Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
There is not quite enough information in your posting to be sure about my diagnosis, but it seems very likely that you are having problems with external access to your 10.0.0.23 server because your server is on a Private Network. Public Internet routers will not pass packets addressed to any of the Private Networking address ranges. In order to achieve the effect I think you are looking for, you will need to actually specify port forwarding, not merely packet forwarding, on your firewall.
This is done by defining iptables rules in the nat table (which is not the default table, so you have to specify that table in the command).
BTW, there are a fairly large number of other problems with your posted iptables configuration:
1. The first rule in your INPUT chain is way too permissive. It is equivalent to a policy of ACCEPT, and allows all traffic into your firewall machine. This effectively masks all of the following rules.
2. Once you delete this first rule, then you will see a bunch of problems. The second and third rules in the INPUT chain interfere with necessary communication among processes that run on your firewall and should be deleted.
3. I do not see any need to accept broadcast packets from the Internet (destination 255.255.255.255). Unless you have some special application that requires this, I would eliminate this rule.
4. I assume that 116.52.24.167 is your assigned public IP address. If you accept all kinds of packets from the Internet (rule #9), the firewall is not very good protection. I would replace this with a series of rules that allow only the TCP and UDP traffic that you actually want to accept, and drop all others.
5. The last rule in your INPUT chain, attempting to accept packets for 10.0.0.23:2668 is not effective, since it is preceded by DROP everything, and iptables rules are processed in order only until a match occurs. Since we are handling the port in question by port fowarding in the nat table (which gets processed before the filter table, containing the input, forward, and output rules), you can just delete this rule from the INPUT chain.
6. The only rule that I think you need in your FORWARD chain is the second one, which forwards packets that are either coming from or going to machines behind your firewall as a result of connections set up by those machines.
7. Most of the rules in your OUTPUT chain are also redundant, because of the first rule, which allows all traffic generated on the firewall to be delivered wherever it is headed. This rule is equivalent to a policy of ACCEPT on the OUTPUT chain.
8. Your posting does not show it, but you may want a rule in the nat table to allow machines behind the firewall to share the Internet connection. That rule should look something like this:
but im still unclear about how to complete fix my table.
this command does not work.
iptables -t nat -A PREROUTING --dport 2668 -i eth3 -j DNAT --to-destination 10.0.0.23 #eth3 ist my network device for the local network
3. I do not see any need to accept broadcast packets from the Internet (destination 255.255.255.255
I have add this one, for the reason that I can ping other peolples from local network and from internet.
May I make a restart and I will give you my origin iptables, and you will write the script for me how to make the portforward?
thank you very much guy,
I kneed the port forwarding for my self written server, but other peoples cant connect.
When you say "this command does not work", do you mean that it gives you an error, or that the resulting firewall behavior is not what you want? This is an important distinction.
If you want to be able to exchange pings with other systems on the Internet, a more precise rule would be
Code:
#iptables -A INPUT -p icmp -d 116.52.24.167 --icmp-type echo-request -j ACCEPT
#iptables -A INPUT -p icmp -d 116.52.24.167 --icmp-type echo-reply -j ACCEPT
#iptables -A OUTPUT -p icmp -j ACCEPT
This will protect you against a great many other kinds of packets that might arrive at your firewall, some of them containing mischief.
Please tell me as precisely as you can what you want the firewall to do, and I will try to assist you. So far, I think I see that you have two machines, a firewall connected to the Internet via its eth3 with IP address 116..52.24.167, and connected to your local network (10.0.0.x) by some other interface; and a second machine with at least one interface (eth1) having IP address 10.0.0.23). I think that you have a service of your own running on that second machine which listens on TCP port 2668.
Beyond that, I do not know what else is going on. Does this special server also reply on port 2668, or on some other port? Are there any other services that require communication through the firewall? Are there services on the firewall machine itself that need to be allowed to communicate with the Internet? Are there other machines behind the firewall that need to originate connections to the Internet?
All of these things can affect the firewall rules that you will need, and many of them might change as your uses of the systems change. This means that it will be a fairly difficult task for me, an outsider, to anticipate all the things you might need from your firewall. Since you know your requirements better, you are in a better position to work out the rules that you will need. To do this, it will help if you do some reading on the Net about how the Internet protocols TCP, UDP, and ICMP work, so that you can better anticipate what rules will be needed for a particular service. You might want to visit http://www.digitalelephant.org/compu...net_basic.html to get started. This is a short review I have written on the basics of setting up a network and a firewall. It does not cover the port-forwarding that I described in my previous post, but it does cover all the rest of the topics I have touched on in this post and my previous one.
I have a server on the 10.0.0.23 machine.
I want to run this programm, which will connect yo my server on port 2668, the sever schould forward to the 10.0.0.23 machine, which the server for the programm runs.
I am sorry to say that I cannot make you a script that will solve all your problems, for two reasons:
1. First, I do not have enough information to do this reliably.
2. Second, it is not considered good manners to simply ask for someone else to solve your problems for you. I have suggested several ways that your firewall configuration can be improved, and I will suggest some more in this posting, but that configuration is something that you must learn how to maintain yourself, if it to be of any use.
From your other posting thread, I guess that ppp0 is being used for a Virtual Private Network connection, not the public Internet. If that is true, then we probably do not need to consider it further in order to solve the immediate problem.
Here is an annotated listing of your firewall configuration, with my recommendations about what to do with each of the lines:
This will leave you with a minimal firewall configuration that will almost certainly not allow the sorts of communication you want, but will be fairly protective. Then you will need to add rules as described in my previous postings, and in the tutorial I recommended to you. I suggest that you first insert the rules to do Network Address Translation (NAT) for network 10.0.0.x, so that machines behind the firewall will be able to iniitiate communication with the public Internet. Since, at the end of each chain, you have a LOG statement, any problems in the communication protocols will show up as logged packets in your syslog error message file (probably /var/log/messages).
When that works, I would recommend that you add the rule to allow port-forwarding, again checking the syslog error file for logged packets when you attempt to run the service on port 2668.
If you do not understand the results of these steps, please post the log messages, and we may be able to interpret them for you.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
