LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 03-17-2004, 05:49 AM   #1
hotrodowner
Member
 
Registered: Mar 2002
Distribution: Too many to count
Posts: 368

Rep: Reputation: 30
strange iptables forwarding


The worst part about this is that it just suddenly happened. Eth0 is my Internet connection. I typed:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 23 -j DNAT --to-destination 192.168.**.1:22

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.**.5:22

the ** are for security reasons in posting here; those are real numbers in the commands. The reason I have such strange forwarding is because I have to get through another firewall that blocks most ports besides telnet and http. This worked when I first used it, but yesterday I didn't get a response on the port 80 forwarding. I don't have httpd running, so I tried service iptables stop and then retyping those commands, but I still can't get through. I tried switching the ports, and then port 80 worked but 23 didn't. I tried ssh'ing straight to 192.168.**.5 and it worked fine. It appears to me that iptables just isn't forwarding to "outside the box" IP addresses. Any thoughts? Some module I need or rule I forgot?
 
Old 03-17-2004, 06:10 AM   #2
AutOPSY
Member
 
Registered: Mar 2004
Location: US
Distribution: Redhat 9 - Linux 2.6.3
Posts: 836

Rep: Reputation: 31
From the looks of it you have 1 machine as a firewall,
that you are trying to forward port 80 requests to 192.168.1.105.

Don't you have a router that you can use for port forwarding?

PS: adding * isn't going to help security.
192.168.1.1 is everyone's class b lan router address.

Last edited by AutOPSY; 03-17-2004 at 06:13 AM.
 
Old 03-17-2004, 07:47 AM   #3
hotrodowner
Member
 
Registered: Mar 2002
Distribution: Too many to count
Posts: 368

Original Poster
Rep: Reputation: 30
I don't want to discourage posting, but please post something relevant.

1) I am trying to forward the requests to 192.168.**.5, not 192.168.1.105.
2) I am using my linux computer as the router
3) putting * will provide security because it could be any number from 0-254
4) 192.168.1.1 is a specific ip address, in classful addressing it belongs to the 192.168.1.0/24 network.
5) the 192.168.1.1/24 address range is not what everybody uses.
6) 192.168.1.1/24 is not a class B network, it is a class C network.


I don't mean to cause hostility or hurt feelings, but please know what you're talking about. Could someone please reply that knows something about iptables rules?
 
Old 04-03-2004, 07:43 PM   #4
hotrodowner
Member
 
Registered: Mar 2002
Distribution: Too many to count
Posts: 368

Original Poster
Rep: Reputation: 30
I wish someone could help me with this, it's kinda important...
 
Old 04-04-2004, 03:45 AM   #5
ugge
Senior Member
 
Registered: Dec 2000
Location: Gothenburg, SWEDEN
Distribution: OpenSUSE 10.3
Posts: 1,028

Rep: Reputation: 45
Some clarifying questions:
"yesterday I didn't get a responce on the port 80 forwarding"
That means you tried to ssh to your Internet IP on port 80 FROM the Internet?

"I tried ssh'ing straight to 192.168.**.5"
Meaning ssh from local router to 192.168.**.5 ?

To make something out of this we will have to know the current iptables setup.
iptables -n -L
iptables -n -L -t nat
 
Old 04-04-2004, 07:19 AM   #6
hotrodowner
Member
 
Registered: Mar 2002
Distribution: Too many to count
Posts: 368

Original Poster
Rep: Reputation: 30
Yes, I tried to ssh from the Internet

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 192.168.**.0/24 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 192.168.**.0/24
DROP all -- !192.168.**.0/24 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination


--------------------------------------------------------------------------

Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:23 to:192.168.**.1:22
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:192.168.**.5:22

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination



and the 23 routing works, but the 80 doesn't

Last edited by hotrodowner; 04-04-2004 at 07:21 AM.
 
Old 04-04-2004, 09:13 AM   #7
ugge
Senior Member
 
Registered: Dec 2000
Location: Gothenburg, SWEDEN
Distribution: OpenSUSE 10.3
Posts: 1,028

Rep: Reputation: 45
My conclusion of the network topology

Internet - ISP firewall - Your router - Your LAN

How far do the packets come? Do you get any incoming packets for the 80 or 23 port on your firewall? iptables -L -n -v
Where are your packets matched, one of your rules or are they matched at the policy?
This is interesting to know because then we can narrow the problem down to where and why it can't establish a connection.

iptables -Z will zero the counters so that you can monitor it more easily.
 
Old 04-04-2004, 01:58 PM   #8
hotrodowner
Member
 
Registered: Mar 2002
Distribution: Too many to count
Posts: 368

Original Poster
Rep: Reputation: 30
yes, I do get packets for both. I tried the port 80, and it has twice the number of packets as the one to port 23. Port 23 works, but then port 80 times out.

They are matched by the rules:

iptables -t nat -A PREROUTING -i eth+ -p tcp -m tcp --dport 23 -j DNAT --to-destination 192.168.**.1:22

iptables -t nat -A PREROUTING -i eth+ -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.**.5:22
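
Added example (not from the thread or any poster): ugge's suggestion of reading the packet counters with iptables -L -n -v can be done without zeroing them by saving two snapshots, one before and one after a single test connection, and diffing them with a small POSIX sh/awk helper that names the rule, or the chain policy, whose counter grew. The snapshots, the 192.168.0.x addresses and the counts below are constructed sample data in the shape the thread's setup would produce.

```shell
#!/bin/sh
# Added example: diff two "iptables -L -n -v" snapshots (before/after a test
# connection) and report which rules or chain policies saw more packets.
# A growing policy counter means the packets fell through every rule.
# Addresses (192.168.0.x) and counters below are constructed sample data.

counter_delta() {
    # $1 = snapshot taken before the test, $2 = snapshot taken after
    awk '
    FNR == 1 { snap++ }              # snap 1 = before, snap 2 = after
    /^Chain / {
        # header line looks like "Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)"
        # so $4 is the policy target and $5 its packet counter
        chain = $2; idx = 0; key = chain " policy " $4; pk = $5 + 0
        if (snap == 1) before[key] = pk
        else if (pk > before[key]) print key ": +" (pk - before[key]) " pkts"
        next
    }
    /^ *pkts/ || NF == 0 { next }    # skip the column header and blank lines
    {
        idx++                        # rule position within the current chain
        extra = ""; for (i = 10; i <= NF; i++) extra = extra " " $i   # match text, e.g. "tcp dpt:80 to:..."
        key = chain " rule " idx " " $3 extra
        if (snap == 1) before[key] = $1 + 0
        else if ($1 + 0 > before[key]) print key ": +" ($1 - before[key]) " pkts"
    }' "$1" "$2"
}

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/before" <<'EOF'
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    40 2400 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain PREROUTING (policy ACCEPT 5 packets, 300 bytes)
 pkts bytes target     prot opt in     out     source               destination
     3  180 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:23 to:192.168.0.1:22
     6  360 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.0.5:22
EOF
cat > "$WORK/after" <<'EOF'
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    42 2520 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain PREROUTING (policy ACCEPT 6 packets, 360 bytes)
 pkts bytes target     prot opt in     out     source               destination
     3  180 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:23 to:192.168.0.1:22
     8  480 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.0.5:22
EOF
counter_delta "$WORK/before" "$WORK/after"
```

On a live box the two snapshots would come from iptables -L -n -v and iptables -t nat -L -n -v run as root, redirected to files before and after one connection attempt; a rule that shows a delta in PREROUTING but none in FORWARD, or vice versa, tells you which hop is dropping the connection.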
 
  

