<div class="gmail_quote">2009/4/28 Bo Lynch <span dir="ltr"><<a href="mailto:blynch@ameliaschools.com">blynch@ameliaschools.com</a>></span><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div><div></div><div class="h5">On Mon, April 27, 2009 12:01 pm, Dan Carl wrote:<br>
> Bo Lynch wrote:<br>
>> I'm having some port forwarding issues issues with iptables.<br>
>> We are using iptables as a firewall with 2 nics and on ip alias.<br>
>> I'm trying to port forward on the alias ip<br>
>> eth0 = 65.x.x.1<br>
>> eth0:1 = 65.x.x.2<br>
>> eth1 = 192.168.x.x<br>
>><br>
>> I'm wanting to forward certain ports(80,5071...etc) that makes request<br>
>> on<br>
>> eth0:1 IP 65.x.x.2 to forward to internal IP 192.168.x.x. I have setup<br>
>> the<br>
>> following rules but I must be doing something wrong.<br>
>> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 65.x.x.2 --dport 80 -j<br>
>> DNAT --to-destination 192.168.x.x:80<br>
>> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 65.x.x.2 --dport 5071 -j<br>
>> DNAT --to-destination 192.168.x.x:5071<br>
>> iptables -A FORWARD -p tcp -i eth0 -d 192.168.x.x --dport 80 -j ACCEPT<br>
>> iptables -A FORWARD -p tcp -i eth0 -d 192.168.x.x --dport 5071 -j ACCEPT<br>
>><br>
>> Any help would be greatly appreciated.<br>
>> Thanks<br>
>><br>
> Try<br>
><br>
> iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.x.x --dport 80 -j<br>
> ACCEPT<br>
> iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.x.x --dport 5071 -j<br>
> ACCEPT<br>
><br>
><br>
><br>
</div></div>Tried that with no luck. Here is what my NAT looks like.<br>
[root@localhost ~]# iptables -t nat -L<br>
Chain PREROUTING (policy ACCEPT)<br>
target prot opt source destination<br>
DNAT tcp -- anywhere 65.161.127.70 tcp dpt:http<br>
to:<a href="http://192.168.1.3:80" target="_blank">192.168.1.3:80</a><br>
</blockquote><div><br><snip><br> </div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">To me it looks like it should work. When I try and do a telnet on the port<br>
number I get a connection refused. Is using an alias a problem?<br></blockquote><div><br>It should, and does, work, even with an alias...<br><br>The fact you are getting connection refused suggests that the traffic is going somewhere and responses are getting back, rather than disappearing into a hole, which is good...<br>
Are you sure traffic to that address is getting to your eth0 interface and not going to another device or being blocked by your router?<br>Capturing traffic using tcpdump while testing would confirm this, i.e. tcpdump -i any -n port 5071 would show packets coming in on eth0 and going out on eth1 if everything is working, or only coming in on eth0 if something within this box is preventing forwarding, or nothing at all which would show that the traffic wasn't even making it to your machine...<br>
<br>d<br></div></div><br>