[CentOS] Port Forwarding woes

Mon Apr 27 16:21:24 UTC 2009
Bo Lynch <blynch at ameliaschools.com>

On Mon, April 27, 2009 12:01 pm, Dan Carl wrote:
> Bo Lynch wrote:
>> I'm having some port forwarding issues with iptables.
>> We are using iptables as a firewall with 2 NICs and one IP alias.
>> I'm trying to port forward on the alias ip
>> eth0 = 65.x.x.1
>> eth0:1 = 65.x.x.2
>> eth1 = 192.168.x.x
>>
>> I'm wanting to forward certain ports (80, 5071, etc.) that make requests on
>> eth0:1 IP 65.x.x.2 to forward to internal IP 192.168.x.x. I have set up the
>> following rules but I must be doing something wrong.
>> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 65.x.x.2 --dport 80 -j DNAT --to-destination 192.168.x.x:80
>> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 65.x.x.2 --dport 5071 -j DNAT --to-destination 192.168.x.x:5071
>> iptables -A FORWARD -p tcp -i eth0 -d 192.168.x.x --dport 80 -j ACCEPT
>> iptables -A FORWARD -p tcp -i eth0 -d 192.168.x.x --dport 5071 -j ACCEPT
>>
>> Any help would be greatly appreciated.
>> Thanks
>>
> Try
>
> iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.x.x --dport 80 -j ACCEPT
> iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.x.x --dport 5071 -j ACCEPT
>
>
>
Tried that with no luck. Here is what my NAT looks like.
[root at localhost ~]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             65.161.127.70       tcp dpt:http to:192.168.1.3:80
DNAT       tcp  --  anywhere             65.161.127.70       tcp dpt:powerschool to:192.168.1.3:5071
DNAT       tcp  --  anywhere             65.161.127.70       tcp dpt:timbuktu to:192.168.1.3:407
DNAT       tcp  --  anywhere             65.161.127.70       tcp dpt:timbuktu-srv1 to:192.168.1.3:1417
DNAT       tcp  --  anywhere             65.161.127.70       tcp dpt:timbuktu-srv2 to:192.168.1.3:1418
DNAT       tcp  --  anywhere             65.161.127.70       tcp dpt:timbuktu-srv3 to:192.168.1.3:1419
DNAT       tcp  --  anywhere             65.161.127.70       tcp dpt:timbuktu-srv4 to:192.168.1.3:1420
DNAT       tcp  --  anywhere             65.161.127.70       tcp dpt:7880 to:192.168.1.3:7880
DNAT       tcp  --  anywhere             65.161.127.70       tcp dpt:https to:192.168.1.3:443
DNAT       udp  --  anywhere             65.161.127.70       udp dpt:timbuktu to:192.168.1.3:407
DNAT       udp  --  anywhere             65.161.127.70       udp dpt:timbuktu-srv1 to:192.168.1.3:1417
DNAT       udp  --  anywhere             65.161.127.70       udp dpt:timbuktu-srv2 to:192.168.1.3:1418
DNAT       udp  --  anywhere             65.161.127.70       udp dpt:timbuktu-srv3 to:192.168.1.3:1419
DNAT       udp  --  anywhere             65.161.127.70       udp dpt:timbuktu-srv4 to:192.168.1.3:1420
DNAT       udp  --  anywhere             65.161.127.70       udp dpt:7880 to:192.168.1.3:7880

To me it looks like it should work. When I try to do a telnet on the port
number I get a connection refused. Is using an alias a problem?
Bo Lynch
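The following is an added example, not code posted by anyone in this thread. It generates the complete set of iptables commands needed to forward selected TCP/UDP ports arriving on an aliased external address to one internal host, including the pieces the rules above do not show: a default-deny FORWARD policy, a connection-tracking rule for replies, and a check that the kernel has IP forwarding enabled. The interface names and addresses in the usage comment (eth0, 65.0.0.2, eth1, 192.168.1.3) are placeholders, not the poster's real configuration. The script prints the commands instead of running them, so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example (not from the thread): emit iptables commands that
# forward ports from an alias address on the external NIC to one
# internal host. Review the output, then apply it as root with sh.

# gen_forward_rules EXT_IF EXT_IP INT_IF INT_HOST proto/port [proto/port ...]
# Prints one iptables command per line. The alias (eth0:1) is just an
# extra address on eth0, so the PREROUTING match is "-i eth0 -d <alias>";
# iptables has no notion of an "eth0:1" interface.
gen_forward_rules() {
    ext_if=$1; ext_ip=$2; int_if=$3; int_host=$4
    shift 4

    # Least privilege: nothing crosses the box unless explicitly allowed,
    # and return traffic is admitted only via connection tracking.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"

    for spec in "$@"; do
        proto=${spec%%/*}
        port=${spec#*/}
        # nat/PREROUTING rewrites the destination before routing...
        echo "iptables -t nat -A PREROUTING -i $ext_if -p $proto -d $ext_ip --dport $port -j DNAT --to-destination $int_host:$port"
        # ...so filter/FORWARD sees the packet already addressed to the
        # internal host and must match on that address, leaving via eth1.
        echo "iptables -A FORWARD -i $ext_if -o $int_if -p $proto -d $int_host --dport $port -m state --state NEW -j ACCEPT"
    done
}

# ip_forward_enabled: DNAT rewrites the packet, but the kernel still has to
# be willing to route it between interfaces. Returns 0 when forwarding is on.
ip_forward_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Usage (placeholder addresses; run as root only after reviewing the output):
#   gen_forward_rules eth0 65.0.0.2 eth1 192.168.1.3 tcp/80 tcp/443 tcp/5071 udp/407 > /tmp/fwd.sh
#   ip_forward_enabled || sysctl -w net.ipv4.ip_forward=1
#   sh /tmp/fwd.sh
#   iptables -t nat -L PREROUTING -n -v   # "pkts" column shows whether each DNAT rule is ever hit
```

Two checks worth doing when a forwarded port answers "connection refused": confirm that the PREROUTING rule's packet counter in `iptables -t nat -L PREROUTING -n -v` increases during the test, and make sure the test connection actually enters on eth0 from outside. A telnet run on the firewall itself goes through the nat OUTPUT chain rather than PREROUTING, and one run from a LAN host arrives on eth1, so neither exercises a rule written with `-i eth0`.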