On Mon, April 27, 2009 12:50 pm, D Tucny wrote:
2009/4/28 Bo Lynch blynch@ameliaschools.com
On Mon, April 27, 2009 12:01 pm, Dan Carl wrote:
Bo Lynch wrote:
I'm having some port forwarding issues with iptables. We are using iptables as a firewall with 2 NICs and one IP alias. I'm trying to port forward on the alias IP:

eth0 = 65.x.x.1
eth0:1 = 65.x.x.2
eth1 = 192.168.x.x

I'm wanting to forward certain ports (80, 5071, etc.) that make requests on the eth0:1 IP 65.x.x.2 to the internal IP 192.168.x.x. I have set up the following rules but I must be doing something wrong.

iptables -t nat -A PREROUTING -p tcp -i eth0 -d 65.x.x.2 --dport 80 -j DNAT --to-destination 192.168.x.x:80
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 65.x.x.2 --dport 5071 -j DNAT --to-destination 192.168.x.x:5071
iptables -A FORWARD -p tcp -i eth0 -d 192.168.x.x --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 -d 192.168.x.x --dport 5071 -j ACCEPT
Any help would be greatly appreciated. Thanks
Try

iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.x.x --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.x.x --dport 5071 -j ACCEPT
Tried that with no luck. Here is what my NAT looks like.

[root@localhost ~]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             65.161.127.70        tcp dpt:http to:192.168.1.3:80
<snip>
To me it looks like it should work. When I try to telnet to the port number I get a connection refused. Is using an alias a problem?
It should, and does, work, even with an alias...
The fact you are getting connection refused suggests that the traffic is going somewhere and responses are getting back, rather than disappearing into a hole, which is good... Are you sure traffic to that address is getting to your eth0 interface and not going to another device or being blocked by your router? Capturing traffic using tcpdump while testing would confirm this, i.e.

tcpdump -i any -n port 5071

would show packets coming in on eth0 and going out on eth1 if everything is working, or only coming in on eth0 if something within this box is preventing forwarding, or nothing at all, which would show that the traffic wasn't even making it to your machine...
d
I think I found the culprit but not sure if by taking this out it will be a risk. When I remove this statement things work....

iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP

If I drop the NEW it works. Should I be concerned from a security standpoint?
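Added example, not code from anyone in the thread: a small script that generates the DNAT and FORWARD rules for the two-NIC setup above in an order that lets the generic NEW/INVALID drop stay in place. The interface names and the placeholder addresses (65.0.0.2 for the eth0:1 alias, 192.168.1.3 for the internal host) are assumptions standing in for the thread's 65.x.x.2 and 192.168.x.x. The point it shows is first-match ordering: a packet that has just been DNAT'd in PREROUTING is still a NEW connection as far as conntrack is concerned when it reaches FORWARD, so a catch-all "-i eth0 -m state --state NEW,INVALID -j DROP" that sits above the per-port ACCEPTs matches first and the ACCEPTs are never reached. Putting the explicit ACCEPTs (restricted to -o eth1 and the internal host) above the drop gives the forward without opening eth0 to every new inbound connection.

```shell
#!/bin/sh
# Added example, not from the thread: generate the DNAT + FORWARD rules for the
# two-NIC firewall discussed above, ordered so the generic NEW/INVALID drop can
# stay.  Interface names and addresses are assumptions standing in for the
# thread's eth0:1 = 65.x.x.2 and 192.168.x.x.
WAN_IF=eth0
LAN_IF=eth1
ALIAS_IP=65.0.0.2       # assumed public alias on eth0:1
SERVER_IP=192.168.1.3   # assumed internal server
PORTS="80 5071"

# Print one iptables argument list per line, in application order.  Emitting
# text instead of calling iptables directly lets the order be reviewed (and
# checked) before it touches a live box.
forward_rules() {
    # nat/PREROUTING: rewrite the destination before the routing decision.
    for p in $PORTS; do
        echo "-t nat -A PREROUTING -p tcp -i $WAN_IF -d $ALIAS_IP --dport $p -j DNAT --to-destination $SERVER_IP:$p"
    done
    # filter/FORWARD, first match wins:
    # 1. replies and related traffic for flows that were already allowed
    echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # 2. the DNAT'd services.  After DNAT the first packet is still state NEW,
    #    so these must sit above the catch-all drop or they never match.
    for p in $PORTS; do
        echo "-A FORWARD -p tcp -i $WAN_IF -o $LAN_IF -d $SERVER_IP --dport $p -m state --state NEW -j ACCEPT"
    done
    # 3. everything else new or invalid arriving on the WAN side is dropped
    echo "-A FORWARD -i $WAN_IF -m state --state NEW,INVALID -j DROP"
}

# Apply the generated rules; xargs returns non-zero if any iptables call fails.
apply_rules() {
    forward_rules | xargs -L 1 iptables
}

# Return 0 when the ACCEPT for the given port precedes the catch-all DROP,
# i.e. when a new connection to that port would actually be forwarded.
accept_precedes_drop() {
    forward_rules | awk -v port="$1" '
        $0 ~ ("--dport " port " .*-j ACCEPT") && !drop { seen = 1 }
        /--state NEW,INVALID -j DROP/                   { drop = 1 }
        END { if (seen && drop) exit 0; exit 1 }'
}

# The check suggested in the thread: with the rules in place, a capture on
# "any" should show the SYN arriving on eth0 and leaving again on eth1.
watch_forward() {
    tcpdump -i any -n "tcp port $1"
}
```

On a current kernel "-m conntrack --ctstate" replaces "-m state --state" with the same NEW/ESTABLISHED semantics. If the DROP is already in the chain (for example from an init script) and the ACCEPTs are later added with -A, they land below it and lose; use "iptables -I FORWARD <n>" to insert above the drop, or rebuild the chain in the order shown.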