LinuxQuestions.org
Old 09-24-2008, 11:35 PM   #1
Shwick
Member
 
Registered: Jun 2008
Posts: 111

Rep: Reputation: 15
iptables forwarding help pls


I successfully set up my home network with IP forwarding and masquerading, internet <<>> Ubuntu gateway <<>> local machines.

Now I'm trying to forward a port from my Ubuntu gateway to one of the machines on my LAN.

Specifically I need to forward port 6112 so that I can host Warcraft games. These two rules don't seem to be working.

#set DNAT
iptables -A PREROUTING -t nat -p tcp --dport 6112 -i eth0 -j DNAT --to 192.168.0.100:6112
iptables -A PREROUTING -t nat -p udp --dport 6112 -i eth0 -j DNAT --to 192.168.0.100:6112


These were some other rules I already had.


#setup MASQUERADING for nat
iptables -A POSTROUTING -t nat -j MASQUERADE

# Setup port forwarding
iptables -A FORWARD -i eth0 -o eth1 -s 192.168.0.0/24 -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT


I set up a log after the DNAT and it gets triggered b/c I can see it in syslog, but no one can join my games.
I also set up a log after MASQUERADE but that one didn't appear in syslog.

Maybe it has something to do with state in the DNAT rules? I dunno what's going on.
 
Old 09-25-2008, 12:26 AM   #2
ddaemonunics
Member
 
Registered: May 2008
Location: Romania
Distribution: Debian
Posts: 242

Rep: Reputation: 41
You have 2 rules
iptables -A PREROUTING -t nat -p tcp --dport 6112 -i eth0 -j DNAT --to 192.168.0.100:6112

From this I understand that eth0 is the internet interface.

iptables -A FORWARD -i eth0 -o eth1 -s 192.168.0.0/24 -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT


I think it should be:
iptables -A FORWARD -i eth0 -o eth1 -d 192.168.0.0/24 -m state --state NEW -j ACCEPT

You should understand iptables chain traversal.
For your situation you should know that the packets first enter
nat table PREROUTING chain -> filter table FORWARD chain -> nat table POSTROUTING chain.

If you do DNAT in the PREROUTING chain, you also need to allow new connections to pass through the FORWARD chain to the internal IP.
Also make sure the port is open on the internal device.
Try to telnet from the Linux gateway to the internal device on that port.
 
Old 09-25-2008, 07:06 PM   #3
Shwick
Member
 
Registered: Jun 2008
Posts: 111

Original Poster
Rep: Reputation: 15
Awesome, you helped me fix the problem.

"Also make sure the port is open on the internal device."

Stupid Windows SP3 didn't ask me if I wanted to allow War3 through my firewall. I added it manually and now my Windows machine can host through the gateway. The packets were being forwarded properly all along; I was just so focused on the gateway being the problem. Next time I'll install Wireshark.
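
The chain traversal described in reply #2, as an added example that is not part of the original thread: a small Python model that walks one inbound packet through nat PREROUTING, the routing decision, filter FORWARD and nat POSTROUTING using the rules posted above. The gateway addresses, the client address and the FORWARD policy are assumptions (the thread does not give them), so the policy is a parameter.

```python
# Added illustration: a toy model of the path a forwarded packet takes through
# the thread's rules. Addresses other than 192.168.0.100 are constructed.
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.0.0/24")
GW_ADDR = {"eth0": "203.0.113.1", "eth1": "192.168.0.1"}  # assumed gateway IPs

# FORWARD rules as (in_if, out_if, match_field, network, states)
ORIGINAL = [("eth0", "eth1", "src", LAN, {"NEW"}),        # post #1: -s
            (None, None, None, None, {"ESTABLISHED", "RELATED"})]
CORRECTED = [("eth0", "eth1", "dst", LAN, {"NEW"}),       # post #2: -d
             ORIGINAL[1]]


def forward_verdict(pkt, rules, policy):
    """First matching FORWARD rule accepts; otherwise the chain policy applies."""
    for in_if, out_if, field, net, states in rules:
        if (in_if and pkt["in_if"] != in_if) or (out_if and pkt["out_if"] != out_if):
            continue
        if field and ip_address(pkt[field]) not in net:
            continue
        if pkt["state"] in states:
            return "ACCEPT"
    return policy


def traverse(pkt, rules, policy="DROP"):
    """nat/PREROUTING -> routing decision -> filter/FORWARD -> nat/POSTROUTING."""
    pkt = dict(pkt)
    # nat PREROUTING: the thread's DNAT rule rewrites the destination first.
    if pkt["in_if"] == "eth0" and pkt["proto"] in ("tcp", "udp") and pkt["dport"] == 6112:
        pkt["dst"] = "192.168.0.100"
    # Routing decision happens on the rewritten destination.
    pkt["out_if"] = "eth1" if ip_address(pkt["dst"]) in LAN else "eth0"
    # filter FORWARD sees the post-DNAT destination and the original source.
    pkt["verdict"] = forward_verdict(pkt, rules, policy)
    # nat POSTROUTING: MASQUERADE without -o rewrites the source on any interface.
    if pkt["verdict"] == "ACCEPT":
        pkt["src"] = GW_ADDR[pkt["out_if"]]
    return pkt


# Constructed sample: first packet of an inbound game connection.
INBOUND = {"in_if": "eth0", "src": "198.51.100.7", "dst": "203.0.113.1",
           "proto": "tcp", "dport": 6112, "state": "NEW"}

if __name__ == "__main__":
    for rules, policy in ((ORIGINAL, "DROP"), (ORIGINAL, "ACCEPT"), (CORRECTED, "DROP")):
        print("-d" if rules is CORRECTED else "-s", policy, traverse(INBOUND, rules, policy))
```

In this model, with policy DROP only the `-d` rule admits the new inbound connection, while with policy ACCEPT both rulesets pass it. In every accepted case the unrestricted MASQUERADE makes the LAN host see 192.168.0.1 as the source rather than the real client address.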
 
  

