LinuxQuestions.org

Linux - Networking: port forwarding with iptables (https://www.linuxquestions.org/questions/linux-networking-3/port-forwarding-with-iptables-404558/)

solletica 01-17-2006 02:20 PM

port forwarding with iptables
 
I have a Linux box acting as a NAT firewall for my internal network. On the internal network is a server running on port 4000 on a Windows 2003 box.

I want to forward all connections into the firewall's public IP address on port 4000 to port 4000 on the Windows box, using iptables.

The Windows box's internal IP address is 192.168.1.6 and the firewall's external interface's (public IP) address is 67.109.203.170. I'm currently using the following iptables rules to do this...

iptables -A FORWARD -p tcp -s 0/0 -i eth0 -d 192.168.1.6 --destination-port 4000 --syn -j ACCEPT

iptables -A PREROUTING -t nat -p tcp -i eth0 -d 67.109.203.170 --destination-port 4000 -j DNAT --to-destination 192.168.1.6

Now these rules ARE WORKING as intended, with one exception: if I try to connect to 67.109.203.170:4000 from a PC on the internal network (i. e. 192.168.1.x), it doesn't work.

In other words, if I do

telnet 67.109.203.170 4000

from outside the private network, a connection is made, but if I do it from within the private network, it doesn't :(

Can you tell me how I can correct the iptables rules so a connection to <external IP>:4000 can be made internally as well?

Incidentally, I know that if I replace the Linux box firewall with an off-the-shelf router and configure the router for port forwarding on 4000, it WILL do the above (i.e. allow the connection from both inside and outside the network).

Thanks.

antken 01-18-2006 07:51 PM

I think here you would have to run your rules again but amend them so that eth0 is replaced with your internal adapter, eth1 (I presume).

Once that has been done I reckon it will fix the problem.


Also, once you have put the new rules in you could run iptables -L -v

This will show you how many packets have been touched by that rule.

solletica 01-23-2006 01:15 PM

Well, if I replace eth0 with eth1, then packets coming from outside the network won't be routed to the Windows box.

That's not what I want; I want all TCP/IP traffic to 67.109.203.170 on port 4000, whether from the internal LAN or the outside, to be routed to the Windows box.

BTW, I tried removing the "-i eth0" altogether, from both rules, but that didn't work.

I know this is doable; I just don't know how.

Stranex 01-23-2006 03:20 PM

Isn't this because the router/firewall doesn't support loopback?

Trying to access your boxes using the WAN IP (from your LAN IPs) won't work because of this.

Not sure if there is a way around it, but I think that's why it won't work.

solletica 01-23-2006 03:59 PM

It is possible to access the firewall box from a LAN PC using the box's public IP, i. e.

if I do ping 67.109.203.170 from a PC on the inside, I get a reply, and I can also, say, connect to a publicly available server running on the box by telnetting to its public IP address FROM the inside.

So what's the deal?

thekillerbean 03-12-2006 04:37 AM

What you need is a PREROUTING rule to check for traffic destined for your public IP at port 4000 coming from your LAN interface and DNAT it back to the internal box servicing that port - simple really!


If that does not work, then you need to provide a diagram of how your network is configured!

Cheers,
kb.
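The rule set below is an added example for this thread, not code posted by any participant. It implements the hairpin NAT ("NAT loopback") that thekillerbean describes, using the addresses from the original post; the LAN interface name eth1 and the LAN prefix 192.168.1.0/24 are assumptions, since the thread never names them. It also adds the step the reply leaves out: a second DNAT rule on the LAN interface only redirects the client's SYN, but the server then answers the LAN client directly from 192.168.1.6, the client expected a reply from 67.109.203.170, and the connection is reset. Masquerading the hairpinned flow on the way out to the server forces the reply back through the firewall, where conntrack undoes the DNAT.

```shell
#!/bin/sh
# Added example, not from the thread: hairpin NAT for the setup described
# above. Values from the original post: eth0 / 67.109.203.170 (public side)
# and 192.168.1.6:4000 (internal server). Assumed: eth1 is the LAN interface
# and the LAN is 192.168.1.0/24.
PUB_IF=eth0             # public interface, holds 67.109.203.170
LAN_IF=eth1             # assumed LAN interface name
PUB_IP=67.109.203.170
LAN_NET=192.168.1.0/24  # assumed LAN prefix
SRV=192.168.1.6         # internal Windows server
PORT=4000

# Emit the rule set as text so it can be reviewed before it is applied
# (hairpin_rules | sh on the firewall). Requires net.ipv4.ip_forward=1.
hairpin_rules() {
    cat <<EOF
# 1. Outside -> server: the DNAT rule from the original post.
iptables -t nat -A PREROUTING -i $PUB_IF -p tcp -d $PUB_IP --dport $PORT -j DNAT --to-destination $SRV
# 2. LAN -> public IP: the same DNAT, matched on the LAN interface instead.
iptables -t nat -A PREROUTING -i $LAN_IF -p tcp -s $LAN_NET -d $PUB_IP --dport $PORT -j DNAT --to-destination $SRV
# 3. The hairpin half: rewrite the LAN client's source address to the
#    firewall's LAN-side address so the server replies via the firewall,
#    which then un-DNATs the reply. Without this the server answers the
#    client directly from 192.168.1.6 and the client resets the connection.
iptables -t nat -A POSTROUTING -o $LAN_IF -p tcp -s $LAN_NET -d $SRV --dport $PORT -j MASQUERADE
# 4. Allow the forwarded flows: new connections from either side to the
#    server port only, and replies by connection state.
iptables -A FORWARD -i $PUB_IF -o $LAN_IF -p tcp -d $SRV --dport $PORT -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $LAN_IF -p tcp -d $SRV --dport $PORT -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# After applying, the packet counters on the two PREROUTING DNAT rules show
# which path (public or hairpin) a test connection actually took.
show_counters() {
    iptables -t nat -L PREROUTING -v -n
}

# Print the rules; pipe the output through sh to apply them on the firewall.
hairpin_rules
```

Two things to keep in mind when using this: the hairpin MASQUERADE hides the real LAN client address from the server, so its logs will show every internal connection as coming from the firewall's LAN-side address, and the FORWARD rules are deliberately limited to the one server port rather than accepting everything from the LAN interface.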

