LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 12-13-2011, 04:18 AM   #1
vador13
LQ Newbie
 
Registered: Dec 2011
Posts: 9

Rep: Reputation: Disabled
Problem with Port forwarding (IPTables)


Hi all,

I have a machine which I am using as an internet (via ppp0) and DHCP server (via eth0) (Debian 6.0.3). IP: 192.168.2.1


I have another machine connected to the server with IP: 192.168.2.167

I want to forward the internal port 16000 of the 192.168.2.167 to the external port 13201 of the ppp0 (external and dynamic ip).

I tried the following command:
#iptables -A PREROUTING -t nat -i ppp0 -p tcp --dport 13201 -j DNAT --to 192.168.2.107:16000

and

iptables -A FORWARD -p tcp -d 192.168.2.107 --dport 16000 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


In the Nat table, I have:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:13201 to:192.168.2.107:16000

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination


IPTABLES:

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere moon.local tcp dpt:16000 state NEW,RELATED,ESTABLISHED

However, when I try the external IP with port 13201, or use nmap to look up the external IP, I can't see port 13201 open or use it. I also have dnsmasq; I think that's why iptables puts the domain as moon.local (192.168.2.107).

Can someone help me understand why the port is not forwarding?

Thanks for your help!
 
Old 12-13-2011, 07:24 AM   #2
goossen
Member
 
Registered: May 2006
Location: Bayern, Germany
Distribution: Many
Posts: 224

Rep: Reputation: 41
Is your destination 192.168.2.107 or 192.168.2.1?
 
Old 12-13-2011, 07:28 AM   #3
vador13
LQ Newbie
 
Registered: Dec 2011
Posts: 9

Original Poster
Rep: Reputation: Disabled
Hi,

My destination is the ip given by ppp0 (a dynamic ip given by the ISP).

The network structure is like this:

Machine A (also has a dhcp server):
- ppp0 dynamic ip
- eth0 192.168.2.1

Machine B:
- eth0 192.168.2.107

I want to forward port 16000 of 192.168.2.107 to port 13201 of the dynamic ip given by ppp0



Thanks.
 
Old 12-13-2011, 07:49 AM   #4
goossen
Member
 
Registered: May 2006
Location: Bayern, Germany
Distribution: Many
Posts: 224

Rep: Reputation: 41
Try with this:

Code:
# Forward port 13201 to LAN
iptables -A PREROUTING -t nat -i ppp0 -p tcp --dport 13201 -j DNAT --to 192.168.2.107:16000

# Give Internet access to LAN IP
iptables -A POSTROUTING -t nat -s 192.168.2.107 -o ppp0 -j MASQUERADE

# Enable IP Forward
echo 1 > /proc/sys/net/ipv4/ip_forward
You don't need the FORWARD rule because your default policy is ACCEPT.
 
Old 12-13-2011, 08:16 AM   #5
vador13
LQ Newbie
 
Registered: Dec 2011
Posts: 9

Original Poster
Rep: Reputation: Disabled
Hi,

First of all, thanks for helping me, goossen.

I want to pass the internet through 192.168.2.1.

That's why I have masqueraded ppp0 with 192.168.2.1, which serves internet to 192.168.2.107 (that's working).

What I want is just to forward the port 192.168.2.107:16000 to ppp0:13201.

I tried your command:
iptables -A PREROUTING -t nat -i ppp0 -p tcp --dport 13201 -j DNAT --to 192.168.2.107:16000

But still no go (the port is closed).
 
Old 12-13-2011, 08:26 AM   #6
lithos
Senior Member
 
Registered: Jan 2010
Location: SI : 45.9531, 15.4894
Distribution: CentOS, OpenNA/Trustix, testing desktop openSuse 12.1 /Cinnamon/KDE4.8
Posts: 1,144

Rep: Reputation: 217
Well, always do the
Code:
# service iptables restart
in case you maybe missed that.
 
Old 12-13-2011, 10:12 AM   #7
vador13
LQ Newbie
 
Registered: Dec 2011
Posts: 9

Original Poster
Rep: Reputation: Disabled
Yes.

Here is iptables NAT:
vador@BlindShaco:~$ sudo iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:13201 to:192.168.2.107:16000

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination


Everything is open... and still not working.
 
Old 12-13-2011, 12:18 PM   #8
goossen
Member
 
Registered: May 2006
Location: Bayern, Germany
Distribution: Many
Posts: 224

Rep: Reputation: 41
- Is IP Forward enabled?
- Is port 16000 really open on 192.168.2.107? Try "telnet 192.168.2.107 16000" from your Linux box.
 
Old 12-13-2011, 12:57 PM   #9
vador13
LQ Newbie
 
Registered: Dec 2011
Posts: 9

Original Poster
Rep: Reputation: Disabled
Is IP Forward enabled? YES

root@BlindShaco:/home/vador# cat /proc/sys/net/ipv4/ip_forward
1


Is port 16000 really open on 192.168.2.107? Try "telnet 192.168.2.107 16000" from your Linux box. YES

root@BlindShaco:/home/vador# nmap 192.168.2.107

Starting Nmap 5.00 ( http://nmap.org ) at 2011-12-13 18:49 WET
Interesting ports on 192.168.2.107:
Not shown: 991 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
111/tcp open rpcbind
443/tcp open https
8001/tcp open unknown
12000/tcp open cce4x
16000/tcp open unknown
31337/tcp open Elite
MAC Address: 00:09:34:28:85:A6 (Dream-Multimedia-Tv GmbH)

Nmap done: 1 IP address (1 host up) scanned in 0.67 seconds


root@BlindShaco:/home/vador# telnet 192.168.2.107 16000
Trying 192.168.2.107...
Connected to 192.168.2.107.
Escape character is '^]'.


Iptables:

root@BlindShaco:/home/vador# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination


Iptables NAT:
root@BlindShaco:/home/vador# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:13201 to:192.168.2.107:16000
DNAT tcp -- anywhere anywhere tcp dpt:13201 to:192.168.2.107:16000

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination


Connecting to port 13201 (external ip)

root@BlindShaco:/home/vador# telnet blindshaco.xxxxxx.org 13201
Trying xx.213.166.xx...
telnet: Unable to connect to remote host: Connection refused
 
Old 12-13-2011, 05:42 PM   #10
goossen
Member
 
Registered: May 2006
Location: Bayern, Germany
Distribution: Many
Posts: 224

Rep: Reputation: 41
Are you testing it from the same box you put the rules on? I remember this caused me some trouble. Try testing with this site: http://nmap-online.com
 
Old 12-14-2011, 11:30 AM   #11
vador13
LQ Newbie
 
Registered: Dec 2011
Posts: 9

Original Poster
Rep: Reputation: Disabled
I will test that, however the port that I am forwarding gives a webserver (created by the application).

Trying http://domain:13201 should show a page, which is not happening. Also, telnet does not connect to that port, as I showed you :-(.

Do you have any more suggestions? How come port forwarding is so difficult :-S It should be easy...

Thanks for your patience.
 
Old 12-16-2011, 07:07 AM   #12
TimothyEBaldwin
Member
 
Registered: Mar 2009
Posts: 249

Rep: Reputation: 27
The PREROUTING chain does not apply to locally sourced packets, use the OUTPUT chain for locally sourced packets.
 
Old 12-16-2011, 07:35 AM   #13
vador13
LQ Newbie
 
Registered: Dec 2011
Posts: 9

Original Poster
Rep: Reputation: Disabled
Hello TimothyEBaldwin,

But I want to forward the internal port 16000 (IP 192.168.2.107) to port 13201 on the external interface ppp0.

The OUTPUT chain is only used to transfer internal traffic, isn't it?

Here is output of the nat:
vador@BlindShaco:~$ sudo iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 278K packets, 19M bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:13201 to:192.168.2.107:16000

Chain POSTROUTING (policy ACCEPT 3019 packets, 189K bytes)
pkts bytes target prot opt in out source destination
181K 12M MASQUERADE all -- * ppp0 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 5849 packets, 367K bytes)
pkts bytes target prot opt in out source destination


But it is not working yet :-(
Thanks

Last edited by vador13; 12-16-2011 at 07:39 AM.
 
Old 12-16-2011, 02:25 PM   #14
goossen
Member
 
Registered: May 2006
Location: Bayern, Germany
Distribution: Many
Posts: 224

Rep: Reputation: 41
What TimothyEBaldwin is saying is that you can't test it from the same machine that has the rules, because the packets won't match. Same thing I previously said.
 
Old 12-17-2011, 05:46 AM   #15
TimothyEBaldwin
Member
 
Registered: Mar 2009
Posts: 249

Rep: Reputation: 27
Quote:
Originally Posted by vador13
Hello TimothyEBaldwin,

But I want to forward the internal port 16000 (IP 192.168.2.107) to port 13201 on the external interface ppp0.

The OUTPUT chain is only used to transfer internal traffic, isn't it?
It is used for traffic originating from the computer running the rule, which is what you test here:
Quote:
Originally Posted by vador13
Connecting to port 13201 (external ip)

root@BlindShaco:/home/vador# telnet blindshaco.xxxxxx.org 13201
Trying xx.213.166.xx...
telnet: Unable to connect to remote host: Connection refused
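The rule set the thread converges on, with the nat OUTPUT rule that TimothyEBaldwin's point implies for a test run from the router itself, plus a counter check that distinguishes "rule never matched" from "rule matched but something downstream is wrong". This is an added example, not code from any poster; WAN_IF, LAN_HOST, EXT_PORT, INT_PORT, SAMPLE_NAT and the function names are assumptions, and the sample counter output is constructed after the one posted above.

```shell
#!/bin/sh
# Added example (not from the thread). Topology from the posts: router with
# ppp0 (dynamic IP) and eth0 192.168.2.1, LAN host 192.168.2.107,
# external port 13201 -> internal port 16000.
WAN_IF=ppp0
LAN_HOST=192.168.2.107
EXT_PORT=13201
INT_PORT=16000

# Print the rules; pipe into "sh" as root to apply them. PREROUTING is never
# consulted for packets that originate on the router, so a telnet from the
# router itself only works if nat OUTPUT rewrites the destination too;
# "addrtype --dst-type LOCAL" limits that rule to the router's own addresses.
forward_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $EXT_PORT -j DNAT --to-destination $LAN_HOST:$INT_PORT
iptables -t nat -A OUTPUT -m addrtype --dst-type LOCAL -p tcp --dport $EXT_PORT -j DNAT --to-destination $LAN_HOST:$INT_PORT
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
iptables -A FORWARD -i $WAN_IF -p tcp -d $LAN_HOST --dport $INT_PORT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Read "iptables -t nat -L -v -n" output on stdin; print the pkts counter of
# each DNAT rule whose dport is $1, or -1 if no such rule exists.
dnat_hits() {
    awk -v port="$1" '$3 == "DNAT" && $0 ~ ("dpt:" port "( |$)") { print $1; found = 1 }
                      END { if (!found) print -1 }'
}

# Constructed sample, modelled on the counters posted in the thread: the
# rule exists but has matched zero packets.
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT 278K packets, 19M bytes)
 pkts bytes target prot opt in out source destination
    0     0 DNAT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:13201 to:192.168.2.107:16000'

# Turn a counter value into a one-line verdict for the administrator.
verdict() {
    case "$1" in
        -1) echo "no DNAT rule for port $EXT_PORT: add the PREROUTING rule" ;;
        0)  echo "DNAT rule present but never matched: test from outside, not from the router" ;;
        *)  echo "DNAT rule matched $1 packets: check FORWARD and the LAN host instead" ;;
    esac
}

# On the router: iptables -t nat -L -v -n | dnat_hits "$EXT_PORT"
verdict "$(printf '%s\n' "$SAMPLE_NAT" | dnat_hits "$EXT_PORT")"
```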