LinuxQuestions.org
Old 12-02-2001, 05:03 PM   #1
didget
LQ Newbie
 
Registered: Dec 2001
Posts: 8

Rep: Reputation: 0
iptables-nat problems


Hi, I'm having some trouble w/ getting iptables to work on Red Hat 7.2
2.4.2-2 kernel, iptables-1.2.1a-1

I'm doing something very simple, just trying to get it to forward port 80 to an inside IP (10.0.0.55)
from an outside IP. I scripted my setup below, and I can't see anything wrong; I copied the iptables command
directly from the NAT 2.4 kernel HOWTO. Any ideas? I've been dealing w/ this problem for a month and have totally run into a wall.
thanks,
didget


Script started on Sun Dec 2 16:06:09 2001
[root@localhost bin]# lsmod
Module Size Used by
ipt_LOG 3856 0 (unused)
ip_conntrack_ftp 2448 0 (unused)
iptable_filter 2240 0 (autoclean) (unused)
iptable_nat 15968 0 (autoclean) (unused)
ip_conntrack 15824 2 (autoclean) [ip_conntrack_ftp iptable_nat]
ip_tables 11488 5 [ipt_LOG iptable_filter iptable_nat]
autofs 11136 1 (autoclean)
3c59x 25312 2 (autoclean)
[root@localhost bin]# iptalbles -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@localhost bin]# iptables -t -nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@localhost bin]# iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to 10.0.0.55:80
[root@localhost bin]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:http to:10.0.0.55:80

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
 
Old 12-03-2001, 05:59 AM   #2
hurtsman
LQ Newbie
 
Registered: Nov 2001
Posts: 12

Rep: Reputation: 0
Re: iptables-nat problems

hi,
you do " sysctl -w net.ipv4/ip_forward=1" or echo "1" >/proc/sys/net/ipv4/ip_forward.
 
Old 12-03-2001, 10:07 AM   #3
didget
LQ Newbie
 
Registered: Dec 2001
Posts: 8

Original Poster
Rep: Reputation: 0
Yep, the /proc/sys/net/ipv4/ip_forward is set to 1...still stuck
 
Old 12-03-2001, 11:13 AM   #4
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
iptables -F
iptables -X
iptables -F -t nat
iptables -P INPUT ACCEPT
iptables -P PREROUTING ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

iptables -A INPUT -p TCP -m state --state NEW --destination-port 80 -j LOG --log-prefix "HTTP inbound: "
iptables -A INPUT -p TCP -m state --state NEW --destination-port 80 -j ACCEPT
iptables -A PREROUTING -p TCP -m state --state NEW --destination-port 80 -j ACCEPT

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to-destination 10.0.0.55:80

----------------
Test it and if it doesn't work check the log file.
Also make sure -i eth0 is the external interface card.
Otherwise your script looks correct to me.
You don't need the Accept rules but leave them just in case.

/Raz
 
Old 12-05-2001, 11:37 AM   #5
didget
LQ Newbie
 
Registered: Dec 2001
Posts: 8

Original Poster
Rep: Reputation: 0
ok, raz I tried your rules and still no luck. Do you know how I should set up syslogd or dmesg to get the logs I need?

here's what I got from dmesg
NAT: 0 dropping untracked packet c35ea200 1 63.66.136.123 -> 10.0.0.2
NAT: 0 dropping untracked packet c35ea200 1 63.66.136.123 -> 10.0.0.2
NAT: 0 dropping untracked packet c35ea200 1 63.66.136.123 -> 10.0.0.2
NAT: 0 dropping untracked packet c360a140 1 63.66.136.123 -> 10.0.0.2

but nothing from the IP I'm trying to connect from, and nothing about the outside IP (eth0)? I also know it's nothing physical because I can connect to my inside IP through the firewall w/ lynx.

jbrandis, did you figure anything out?
 
Old 12-10-2001, 09:55 AM   #6
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
ok,

I've installed iptables on my box so I can test this better. "Should have done that a long time ago."

Right, get rid of all your other scripts and run this script.
I don't know the output from ifconfig, so let's say your external real IP address is on eth0.

run me
----------
/sbin/depmod -a
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ipt_owner
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -X
iptables -F -t nat
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

# fill in your external ip address below (-d your_external_ipaddress )

iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 1024:65535 -d your_external_ipaddress --dport 80 -j LOG --log-level info --log-prefix "** INCOMING HTTP **"

iptables -A OUTPUT -i eth0 -p tcp -s your_external_ipaddress --sport 80 -d 0/0 --dport 1024:65535 -j LOG --log-level info --log-prefix "** OUTGOING HTTP **"

iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to 10.0.0.55:80

iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j LOG --log-level info --log-prefix "** PREROUTE HTTP **"

--------------
Try this, it should log what's happening in /var/log/messages

The "dropping untracked packet" message is caused because Multicast or Broadcast requests are trying to go through the connection tracking module for prerouting.
These will stop if you put rules in to stop them from entering the prerouted tables.

/Raz
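As an added example that is not part of the thread, the script below builds the port-80 DNAT from the first post together with logging rules placed where the forwarded packets actually pass. Two details of rule placement matter for the logging approach in the script above: DNAT is a terminating target, so a LOG rule appended after it in the nat PREROUTING chain is never reached, and once the destination has been rewritten to 10.0.0.55 the routing decision sends the packet through the FORWARD chain rather than INPUT, so INPUT and OUTPUT rules keyed on the external address do not see that traffic. The numeric log level 6 is the syslog info priority and avoids the log-level name error quoted later in the thread. EXT_IF, EXT_IP and the check_forwarding helper are assumptions made for the example; the rules are emitted as text so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example, not code from the thread: generates the port-80 DNAT rule set
# from the first post together with LOG rules placed where forwarded packets
# actually pass.  EXT_IF and EXT_IP are assumed placeholders; 10.0.0.55 is the
# internal web server named in the thread.
EXT_IF="${EXT_IF:-eth0}"            # assumed: the external interface
EXT_IP="${EXT_IP:-203.0.113.10}"    # constructed placeholder for the public address
INT_HOST="${INT_HOST:-10.0.0.55}"   # internal server from the thread
PORT="${PORT:-80}"
IPT="${IPT:-/sbin/iptables}"        # set IPT=echo to review the commands without applying them

# Emit the rules as text rather than running them, so they can be reviewed
# first; "port_forward_rules | sh" as root applies them.  Only the two chains
# this script manages are flushed.
port_forward_rules() {
    cat <<EOF
$IPT -t nat -F PREROUTING
$IPT -F FORWARD
# Log the first packet of each new connection BEFORE it is rewritten.  DNAT is a
# terminating target, so a LOG rule appended after it in nat/PREROUTING never runs.
$IPT -t nat -A PREROUTING -i $EXT_IF -p tcp -d $EXT_IP --dport $PORT -j LOG --log-level 6 --log-prefix "PREROUTE HTTP: "
$IPT -t nat -A PREROUTING -i $EXT_IF -p tcp -d $EXT_IP --dport $PORT -j DNAT --to-destination $INT_HOST:$PORT
# After DNAT the destination is $INT_HOST, so the routing decision sends the
# packet through FORWARD, not INPUT: log and accept it there.
$IPT -A FORWARD -i $EXT_IF -p tcp -d $INT_HOST --dport $PORT -m state --state NEW -j LOG --log-level 6 --log-prefix "FORWARD HTTP: "
$IPT -A FORWARD -i $EXT_IF -p tcp -d $INT_HOST --dport $PORT -m state --state NEW -j ACCEPT
# Replies and related traffic in either direction.
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Forwarding must be on or DNATed packets are dropped after PREROUTING.
# Takes the sysctl file path as an argument so it can be checked against a copy.
check_forwarding() {
    path="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$path" ] && [ "$(cat "$path")" = "1" ]
}

if [ "${1:-}" = "apply" ]; then
    check_forwarding || { echo "ip_forward is not 1; enable it first" >&2; exit 1; }
    port_forward_rules | sh
else
    port_forward_rules
fi
```

Run the script with no arguments (or with IPT=echo) to print the commands; run it with `apply` as root to install them. Because the rules match `-i eth0`, a browser on the 10.0.0.0 LAN never exercises them: test from a host outside the firewall, and confirm that 10.0.0.55's default route points back at the firewall so replies return through it.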
 
Old 12-10-2001, 01:27 PM   #7
didget
LQ Newbie
 
Registered: Dec 2001
Posts: 8

Original Poster
Rep: Reputation: 0
still nuthin

iptables v1.2.3: log-level `info' ambiguous
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.3: log-level `info' ambiguous
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.3: log-level `info' ambiguous
Try `iptables -h' or 'iptables --help' for more information.

-the error I get from your script. Did it work on your setup?
 
Old 12-11-2001, 04:33 AM   #8
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
Hummm....

type this:
cat /etc/syslog.conf | grep info

does it show you:
*.info;mail.none;authpriv.none;cron.none /var/log/messages

if not then change "info" to something in your syslog.conf file that logs to /var/log/messages file.

Change the line as I put a -i instead of -o in it:
iptables -A OUTPUT -i eth0 -p tcp -s your_external_ipaddress --sport 80 -d 0/0 --dport 1024:65535 -j LOG --log-level info --log-prefix "** OUTGOING HTTP **"

change to

iptables -A OUTPUT -o eth0 -p tcp -s your_external_ipaddress --sport 80 -d 0/0 --dport 1024:65535 -j LOG --log-level info --log-prefix "** OUTGOING HTTP **"

Otherwise this works on my Linux 7.1 setup with no errors.

Also try and supply us with more info on the design of your internal network, like the routing tables and ifconfig outputs etc etc etc.

/Raz
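Once the LOG rules fire, the entries land in /var/log/messages alongside everything else logged at the info level, so it helps to have something that pulls them out. The following is an added example, not code from the thread: two small functions that summarise iptables LOG lines per source address and destination port, and count the "dropping untracked packet" lines didget saw in dmesg. The log lines embedded in it are constructed to follow the kernel's LOG format (IN= OUT= SRC= DST= ... PROTO= SPT= DPT=) with the kind of prefix names used by the rules in this thread; the hostname, addresses and MAC addresses in the sample are made up.

```shell
#!/bin/sh
# Added example, not code from the thread: summarise iptables LOG output and
# conntrack "dropping untracked packet" lines from syslog.  The sample below
# is constructed; real input comes from "grep ' kernel: ' /var/log/messages".
SAMPLE_LOG='Dec 10 14:02:11 fw kernel: PREROUTE HTTP: IN=eth0 OUT= MAC=00:50:04:aa:bb:cc:00:d0:59:11:22:33:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=9913 DF PROTO=TCP SPT=33412 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 10 14:02:14 fw kernel: PREROUTE HTTP: IN=eth0 OUT= MAC=00:50:04:aa:bb:cc:00:d0:59:11:22:33:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=9914 DF PROTO=TCP SPT=33413 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 10 14:02:20 fw kernel: PREROUTE HTTP: IN=eth0 OUT= MAC=00:50:04:aa:bb:cc:00:d0:59:44:55:66:08:00 SRC=192.0.2.44 DST=203.0.113.10 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=2087 DF PROTO=TCP SPT=4021 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Dec 10 14:02:21 fw kernel: NAT: 0 dropping untracked packet c35ea200 1 63.66.136.123 -> 10.0.0.2
Dec 10 14:02:25 fw kernel: FORWARD DROP: IN=eth0 OUT= MAC=00:50:04:aa:bb:cc:00:d0:59:44:55:66:08:00 SRC=192.0.2.44 DST=203.0.113.10 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=2088 DF PROTO=TCP SPT=4022 DPT=443 WINDOW=16384 RES=0x00 SYN URGP=0'

# Read LOG lines on stdin and print "SRC DPT count", one line per pair, sorted.
# Only the SRC= and DPT= fields are used, so the rule prefix does not matter.
log_hits_by_source() {
    awk '
        / kernel: / && /IN=/ && /SRC=/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "") hits[src " " dpt]++
        }
        END { for (k in hits) print k, hits[k] }
    ' | sort
}

# Count the conntrack "dropping untracked packet" lines per "SRC -> DST" pair;
# the addresses are the last three fields of the message.
untracked_drops() {
    awk '
        /dropping untracked packet/ { pairs[$(NF-2) " -> " $NF]++ }
        END { for (k in pairs) print k, pairs[k] }
    ' | sort
}

echo "LOG hits (source, destination port, count):"
printf '%s\n' "$SAMPLE_LOG" | log_hits_by_source
echo "Untracked packets dropped by NAT:"
printf '%s\n' "$SAMPLE_LOG" | untracked_drops
```

Against a real system, replace the sample with `grep ' kernel: ' /var/log/messages | log_hits_by_source`. A source that shows up under "PREROUTE HTTP" but never under "FORWARD HTTP" points at the forwarding path (ip_forward, the FORWARD chain, or the internal host's return route) rather than at the DNAT rule itself.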
 
Old 12-13-2001, 02:15 PM   #9
didget
LQ Newbie
 
Registered: Dec 2001
Posts: 8

Original Poster
Rep: Reputation: 0
It does give that response but I still get the same error. Could you possibly email me then we could meet and compare notes? I followed your steps to a T, and also have like four other BBSs trying to help me out. I also set up another box w/ a similar setup except ipchains and RH 6.2. Still nuthin. It's not a difficult concept, I think I'm just missing something minor.
All times are GMT -5.