Linux - Networking (LinuxQuestions.org forum thread)
eth1 -> Public IP -> xxx.xxx.xxx.xxx
eth0 -> Local IP -> 192.168.0.254
I want to forward the Remote Admin port to my LAN computer, which has IP 192.168.0.173.
Please let me know what rule I should apply so that one can access my computer (192.168.0.173) remotely through Remote Admin. Remote Admin uses port 4899 to connect.
If your destination address (-d) is correct, that looks to me like it should work. If not ...
Do you have any kind of a firewall between the Linux box and the Internet that could be blocking things?
Do you have firewall rules in the Linux box that could be blocking? The incoming packets and the return packets will both have to successfully traverse the FORWARD chain.
Do you have a firewall on the machine running remoteadmin that could be blocking things?
You must have ip_forward enabled on the Linux box.
If it's none of the above, the only thing I know is to troubleshoot. To do that you need a way to send some packets to forward to this machine. (If that's impossible but you have another computer you can hook up to eth1, you can temporarily change eth1 to use a (different) LAN subnet, temporarily alter your DNAT rule to match and troubleshoot in this configuration. Then change things back when it works.) For troubleshooting, when you supply packets you can examine the packet count on your rule with
Code:
iptables -t nat -nvL PREROUTING
and see if the incoming packets are matching. (Only the first one for a given connection will match; after the connection is established the rest of the incoming packets will bypass the PREROUTING chain.) You can also monitor what packets are being received and sent on each interface on your Linux box using tcpdump, wireshark, or some other packet sniffer, and see where you are losing the packets.
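The rule set that the checklist above implies, written out as an added example (it is not code from the thread): a DNAT rule on the public interface, FORWARD rules for both directions keyed on conntrack state, ip_forward, and the counters and capture to watch while a remote client retries. Interface names and addresses are the ones the poster gave; ALLOWED_SRC and SNAT_TO_GW are variables I introduced for this example. Leaving ALLOWED_SRC open exposes Radmin on 4899 to the whole internet, so narrow it to the admin's real source range. The script prints the commands instead of running them, so you can read them first and then pipe them into a root shell.

```shell
#!/bin/sh
# Added example, not from the thread: generate iptables rules to forward
# TCP/4899 (Radmin) from the public interface to one LAN host.
# Usage:  sh pf.sh | sudo sh        (review the output before piping it)
PUB_IF=eth1
LAN_IF=eth0
LAN_GW=192.168.0.254                     # the NAT box's own LAN address
TARGET=192.168.0.173
PORT=4899
# Hypothetical placeholder: set this to the admin's real source range.
ALLOWED_SRC=${ALLOWED_SRC:-0.0.0.0/0}

pf_rules() {
    # 1. the kernel must be willing to route between interfaces at all
    #    (sysctl -w is not persistent; put the same line in /etc/sysctl.conf)
    echo "sysctl -w net.ipv4.ip_forward=1"
    # 2. rewrite the destination of new connections arriving on the public side;
    #    only the first packet of each connection consults the nat table
    echo "iptables -t nat -A PREROUTING -i $PUB_IF -p tcp -s $ALLOWED_SRC --dport $PORT -j DNAT --to-destination $TARGET:$PORT"
    # 3. FORWARD sees the packet after DNAT (destination is already the LAN host)
    #    and also sees the replies, so both directions need a rule
    echo "iptables -A FORWARD -i $PUB_IF -o $LAN_IF -p tcp -d $TARGET --dport $PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN_IF -o $PUB_IF -p tcp -s $TARGET --sport $PORT -m conntrack --ctstate ESTABLISHED -j ACCEPT"
    # 4. optional (SNAT_TO_GW=1): if the target's default gateway is not this box,
    #    also source-NAT the forwarded packets so its replies come back here.
    #    The cost is that the target only ever sees $LAN_GW as the client address.
    if [ "${SNAT_TO_GW:-0}" = 1 ]; then
        echo "iptables -t nat -A POSTROUTING -o $LAN_IF -p tcp -d $TARGET --dport $PORT -j SNAT --to-source $LAN_GW"
    fi
}

pf_check() {
    # what to look at while a remote client retries: the DNAT rule counter
    # should move once per connection attempt, the FORWARD counters per packet
    echo "iptables -t nat -nvL PREROUTING"
    echo "iptables -nvL FORWARD"
    # and on the LAN side, does the SYN go out and does anything come back?
    echo "tcpdump -ni $LAN_IF 'host $TARGET and (port $PORT or arp)'"
}

pf_rules
```

If the target host already uses the NAT box as its default gateway, the SNAT rule in step 4 is unnecessary and you keep the real client address in the Radmin logs.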
Yes, I have a firewall installed on that machine, but even when I disabled it, it won't work. I did as per your instructions and the output is as follows; see the bold lines, which show that traffic is coming in.
And here is tcpdump output
[root@squid ~]# tcpdump -i eth1 port 4899
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
09:27:17.888807 IP <My IP>.23308 > <Destination IP>.radmin-port: S 1168980337:1168980337(0) win 16384 <mss 1452,nop,nop,sackOK>
09:27:20.769602 IP <My IP>.23308 > <Destination IP>.radmin-port: S 1168980337:1168980337(0) win 16384 <mss 1452,nop,nop,sackOK>
09:27:26.788891 IP <My IP>.23308 > <Destination IP>.radmin-port: S 1168980337:1168980337(0) win 16384 <mss 1452,nop,nop,sackOK>
This output seems OK to me. If you have any observations please let me know. The "192.168.0.173" works fine on the LAN for Remote Admin.
On your tcpdump output, "Destination IP" is the public IP address of the machine with the DNAT rule? If so, that looks to me like 3 "syn" packets (that is what that capital S means) -- the first packet sent to start a TCP handshake. In other words, three attempts from your remote machine to start a conversation, with no packets coming back.
Obviously you got a match on the DNAT rule, but beyond that I am not sure I understand the packet counts. Perhaps I still don't fully understand the details of what happens with the packet handling with DNAT.
I suggest you use tcpdump to monitor eth0 to see if the packet ever leaves the machine, and if so, whether a response comes back. If the packet never leaves this machine, make sure you have ip_forward enabled and that your routing table makes sense:
I was wondering if perhaps the firewall on 192.168.0.173, or maybe the Remote Admin application itself was blocking IP addresses that are not from your LAN.
Can you put a packet sniffer on 192.168.0.173 itself? If it is receiving those packets but not sending anything back, then you know the issue is on that machine. You've already established that the problem (at least the initial problem) is not on the machine doing the DNAT.
Thank you very much for the support. The problem has been resolved.
[root@squid ~]# tcpdump host 192.168.0.173
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
10:39:31.867367 arp who-has 192.168.0.173 tell 192.168.0.254
10:39:31.867470 arp reply 192.168.0.173 is-at 00:13:20:28:31:18 (oui Unknown)
10:39:31.867479 IP <My IP>.24812 > 192.168.0.173.radmin-port: S 2100045692:2100045692(0) win 16384 <mss 1452,nop,nop,sackOK>
10:39:31.867668 arp who-has 192.168.0.1 tell 192.168.0.173
10:39:40.865820 arp who-has 192.168.0.1 tell 192.168.0.173
The above helped me in resolving the issue, and obviously your advice... In fact all traffic from this machine goes through squid, so I never bothered to change the gateway. In fact my gateway is 192.168.0.254, but if you look at the above dump in bold, you can see that it is showing the gateway 192.168.0.1.
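A small check for the symptom that turned out to be the cause, written as an added example (not part of the thread): it scans a tcpdump capture taken on the NAT box's LAN interface for the target host ARPing for a gateway other than this box, and for SYNs to the target that never get a SYN-ACK back. The SYN arrives on 192.168.0.173 fine; its reply is addressed to the public client and so goes to the host's default gateway, and if that is 192.168.0.1 rather than 192.168.0.254 the SYN-ACK never passes back through the NAT box. The sample capture is constructed from the one posted above, with 203.0.113.5 standing in for the redacted remote address, and the field positions assume tcpdump's default (non -n) output format as shown in the post.

```shell
#!/bin/sh
# Added example, not from the thread: diagnose an asymmetric return path
# behind a DNAT port forward from a tcpdump capture on the LAN interface.
TARGET=192.168.0.173
EXPECTED_GW=192.168.0.254    # the NAT box's LAN address

# Constructed sample, modelled on the capture posted above; 203.0.113.5
# stands in for the redacted remote client address.
SAMPLE='10:39:31.867367 arp who-has 192.168.0.173 tell 192.168.0.254
10:39:31.867470 arp reply 192.168.0.173 is-at 00:13:20:28:31:18 (oui Unknown)
10:39:31.867479 IP 203.0.113.5.24812 > 192.168.0.173.radmin-port: S 2100045692:2100045692(0) win 16384 <mss 1452,nop,nop,sackOK>
10:39:31.867668 arp who-has 192.168.0.1 tell 192.168.0.173
10:39:40.865820 arp who-has 192.168.0.1 tell 192.168.0.173'

# Addresses the target asks for by ARP that are not the NAT box: that is where
# it will hand the SYN-ACK, so the reply never comes back through here.
# Prints "<ip> <count>" per offending address.  Reads the capture on stdin.
wrong_gateways() {
    awk -v t="$TARGET" -v gw="$EXPECTED_GW" '
        $2 == "arp" && $3 == "who-has" && $5 == "tell" && $6 == t && $4 != gw { seen[$4]++ }
        END { for (ip in seen) print ip, seen[ip] }'
}

# Count SYNs forwarded to the target versus SYN-ACKs from it (old tcpdump
# format: "S ..." for SYN, "S ... ack ..." for SYN-ACK).  Prints "<syn> <synack>".
syn_balance() {
    awk -v t="$TARGET" '
        $2 == "IP" && index($5, t ".") == 1 && $6 == "S" && $0 !~ / ack / { syn++ }
        $2 == "IP" && index($3, t ".") == 1 && $6 == "S" && $0 ~ / ack /  { synack++ }
        END { printf "%d %d\n", syn, synack }'
}

# Combine the two into a verdict.  Reads the capture on stdin.
diagnose() {
    cap=$(cat)
    gws=$(printf '%s\n' "$cap" | wrong_gateways)
    bal=$(printf '%s\n' "$cap" | syn_balance)
    set -- $bal
    if [ "$1" -gt 0 ] && [ "$2" -eq 0 ] && [ -n "$gws" ]; then
        echo "asymmetric return path: $TARGET sends replies via ${gws%% *}, not $EXPECTED_GW"
    elif [ "$1" -gt 0 ] && [ "$2" -eq 0 ]; then
        echo "target receives SYNs but never answers: check its host firewall or the service"
    else
        echo "no forwarding symptom in capture ($1 SYN, $2 SYN-ACK)"
    fi
}

printf '%s\n' "$SAMPLE" | diagnose
```

On the real box, capture with `tcpdump -l -i eth0 host 192.168.0.173 > cap.txt` while the remote client retries, then run `diagnose < cap.txt`. The two fixes for the asymmetric case are the one the poster used (point the target's default gateway at 192.168.0.254) or, where the target's gateway cannot be changed, SNATing the forwarded traffic on the NAT box so the replies return through it.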