.0.0/255.255.0.0 -i eth1 -j ACCEPT
-A INPUT -d 10.4.255.255 -i eth1 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -j tcp_inbound
-A INPUT -i eth0 -p udp -j udp_inbound
-A INPUT -i eth0 -p icmp -j icmp_packets
-A INPUT -m pkttype --pkt-type broadcast -j DROP
-A INPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "INPUT packet died: "
-A FORWARD -j bad_packets
-A FORWARD -i eth1 -p tcp -j tcp_outbound
-A FORWARD -i eth1 -p udp -j udp_outbound
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.4.0.100 -i eth0 -p tcp -m tcp --dport 110 -j LOG
-A FORWARD -d 10.4.0.100 -i eth0 -p tcp -m tcp --dport 110 -j ACCEPT
-A FORWARD -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "FORWARD packet died: "
-A OUTPUT -p icmp -m state --state INVALID -j DROP
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 10.4.0.177 -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "OUTPUT packet died: "
-A bad_packets -s 10.4.0.0/255.255.0.0 -i eth0 -j LOG --log-prefix "Illegal source: "
-A bad_packets -s 10.4.0.0/255.255.0.0 -i eth0 -j DROP
-A bad_packets -m state --state INVALID -j LOG --log-prefix "Invalid packet: "
-A bad_packets -m state --state INVALID -j DROP
-A bad_packets -p tcp -j bad_tcp_packets
-A bad_packets -j RETURN
-A bad_tcp_packets -i eth1 -p tcp -j RETURN
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "New not syn: "
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A bad_tcp_packets -p tcp -j RETURN
-A icmp_packets -p icmp -f -j LOG --log-prefix "ICMP Fragment: "
-A icmp_packets -p icmp -f -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A icmp_packets -p icmp -j RETURN
-A tcp_inbound -p tcp -m tcp --dport 80 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 25 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 110 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 143 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 469 -j ACCEPT
-A tcp_inbound -p tcp -j RETURN
-A tcp_outbound -p tcp -j ACCEPT
-A udp_inbound -p udp -m udp --dport 137 -j DROP
-A udp_inbound -p udp -m udp --dport 138 -j DROP
-A udp_inbound -p udp -j RETURN
-A udp_outbound -p udp -j ACCEPT
COMMIT
# Completed on Thu Aug 23 17:42:49 2007

Last edited by thomaspsimon; 08-23-2007 at 09:51 AM.
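As an added example (not code from either poster), a short Python script that parses netfilter LOG lines of the kind posted in #5 and #6 and groups them per flow: for the same SPT, the record with OUT empty and DST=192.168.0.155 comes from the nat PREROUTING LOG rule (before DNAT) and the records with OUT=eth1 and DST=10.4.0.100 from the FORWARD LOG rule (after DNAT), so together they show the rewrite and the forward both happened, while fresh IP IDs on repeated SYNs show no SYN-ACK ever got back to the client. The "FORWARD packet died" lines from #5 are classified too. Sample lines are quoted from the two posts; the function names are mine.

```python
"""Trace DNAT'd flows through netfilter LOG output (added example, not the posters' code)."""
from collections import defaultdict

# Kernel log lines quoted from posts #5 and #6 of this thread. The nat PREROUTING LOG rule
# has no --log-prefix; the FORWARD catch-all logs with "FORWARD packet died: ".
LOG_LINES = """\
Aug 23 17:09:54 gateway kernel: FORWARD packet died: IN=eth0 OUT=eth0 SRC=192.168.0.151 DST=195.219.14.20 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=37785 PROTO=UDP SPT=1092 DPT=53 LEN=44
Aug 23 17:10:49 gateway kernel: FORWARD packet died: IN=eth0 OUT=eth0 SRC=192.168.0.151 DST=195.219.14.20 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=38071 PROTO=UDP SPT=1092 DPT=53 LEN=44
Aug 23 17:11:21 gateway kernel: host 192.168.0.151/if3 ignores redirects for 195.219.14.20 to 192.168.0.15.
Aug 23 17:45:53 gateway kernel: IN=eth0 OUT= MAC=00:19:5b:7e:dd:72:00:04:75:e3:d7:86:08:00 SRC=192.168.0.151 DST=192.168.0.155 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44377 DF PROTO=TCP SPT=1734 DPT=110 WINDOW=65535 RES=0x00 SYN URGP=0
Aug 23 17:45:53 gateway kernel: IN=eth0 OUT=eth1 SRC=192.168.0.151 DST=10.4.0.100 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=44377 DF PROTO=TCP SPT=1734 DPT=110 WINDOW=65535 RES=0x00 SYN URGP=0
Aug 23 17:45:56 gateway kernel: IN=eth0 OUT=eth1 SRC=192.168.0.151 DST=10.4.0.100 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=44389 DF PROTO=TCP SPT=1734 DPT=110 WINDOW=65535 RES=0x00 SYN URGP=0
Aug 23 17:46:02 gateway kernel: IN=eth0 OUT=eth1 SRC=192.168.0.151 DST=10.4.0.100 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=44445 DF PROTO=TCP SPT=1734 DPT=110 WINDOW=65535 RES=0x00 SYN URGP=0
"""


def parse_log_line(line):
    """Parse one netfilter LOG record into a dict; return None for other kernel messages."""
    head, sep, body = line.partition("kernel: ")
    if not sep or "IN=" not in body:
        return None  # the "ignores redirects" message is not a LOG record
    prefix, _, fields = body.partition("IN=")
    rec = {"ts": head.strip(), "prefix": prefix.rstrip(": "), "flags": set()}
    for tok in ("IN=" + fields).split():
        key, eq, val = tok.partition("=")
        if eq:
            rec.setdefault(key, val)  # LEN appears twice (IP, then UDP); keep the IP one
        else:
            rec["flags"].add(tok)  # bare tokens such as DF, SYN, ACK
    return rec


def flow_key(rec):
    """Identify a flow by protocol, client address and ports. DST is deliberately left
    out: DNAT rewrites it between the PREROUTING and FORWARD log points."""
    return (rec["PROTO"], rec["SRC"], rec.get("SPT"), rec.get("DPT"))


def classify(recs):
    """Explain what the box did with one flow, from its log records alone."""
    dropped = [r for r in recs if r["prefix"].endswith("packet died")]
    pre = [r for r in recs if r["OUT"] == ""]  # OUT unset: logged before routing (PREROUTING)
    fwd = [r for r in recs if r["OUT"] != ""]  # OUT set: logged in FORWARD, after DNAT
    verdict = {"records": len(recs), "dropped": len(dropped)}
    if dropped and all(r["IN"] == r["OUT"] for r in dropped):
        # The client sent traffic for beyond its own segment through this box, which
        # would have to send it straight back out eth0; FORWARD only admits eth0 traffic
        # that is ESTABLISHED or the DNAT'd port, so the catch-all logged and dropped it.
        verdict["status"] = "hairpin-dropped"
    elif dropped:
        verdict["status"] = "dropped"
    elif pre and fwd and pre[0]["DST"] != fwd[0]["DST"]:
        verdict["status"] = "dnat-forwarded"
        verdict["dnat"] = (pre[0]["DST"], fwd[0]["DST"], fwd[0]["OUT"])
        # A client re-sends SYN only when no SYN-ACK (or RST) reached it, so the distinct
        # IP IDs of forwarded SYNs count the retransmissions.
        syn_ids = {r["ID"] for r in fwd if "SYN" in r["flags"] and "ACK" not in r["flags"]}
        verdict["syn_retransmits"] = max(len(syn_ids) - 1, 0)
        if verdict["syn_retransmits"]:
            verdict["status"] = "dnat-forwarded-no-reply"
    else:
        verdict["status"] = "seen"
    return verdict


def trace_flows(lines):
    """Group LOG records by flow and classify each one."""
    flows = defaultdict(list)
    for line in lines:
        rec = parse_log_line(line)
        if rec is not None:
            flows[flow_key(rec)].append(rec)
    return {key: classify(recs) for key, recs in flows.items()}


HINTS = {
    "hairpin-dropped": "not a DNAT problem: IN == OUT, the client routes this via the box",
    "dnat-forwarded-no-reply": "DNAT and FORWARD worked, but no reply reached the client: "
                               "check the server's route back and tcpdump on eth1",
    "dnat-forwarded": "DNAT and FORWARD both worked",
    "dropped": "dropped by the filter table",
    "seen": "logged, nothing conclusive",
}

if __name__ == "__main__":
    for key, v in trace_flows(LOG_LINES.splitlines()).items():
        print("%s %s:%s -> port %s: %s" % (key[0], key[1], key[2], key[3], v["status"]))
        print("   %s %s" % (HINTS[v["status"]], v.get("dnat", "")))
```

Feed it `dmesg` or the kernel log of a box whose rules carry LOG targets at the same two points; the FORWARD LOG rule must sit before the ACCEPT, as in post #6, or the forwarded SYNs never appear.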
 
Old 08-23-2007, 10:19 AM   #7
muha
Member
 
Registered: Nov 2005
Distribution: xubuntu, grml
Posts: 451

Rep: Reputation: 30
I'm not sure if iptables is blocking you in any way. Have you tried connecting when iptables is disabled? Is that possible to test at all?
I suppose your network is connected to the internet on the firewall? On which interface?
Also: are you absolutely sure that all net.ipv4.ip_forward options in /proc/sys/net/ are enabled for this specific interface? Pay attention, because they may have to be enabled per interface.

Quote:
Originally Posted by thomaspsimon View Post
If that was the case it would not have got connected when I change the destination IP from the 10.4. series to an eth0 series IP, say 192.168.0.159.
That depends on the settings on the switch that is in between the two boxes you mention.
If the switch does the routing for you, the firewall (iptables) is not involved at all ...

It seems like you are getting hits on this one:
-A PREROUTING -i eth0 -p tcp -m tcp --dport 110 -j LOG

Now check iptables with the following command (a couple times) to see if this rulecounter is increasing:
-A PREROUTING -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 10.4.0.100:110
The command you need is: iptables -L -nv
That should give you a counter in front of this rule.
Maybe this is easier: iptables -L -nv|grep 110
In the meantime try to connect to the mailserver, duh.
But also look at the first one because else you might miss things. Good luck!

Last edited by muha; 08-23-2007 at 10:36 AM.
 
Old 08-23-2007, 02:28 PM   #8
thomaspsimon
LQ Newbie
 
Registered: Jun 2007
Posts: 23

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by muha View Post
I'm not sure if iptables is blocking you in any way. Have you tried connecting when iptables is disabled? Is that possible to test at all?
I suppose your network is connected to the internet on the firewall? On which interface?
Also: are you absolutely sure that all net.ipv4.ip_forward options in /proc/sys/net/ are enabled for this specific interface? Pay attention, because they may have to be enabled per interface.
Hi muha,

My actual intention is that the POP3 (110) traffic reaching eth0 of the linux gateway (192.168.0.155) is to be forwarded to a mail server (10.4.0.100) which is connected to the internal (eth1 of the linux box) network only.

I am planning to connect the internet to the eth0 side switch of the linux box. And my ADSL router, which has a static public IP, will forward any traffic for port 110 to the eth0 interface of the linux box; thereafter the linux box's DNAT will forward the same traffic to 10.4.0.100 at 110 and as a result I can download my mails from anywhere outside.

So the setup which is shown in the embedded image is for testing purposes only, i.e. if I am able to reach 10.4.0.100 at 110 from my PC (please refer to the pic) I will be able to reach the same from outside also just by connecting the ADSL router to the eth0 side switch.

Also the switches I am using are simple 8 port switches which are not doing any kind of routing or forwarding.

Please note that the command I am trying to test the setup with is

telnet 192.168.0.155 110

This command succeeds when the DNAT is pointed to 192.168.0.159 and fails when it is pointed to 10.4.0.100. More precisely, I hope the ip_forwarding from eth0 to eth1 is not happening properly.

If I try to ping my PC from 10.4.0.100 it succeeds, and at the same time if I try to ping 10.4.0.100 from my PC it fails. That means in the linux box ip_forwarding from eth1 to eth0 is happening and the reverse is not.

And most probably that must be the reason I am not able to reach 10.4.0.100 at port 110 from my PC.

You can see the actual script I generated through Easy Firewall here

Thanks for your great help !!!
 
Old 08-24-2007, 02:46 AM   #9
muha
Member
 
Registered: Nov 2005
Distribution: xubuntu, grml
Posts: 451

Rep: Reputation: 30
Quote:
Originally Posted by thomaspsimon View Post
If I try to ping my PC from 10.4.0.100 it succeeds, and at the same time if I try to ping 10.4.0.100 from my PC it fails. That means in the linux box ip_forwarding from eth1 to eth0 is happening and the reverse is not.

And most probably that must be the reason I am not able to reach 10.4.0.100 at port 110 from my PC.

You can see the actual script I generated through Easy Firewall here

Thanks for your great help !!!
No problem.
Next time: remember to start at the bottom and work your way up.
If possible: always try to confirm whether basic connectivity is working ok.
Cya!
 
Old 08-24-2007, 03:46 AM   #10
thomaspsimon
LQ Newbie
 
Registered: Jun 2007
Posts: 23

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by muha View Post
No problem.
Next time: remember to start at the bottom and work your way up.
If possible: always try to confirm whether basic connectivity is working ok.
Cya!
Hi muha,

I hope you didn't get what I was trying to explain. Basic connectivity is OK, that is why I am able to ping 192.168.0.159 and 192.168.0.151 from the mail server 10.4.0.100.

The reverse connectivity is the one which is not happening. The IP forwarding from eth0 to eth1 is not happening, I think. How to make it happen? Please refer to the actual script I attached in my previous post.

The issue still remains the same..

Last edited by thomaspsimon; 08-24-2007 at 03:48 AM.
 
Old 08-24-2007, 04:56 AM   #11
muha
Member
 
Registered: Nov 2005
Distribution: xubuntu, grml
Posts: 451

Rep: Reputation: 30
We think forwarding settings might be the problem.
First you need to find what forwarding settings you actually can set in /proc.
Last time I checked they were (also) specified per interface.
Try to find all your forward options; off the top of my head you might find them with:
ls /proc/sys/net/ipv4/*forward*
also:
>I'm not sure if iptables is blocking you in any way. Have you tried connecting when iptables is disabled? Is that possible to test at all?
 
Old 08-24-2007, 05:53 AM   #12
thomaspsimon
LQ Newbie
 
Registered: Jun 2007
Posts: 23

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by muha View Post
We think forwarding settings might be the problem.
First you need to find what forwarding settings you actually can set in /proc.
Last time I checked they were (also) specified per interface.
Try to find all your forward options; off the top of my head you might find them with:
ls /proc/sys/net/ipv4/*forward*
also:
>I'm not sure if iptables is blocking you in any way. Have you tried connecting when iptables is disabled? Is that possible to test at all?
Hi muha,

Ok, I disabled all the firewalls and added the command ' echo "1" > /proc/sys/net/ipv4/ip_forward ' to my /etc/rc.local file and rebooted the box.

Now first of all I connected one PC (Ip=10.4.0.102 and gw=10.4.0.177) to the linux box's eth1 side switch and tried to ping 10.4.0.177 -> result success.

Again tried to ping 192.168.0.155 -> result success.
Again tried to ping 192.168.0.151 -> result success.
Again tried to ping 192.168.0.159 -> result success.

That is, port forwarding from eth1 to eth0 is working perfectly.

Now secondly I connected the PC (Ip=192.168.0.160 and gw=192.168.0.155) to the linux box's eth0 side switch and tried to ping 192.168.0.155 -> result success.

Again tried to ping 10.4.0.177 -> result success.
Again tried to ping 10.4.0.100 -> result fail.
Again tried to ping 10.4.63.1 (a printer, not in pic) -> result fail.

That is, no port forwarding from eth0 to eth1 of the linux box.

Gateway of the eth0 interface is 192.168.0.15 (IP of my ADSL router, which is not mentioned in the picture I attached)

Gateway of the eth1 interface is blank now, but I tried adding 192.168.0.155 with no success.

Now the ipv4 files:

/proc/sys/net/ipv4/ip_forward - 1
/proc/sys/net/ipv4/conf/eth0/forwarding - 1
/proc/sys/net/ipv4/conf/eth1/forwarding - 1
/proc/sys/net/ipv4/conf/all/forwarding - 1
/proc/sys/net/ipv4/conf/default/forwarding - 1

/proc/sys/net/ipv4/mc_forwarding - 0
/proc/sys/net/ipv4/conf/eth0/mc_forwarding - 0
/proc/sys/net/ipv4/conf/eth1/mc_forwarding - 0
/proc/sys/net/ipv4/conf/all/mc_forwarding - 0
/proc/sys/net/ipv4/conf/default/mc_forwarding - 0

Hope the picture is more clear now.

Thanks

Last edited by thomaspsimon; 08-24-2007 at 05:59 AM.
 
Old 08-24-2007, 10:34 AM   #13
muha
Member
 
Registered: Nov 2005
Distribution: xubuntu, grml
Posts: 451

Rep: Reputation: 30
Quote:
Originally Posted by thomaspsimon View Post
Now secondly I connected the PC (Ip=192.168.0.160 and gw=192.168.0.155) to the linux box's eth0 side switch and tried to ping 192.168.0.155 -> result success.
You mean:
PC(Ip=192.168.0.151 and gw=192.168.0.155)
Right?

- Do you need the switches in between, while you're testing? They might complicate things ..
(I would not expect so but hey)
- please post the result of route -n from the linux box
- what is the result from ifconfig on the linux box?
- the last ping results have nothing to do with port forwarding but rather subnet routing
- What is the result of a ping from 10.4.0.177 to 10.4.0.100 ?
I'm thinking that 10.4.0.100 might not reply to icmp packets?
- where were you pinging from?

Quote:
Originally Posted by thomaspsimon View Post
Gateway of eth0 interface is 192.168.0.15(IP of my ADSL router which is not mentioned in the picture i attached)

Gateway of eth1 interface is blank now,but tried adding 192.168.0.155 with no success.
This I don't understand
Is this on the linux box? Or on your pc?

Last edited by muha; 08-24-2007 at 10:48 AM.
 
Old 08-24-2007, 12:20 PM   #14
thomaspsimon
LQ Newbie
 
Registered: Jun 2007
Posts: 23

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by muha View Post
You mean:
PC(Ip=192.168.0.151 and gw=192.168.0.155)
Right?
No, it is another Windows PC I used for the last ping test.

Quote:
Originally Posted by muha View Post
- Do you need the switches in between, while you're testing? They might complicate things ..
(I would not expect so but hey)
How can I use multiple PCs without a switch? These are simple 8 port 3Com switches. There are two, one for the 192.168.0.0/24 network and the other for the 10.4.0.0/16 network. The linux box exists in between these two as a gateway. Please refer to this image.

Quote:
Originally Posted by muha View Post
- please post the result of route -n from the linux box
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.4.0.0        0.0.0.0         255.255.0.0     U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
20.0.0.0        10.0.0.254      255.0.0.0       UG    0      0        0 eth1
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 eth1
0.0.0.0         192.168.0.15    0.0.0.0         UG    0      0        0 eth0

Quote:
Originally Posted by muha View Post
- what is the result from ifconfig on the linux box?
eth0      Link encap:Ethernet  HWaddr 00:19:5B:7E:DD:72
          inet addr:192.168.0.155  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::219:5bff:fe7e:dd72/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:19209 errors:0 dropped:0 overruns:0 frame:0
          TX packets:18772 errors:0 dropped:0 overruns:0 carrier:0
          collisions:55 txqueuelen:1000
          RX bytes:8313108 (7.9 MiB)  TX bytes:1907497 (1.8 MiB)
          Interrupt:22 Base address:0xc000

eth1      Link encap:Ethernet  HWaddr 00:09:6B:85:0B:4F
          inet addr:10.4.0.177  Bcast:10.4.255.255  Mask:255.255.0.0
          inet6 addr: fe80::209:6bff:fe85:b4f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:319358 errors:0 dropped:0 overruns:0 frame:0
          TX packets:20121 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:39129871 (37.3 MiB)  TX bytes:3785130 (3.6 MiB)

eth1:0    Link encap:Ethernet  HWaddr 00:09:6B:85:0B:4F
          inet addr:10.0.0.19  Bcast:10.255.255.255  Mask:255.0.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1077 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1077 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:101803 (99.4 KiB)  TX bytes:101803 (99.4 KiB)

Quote:
Originally Posted by muha View Post
- the last ping results has nothing to do with port forwarding but rather subnet routing
- What is the result of a ping from 10.4.0.177 to 10.4.0.100 ?
I'm thinking that 10.4.0.100 might not reply to icmp packets?
- where were you pinging from?
Yes, the result of a ping from 10.4.0.177 to 10.4.0.100 is success.
10.4.0.100 is replying to ICMP requests.
But from the 192.168.0.0/24 network I am not able to reach any of the 10.4.0.0/16 network PCs or printers. But the reverse is happening. I am able to ping any of the 192.168.0.0/24 PCs from the 10.4.0.0/16 network. This is happening through the gateway linux box only when /proc/sys/net/ipv4/ip_forward is set to 1.

Quote:
Originally Posted by muha View Post
This I don't understand
Is this on the linux box? Or on your pc?
Yeah, there is only one linux box in the entire network, which is the one I mentioned in the picture at the middle. So there is no confusion. All others are Windows PCs, printers or mail servers.
192.168.0.15 is the ADSL modem/router through which only people from the 10.4.0.0/16 network are going to get the internet, i.e. only through the gateway linux box. So the gateway of eth0 should be 192.168.0.15, right?

Last edited by thomaspsimon; 08-24-2007 at 12:40 PM.
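Added example (not from either poster): the lookup the kernel performs over the route -n table quoted above, written as a longest-prefix match, to show why a packet from the PC for 10.4.0.100 leaves on eth1 (the /16 beats the overlapping /8) while one for 195.219.14.20, like the DNS queries logged in #5, goes out the default route on eth0 again, which the FORWARD chain then drops. The table is copied from the post; the function names are mine.

```python
"""Longest-prefix route lookup over the route -n table posted above (added example)."""
import ipaddress

# The routing table quoted from the post, unchanged.
ROUTE_N = """\
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.4.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
20.0.0.0 10.0.0.254 255.0.0.0 UG 0 0 0 eth1
10.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 eth1
0.0.0.0 192.168.0.15 0.0.0.0 UG 0 0 0 eth0
"""


def parse_route_n(text):
    """Turn route -n output into (network, gateway-or-None, iface) tuples."""
    routes = []
    for line in text.splitlines()[1:]:  # skip the header row
        dest, gw, mask, _flags, _metric, _ref, _use, iface = line.split()
        net = ipaddress.IPv4Network((dest, mask))
        routes.append((net, None if gw == "0.0.0.0" else ipaddress.IPv4Address(gw), iface))
    return routes


def lookup(routes, dst):
    """Select the route the kernel would: the most specific matching prefix wins, so
    10.4.0.100 goes to 10.4.0.0/16 on eth1 even though 10.0.0.0/8 also matches."""
    dst = ipaddress.IPv4Address(dst)
    best = None
    for net, gw, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best


def forward_decision(routes, in_iface, dst):
    """Where a packet arriving on in_iface for dst leaves the box. out == in_iface is the
    hairpin case that the FORWARD chain in this thread logs as "packet died"."""
    net, gw, out = lookup(routes, dst)
    return {"route": str(net), "via": str(gw) if gw else "direct", "out": out,
            "hairpin": out == in_iface}


if __name__ == "__main__":
    table = parse_route_n(ROUTE_N)
    for dst in ("10.4.0.100", "195.219.14.20", "10.0.0.19"):
        print(dst, forward_decision(table, "eth0", dst))
```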
 
Old 08-24-2007, 03:36 PM   #15
muha
Member
 
Registered: Nov 2005
Distribution: xubuntu, grml
Posts: 451

Rep: Reputation: 30
@ default gateway 192.168.0.15: yes, that's right.
I'm a bit stumped, because your config looks OK to me at first glance.
Although I might be missing things atm. Maybe someone else can have a look as well ....

Let's try something else. If you are pinging from 192.168.0.151 to 10.4.0.177 you should be able to tcpdump the packets on the linux box. First they come in on eth0, they get a reply at eth1 and return through eth0 to 192.168.0.151.
Try to see the incoming icmp and reply with something like:
tcpdump -pv -i eth1

If you can see that, you should also be able to see the same when pinging 192.168.0.151 to 10.4.0.100 with the same tcpdump.
Post the result of the last one if you have trouble understanding it.
- You are not using ipsec by any chance are you? I mean vpn tunnels on this lan?

Last edited by muha; 08-26-2007 at 10:54 AM.
 
  

