LinuxQuestions.org


eliufoo 04-28-2008 07:16 AM

Assistant: Port Forwarding
 
I have two interfaces configured (Internet & LAN). I want traffic from a specific host to be routed to a specific server.

My external interface is eth1 (197.41.39.55) and my internal interface is eth0 (192.168.10.0/24), which has several servers and networking equipment that need to be reached by external hosts. I intend to route traffic from host 80.223.75.169 destined for 197.41.39.55 on port 8080 to be forwarded to 192.168.10.5 port 80. According to my internet search, the configuration below should work:

- iptables -t nat -A PREROUTING -p tcp -i eth1 -d 197.41.39.55 --dport 8080 -j DNAT --to 192.168.10.5
- iptables -A FORWARD -p tcp -i eth0 -d 192.168.10.5 --dport 80 -j ACCEPT
- iptables -t nat -A PREROUTING -j LOG --log-level debug --log-prefix '***PREROUTING***'

I have implemented the above configuration but nothing works. I have also completely FLUSHED my firewall (for testing) and loaded the NAT module, and it still doesn't work. Also, apart from the log file (messages), how can I troubleshoot the iptables configuration?

Assist please:

Elly

datopdog 04-28-2008 09:27 AM

If you want port 8080 traffic to get to the inside port 80 then the rule should be like this

Code:

iptables -t nat -A PREROUTING -p tcp -i eth1 -d 197.41.39.55 --dport 8080 -j DNAT --to 192.168.10.5:80

eliufoo 04-29-2008 12:49 AM

Quote:

iptables -t nat -A PREROUTING -p tcp -i eth1 -d 197.41.39.55 --dport 8080 -j DNAT --to 192.168.10.5:80

Tried that too and it still didn't work. I also tried SNAT by adding another virtual interface on the external primary interface. I gave it a public IP address that will be mapped with an internal web server. Below is my configuration; correct me if I'm wrong.

# PREROUTING statements for 1:1 NAT (Connections originating from the Internet)

iptables -t nat -A PREROUTING -d 197.41.39.55 -i eth1 -j DNAT --to-destination 192.168.10.5

# POSTROUTING statements for 1:1 NAT (Connections originating from the home network servers)

iptables -t nat -A POSTROUTING -s 192.168.10.5 -o eth1 -j SNAT --to-source 197.41.39.55

# Allow forwarding to each of the servers configured for 1:1 NAT

iptables -A FORWARD -p tcp -i eth1 -o eth0 -d 192.168.10.5 -m multiport \
--dport 80,22,21,53 -m state --state NEW -j ACCEPT

# Allow forwarding for all New and Established SNAT connections
# originating on the home network AND already established
# DNAT connections

iptables -A FORWARD -t filter -o eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Allow forwarding for all 1:1 NAT connections originating on
# the Internet that have already passed through the NEW forwarding
# statements above

iptables -A FORWARD -t filter -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log traffic at debug level for the POSTROUTING, PREROUTING and FORWARD chains.

iptables -t nat -A PREROUTING -j LOG --log-level debug --log-prefix '***PREROUTING*** '

iptables -t nat -A POSTROUTING -j LOG --log-level debug --log-prefix '***POSTROUTING*** '

iptables -A FORWARD -j LOG --log-level debug --log-prefix '//FORWARD// '

datopdog 04-29-2008 01:30 AM

The configuration seems correct; if it's not working, use tcpdump to debug it.
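
Added example (not part of the thread, and not code from either poster): a small Python check that takes a DNAT rule and a FORWARD ACCEPT rule and lists why the FORWARD rule would not match the packet after rewriting. It is run here on the rules from the first post and on the `:80` correction from the first reply. `FORWARD_ETH1` is a constructed variant; the parser handles only single-value `-i`, `-d`, `--dport` and `--to`/`--to-destination` (no multiport, ranges or negation).

```python
import ipaddress
import shlex

# Option -> field name; only the options this check needs.
FIELDS = {"-A": "chain", "-i": "in_if", "-d": "dst", "--dport": "dport",
          "-j": "target", "--to": "to", "--to-destination": "to"}

def parse(rule):
    """Parse one 'iptables ...' command line into a dict of the fields above."""
    tok = shlex.split(rule)
    return {FIELDS[k]: v for k, v in zip(tok, tok[1:]) if k in FIELDS}

def why_no_match(dnat_rule, forward_rule):
    """Reasons the FORWARD rule would not match a packet rewritten by the DNAT rule.

    FORWARD (filter table) is traversed after PREROUTING (nat table), so it sees
    the rewritten destination; the ingress interface is unchanged.
    """
    nat, fwd = parse(dnat_rule), parse(forward_rule)
    ip, _, port = nat["to"].partition(":")
    port = port or nat.get("dport")  # DNAT without ":port" keeps the original port
    reasons = []
    if "in_if" in nat and fwd.get("in_if", nat["in_if"]) != nat["in_if"]:
        reasons.append(f"-i {fwd['in_if']}: packet enters on {nat['in_if']}")
    if "dst" in fwd:
        net = ipaddress.ip_network(fwd["dst"], strict=False)  # accepts host or CIDR
        if ipaddress.ip_address(ip) not in net:
            reasons.append(f"-d {fwd['dst']}: destination after DNAT is {ip}")
    if port and fwd.get("dport", port) != port:
        reasons.append(f"--dport {fwd['dport']}: port after DNAT is {port}")
    return reasons

# Rules copied from the thread.
DNAT_ORIGINAL = ("iptables -t nat -A PREROUTING -p tcp -i eth1 -d 197.41.39.55 "
                 "--dport 8080 -j DNAT --to 192.168.10.5")
DNAT_WITH_PORT = DNAT_ORIGINAL + ":80"
FORWARD_POSTED = "iptables -A FORWARD -p tcp -i eth0 -d 192.168.10.5 --dport 80 -j ACCEPT"
# Constructed variant (assumption): the same rule with the ingress interface set to eth1.
FORWARD_ETH1 = "iptables -A FORWARD -p tcp -i eth1 -d 192.168.10.5 --dport 80 -j ACCEPT"

if __name__ == "__main__":
    for dnat in (DNAT_ORIGINAL, DNAT_WITH_PORT):
        for fwd in (FORWARD_POSTED, FORWARD_ETH1):
            result = why_no_match(dnat, fwd) or ["matches"]
            print(parse(dnat)["to"], "| FORWARD -i", parse(fwd)["in_if"], "->", result)
```

A non-matching ACCEPT rule only blocks traffic when the FORWARD policy or a later rule drops it. With a flushed ruleset and an ACCEPT policy, check `net.ipv4.ip_forward` and the return path instead, which is where tcpdump on both interfaces helps.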


All times are GMT -5.