Complete situation
xxx.xxx.xxx.xxx - my external IP
xxx.xxx.xxx.0 - ISP network
xxx.xxx.xxx.1 - ISP gateway
dns.dns.dns.dns - ISP DNS
10.11.12.0 - my local (internal) network
10.11.12.13 - my internal IP (Debian machine, the router)
10.11.12.14 - my other computer (Vista machine, to which I want to forward packets)
eth0 - internal interface (local network)
eth1 - external interface
in /proc/sys/net/ipv4/ip_forward
1
in /etc/sysctl.conf
net.ipv4.conf.default.forwarding=1
net.ipv4.ip_forward = 1
ifconfig -a
eth0      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          inet addr:10.11.12.13  Bcast:10.11.12.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3997 errors:0 dropped:0 overruns:69 frame:0
          TX packets:4965 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:652783 (637.4 KiB)  TX bytes:4246737 (4.0 MiB)
          Interrupt:177 Base address:0x4c00
eth1      Link encap:Ethernet  HWaddr yy:yy:yy:yy:yy:yy
          inet addr:xxx.xxx.xxx.xxx  Bcast:xxx.xxx.xxx.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:21830 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6528 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:6875496 (6.5 MiB)  TX bytes:1152166 (1.0 MiB)
          Interrupt:169 Base address:0xd800
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:4046 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4046 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1270416 (1.2 MiB)  TX bytes:1270416 (1.2 MiB)
sit0      Link encap:IPv6-in-IPv4
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
xxx.xxx.xxx.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.11.12.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         xxx.xxx.xxx.1   0.0.0.0         UG    0      0        0 eth1
I use this script:
#!/bin/sh
EXT=eth1
INT=eth0
# Flush all chains in the filter, nat and mangle tables and delete user-defined chains
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT
# Accept replies to connections the router itself opened
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Accept new connections to the router on every interface except the external one
iptables -A INPUT -m state --state NEW ! -i $EXT -j ACCEPT
# Accept replies from outside to connections opened from the internal network
iptables -A FORWARD -i $EXT -o $INT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Accept outgoing packets from internal network
iptables -A FORWARD -i $INT -o $EXT -j ACCEPT
iptables -t nat -A POSTROUTING -o $EXT -j MASQUERADE
# TTL settings
iptables -t mangle -A PREROUTING -i $EXT -j TTL --ttl-inc 1
iptables -t mangle -A POSTROUTING -s 10.11.12.0/24 -o $EXT -j TTL --ttl-set 64
# port 8080 to port 80: rewrite the destination of packets arriving on the external interface, then allow them through
iptables -t nat -A PREROUTING -p tcp -i $EXT -d xxx.xxx.xxx.xxx --dport 8080 -j DNAT --to 10.11.12.14:80
iptables -A FORWARD -p tcp -i $EXT -d 10.11.12.14 --dport 80 -j ACCEPT
end of script
iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0            state NEW

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            10.11.12.14          tcp dpt:80

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            xxx.xxx.xxx.xxx      tcp dpt:8080 to:10.11.12.14:80

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE 0    --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
iptables -t mangle -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
TTL        0    --  0.0.0.0/0            0.0.0.0/0            TTL increment by 1

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
TTL        0    --  10.11.12.0/24        0.0.0.0/0            TTL set to 64
the internal machine (which uses Vista)
ipconfig -all
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : 10/100 Ethernet
Physical Address. . . . . . . . . : xx-xx-xx-xx-xx-xx
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.11.12.14(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.11.12.13
DNS Servers . . . . . . . . . . . : dns.dns.dns.dns
NetBIOS over Tcpip. . . . . . . . : Enabled
when I type
http://10.11.12.14:80 I see index.html on the internal machine
when I type
http://xxx.xxx.xxx.xxx:80 I see index.html on the external machine
when I type
http://xxx.xxx.xxx.xxx:8080 I see index.html on the external machine again, but not index.html on the internal machine
(my external machine listens on both ports 80 and 8080; the internal one only on 80)
I think there is a problem with this line in the routing table
10.11.12.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
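Added example, not the poster's script: the same router rule set rebuilt with default-deny INPUT and FORWARD policies (the listing above shows "policy ACCEPT", so the ACCEPT rules there never actually restrict anything), with the forwarded port limited to a single FORWARD rule, and with the nat OUTPUT rule that a connection made from the router itself to its own public address on port 8080 needs, because locally generated packets never pass the PREROUTING chain. EXT_IP is an assumed placeholder for xxx.xxx.xxx.xxx; setting IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not the poster's script: the same router rule set with
# default-deny policies. EXT_IP is an assumed placeholder for the router's
# public address (xxx.xxx.xxx.xxx in the question).
IPT="${IPT:-iptables}"          # set IPT=echo to print rules instead of applying them
EXT=eth1
INT=eth0
EXT_IP="${EXT_IP:-192.0.2.10}"  # placeholder public address (RFC 5737 range)
TARGET=10.11.12.14

apply_rules() {
    $IPT -F; $IPT -t nat -F; $IPT -t mangle -F; $IPT -X
    # The poster's listing shows "policy ACCEPT" on INPUT and FORWARD, which
    # makes every ACCEPT rule below redundant; deny by default instead.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state NEW ! -i "$EXT" -j ACCEPT
    # Internal network out to the Internet, replies back in
    $IPT -A FORWARD -i "$INT" -o "$EXT" -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$EXT" -j MASQUERADE
    # Port forward EXT_IP:8080 -> TARGET:80 for packets arriving from outside
    $IPT -t nat -A PREROUTING -i "$EXT" -p tcp -d "$EXT_IP" --dport 8080 \
        -j DNAT --to-destination "$TARGET:80"
    # Only the forwarded port may reach the target from outside
    $IPT -A FORWARD -i "$EXT" -o "$INT" -p tcp -d "$TARGET" --dport 80 \
        -m state --state NEW -j ACCEPT
    # Packets the router itself sends to EXT_IP:8080 never pass PREROUTING,
    # so a test run from the router needs the DNAT in the nat OUTPUT chain too.
    $IPT -t nat -A OUTPUT -p tcp -d "$EXT_IP" --dport 8080 \
        -j DNAT --to-destination "$TARGET:80"
}

# Number of generated rules containing a token, e.g. rule_count DNAT -> 2
rule_count() {
    ( IPT=echo; apply_rules ) | grep -c -- "$1"
}

if [ "${1-}" = "apply" ]; then
    apply_rules
fi
```

Run it as root with the argument "apply" to load the rules; without it the script only defines the functions, so it can be sourced and inspected safely.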