LinuxQuestions.org
02-28-2009, 05:18 PM   #1
MikeyCarter (Member; Distribution: Fedora)
NAT Forwarding not working.


OK, what am I missing? Outbound routing seems to be working. Inbound forwarding is only working for port 8015.

When I try to connect to port 80 it just times out. I'm running Fedora 10 if it helps.

Code:
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Log every packet traversing each nat chain (noisy; diagnostic only)
-A PREROUTING -j LOG
-A OUTPUT -j LOG
-A POSTROUTING -j LOG

# Outbound: rewrite LAN source addresses to the ppp link's address
-A POSTROUTING -o ppp+ -j MASQUERADE
# Inbound port forwards from the external (ppp) side to LAN hosts;
# 8015 and 1521 are only forwarded for one external source address
-A PREROUTING -i ppp+ -p tcp --dport 80   -j DNAT --to 172.29.0.21
-A PREROUTING -i ppp+ -p tcp --dport 8015 -j DNAT --to 172.29.0.24    -s 67.55.0.105
-A PREROUTING -i ppp+ -p tcp --dport 1521 -j DNAT --to 172.29.0.22    -s 67.55.0.105
-A PREROUTING -i ppp+ -p tcp --dport 85   -j DNAT --to 172.29.0.20:80
-A PREROUTING -i ppp+ -p tcp --dport 5222 -j DNAT --to 172.29.0.23
-A PREROUTING -i ppp+ -p tcp --dport 5269 -j DNAT --to 172.29.0.23

COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Log every packet traversing each filter chain (noisy; diagnostic only)
-A INPUT -j LOG
-A FORWARD -j LOG
-A OUTPUT -j LOG

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Anything arriving from the LAN side is accepted by the firewall host itself
-A INPUT -i eth0 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 1194 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# Note: this rule matches every packet conntrack classes as NEW, ESTABLISHED
# or RELATED, so only INVALID packets ever reach the FORWARD rules below it
-A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
# LAN-to-LAN hairpin through the firewall is dropped; LAN-to-anywhere-else is allowed
-A FORWARD -i eth0 -d 172.29.0.0/24        -j DROP
-A FORWARD -i eth0 -s 172.29.0.0/24 -p all -j ACCEPT
# External side: allow anything already DNATed to a LAN address, then the
# per-service forwards matching the DNAT targets above
-A FORWARD -i ppp+ -d 172.29.0.0/24        -j ACCEPT
-A FORWARD -i ppp+ -p tcp -d 172.29.0.21 --dport 80   -j ACCEPT
-A FORWARD -i ppp+ -p tcp -d 172.29.0.24 --dport 8015 -j ACCEPT
-A FORWARD -i ppp+ -p tcp -d 172.29.0.22 --dport 1521 -j ACCEPT
-A FORWARD -i ppp+ -p tcp -d 172.29.0.20 --dport 80   -j ACCEPT
-A FORWARD -i ppp+ -p tcp -d 172.29.0.23 --dport 5222 -j ACCEPT
-A FORWARD -i ppp+ -p tcp -d 172.29.0.23 --dport 5269 -j ACCEPT

# Everything else reaching the firewall from the external side is rejected
-A INPUT -i ppp+ -j REJECT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
 
03-03-2009, 05:56 PM   #2
dkm999 (Member; Distribution: Fedora)
Are you sure that the incoming port 80 packets are not making it through the firewall? If they arrive on the interface ppp+, they should be sent on. It is possible that the return packet is not being handled right, leading to a timeout just as if the incoming packet had not been forwarded.

To distinguish the different cases, I recommend using tcpdump to trace the packets with source or destination port 80 on the local side of the firewall. I am guessing from your script that the ppp+ interface is the one that connects externally (and on which the timeouts are observed), and that the actual web server is on another machine attached to eth0. If that is so, trace packets on eth0.

Another hint may be gleaned by looking at the packet counts for the rules in the FORWARD chain, using the command
Code:
# iptables -nvL FORWARD
If these counts increase (e.g., on the DROP rules), that might indicate what is happening as well.
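The two checks dkm999 suggests (a tcpdump on the LAN side and a before/after comparison of the FORWARD counters) can be scripted so the counter comparison is mechanical rather than read by eye. The script below is an added example and not part of the thread; it assumes `iptables -nvL FORWARD --line-numbers` output in the standard column layout (rule number, pkts, bytes, target, ...), and the two snapshots embedded in it are constructed for offline demonstration, not taken from the poster's firewall. In the scenario the original poster later describes (LAN hosts replying via the old router), the expected picture is that the LOG and state-ACCEPT counters move while nothing in the DROP or REJECT rules does, and tcpdump on eth0 shows the SYN leaving toward 172.29.0.21 with no SYN/ACK returning through this box.

```shell
#!/bin/sh
# Added example (not from the thread): compare two snapshots of the FORWARD
# chain and list the rules whose packet counters grew between them.
# Real usage on the firewall, as root:
#   iptables -nvL FORWARD --line-numbers > /tmp/fwd.before
#   ... reproduce the port-80 connection attempt from outside ...
#   iptables -nvL FORWARD --line-numbers > /tmp/fwd.after
#   counter_delta /tmp/fwd.before /tmp/fwd.after
# Pair it with a capture on the LAN side to see whether the SYN leaves
# and whether the SYN/ACK ever comes back through this box:
#   tcpdump -ni eth0 'tcp port 80 and host 172.29.0.21'

# Print every rule whose packet counter increased between two snapshots.
# Arguments: $1 = earlier snapshot file, $2 = later snapshot file.
counter_delta() {
    awk '
        # Rule rows begin with the rule number; "Chain" and header rows do not.
        $1 ~ /^[0-9]+$/ {
            if (NR == FNR) { before[$1] = $2; next }   # first file: remember pkts
            delta = $2 - before[$1]                    # second file: compare
            if (delta > 0) {
                rule = ""
                for (i = 4; i <= NF; i++) rule = rule " " $i   # target ... match text
                printf "rule %s: +%d pkts%s\n", $1, delta, rule
            }
        }
    ' "$1" "$2"
}

# Constructed sample snapshots; the real output of
# `iptables -nvL FORWARD --line-numbers` has the same column layout.
SAMPLE_BEFORE='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       40  2400 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
2       35  2100 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW,RELATED,ESTABLISHED
3        0     0 DROP       all  --  eth0   *       0.0.0.0/0            172.29.0.0/24
4        0     0 ACCEPT     tcp  --  ppp+   *       0.0.0.0/0            172.29.0.21          tcp dpt:80'

SAMPLE_AFTER='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       43  2580 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
2       38  2280 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW,RELATED,ESTABLISHED
3        0     0 DROP       all  --  eth0   *       0.0.0.0/0            172.29.0.0/24
4        0     0 ACCEPT     tcp  --  ppp+   *       0.0.0.0/0            172.29.0.21          tcp dpt:80'

# Write the constructed snapshots to temp files, run the comparison, clean up.
demo() {
    b=$(mktemp) ; a=$(mktemp)
    printf '%s\n' "$SAMPLE_BEFORE" > "$b"
    printf '%s\n' "$SAMPLE_AFTER"  > "$a"
    counter_delta "$b" "$a"
    rm -f "$b" "$a"
}

demo
```

With the constructed snapshots the script reports only rules 1 and 2 (three new packets each, the SYN retransmits): the packets are being forwarded, nothing is hitting DROP, so the problem has to be on the return path rather than in the filter, which is exactly the distinction dkm999 is asking the poster to make.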
 
03-04-2009, 10:35 AM   #3
MikeyCarter (Original Poster)
I found it.

I had both routers set up so I could test. Seems that the internal machines had a default route of 172.29.0.2 (the old router), so the packets were coming in and forwarding OK but getting lost on the return flight.

Thanks anyways.