muiz wrote:
Dear all, Below is my iptables default settings: (only open port 22 and 8080 (webcache))
[root@localhost ~]# /sbin/iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT icmp -- anywhere anywhere ACCEPT all -- anywhere anywhere ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:webcache REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT) target prot opt source destination REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT) target prot opt source destination
To Ljubomir: The remote server a.b.c.d services port 8181. And local server forward its port 8080 to remote 8181.
At 2011-06-27��"Ljubomir Ljubojevic" office@plnet.rs wrote:
Marian Marinov wrote:
On Monday 27 June 2011 07:15:33 muiz wrote:
Marian, I'm very happy you're online :)I think I have try the record you mention just now. And I would like to clear what I have done (the scripts I test):/sbin/iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 8080 --to a.b.c.d:8181 /sbin/iptables -t nat -A POSTROUTING -j SNAT -s 192.168.0.0/255.255.255.0 --to 192.168.1.250 echo 1 > /proc/sys/net/ipv4/ip_fowardThen it's not to work!
You have to have some other iptables rules that block the traffic since this has to work.
Marian
At 2011-06-27��"Marian Marinov" mm@yuhu.biz wrote:
On Monday 27 June 2011 06:50:27 muiz wrote:
Dear Marian and all,
It seems don't works: /sbin/iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 8080 --to a.b.c.d:8181 /sbin/iptables -t nat -A POSTROUTING -j SNAT -s 192.168.0.0/255.255.255.0 --to a.b.c.d echo 1 > /proc/sys/net/ipv4/ip_foward
Yup, its normal not to work... You got the SNAT rule wrong :)
It should be to the IP of the server that is DOING the forwarding...
so
/sbin/iptables -t nat -A POSTROUTING -j SNAT -s 192.168.0.0/255.255.255.0 --to 192.168.1.250
Marian
I check the Fedora iptables setting: /etc/sysconfig/iptables files: ...
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth+ -p tcp --dport 8080 -j DNAT --to-destination a.b.c.d:8080 ....
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth+ -m state --state NEW -m tcp -p tcp -d a.b.c.d --dport 8080 -j ACCEPT
And more rules I add is : /sbin/iptables -t nat -A POSTROUTING -d a.b.c.d -p tcp --dport 8080 -j MASQUERADE
Then it works! But if I don't use system-config-firewall GUI tools, then how?
Thanks very much !
At 2011-06-27��"Marian Marinov" mm@yuhu.biz wrote: > On Monday 27 June 2011 00:08:08 muiz wrote: >> Thanks Marian, >> The server only has one IP. I think I should add more iptables >> records, only one NAT record is not enough,isit correct? If yes , >> then how? > Huh, I'm sorry yes you need a second rule. So the rules are: > iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 8080 --to > a.b.c.d:8181 iptables -t nat -A POSTROUTING -j SNAT -s > local_ip/local_net --to 192.168.1.250 > echo 1 > /proc/sys/net/ipv4/ip_foward > > The Source NAT(SNAT) rule is needed, cause otherwise the packaets that > reach a.b.c.d will be comming from the ip of the local client not > 192.168.1.250 and so 192.168.1.250 will never receive the replies from > a.b.c.d. > Since the packets reach the client directly from a.b.c.d, the client > will simply disregard them and will wait for packets comming from > .1.250. > > So the SNAT rule changes the SOURCE IP of the packets to 1.250 so > a.b.c.d will return the answares to the right source. > > Marian > >> 2011-06-26 23:38:58��"Marian Marinov" mm@yuhu.biz wrote�� >> >>> On Sunday 26 June 2011 12:53:07 muiz wrote: >>>> Dear all, >>>> >>>> I would like to forward a port to an internet server, but >>>> failed. can you >>>> >>>> help me? Server: eth0: 192.168.1.250, Port: 8080 TCP, CentOS 5.6 >>>> Remote server: IP: a.b.c.d Port: 8181 >>>> >>>> >>>> Forward path: client1(192.168.1.10) -> 192.168.1.250:8080 >>>> (forward) -> a.b.c.d Port: 8181 >>>> ----------------------------------------- In Fedora, I >>>> successfully to config the firewall using >>>> system-config-firewall and iptables command: 1. Run >>>> system-config-firewall >>>> >>>> 1.1 open local port 8080 >>>> 1.2 add a forward rule: local 8080 to remote a.b.c.d:8181, tcp >>>> >>>> 2. echo 1 > /proc/sys/net/ipv4/ip_foward >>>> 3. add a iptables rule: /sbin/iptables -t nat -A POSTROUTING -d >>>> a.b.c.d -p tcp --dport 8181 -j MASQUERADE That's all. >>>> >>>> >>>> >>>> >>>> Thanks ! >>> You have to use Destination NAT for the job: >>> >>> iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 8080 --to >>> a.b.c.d:8181 echo 1 > /proc/sys/net/ipv4/ip_foward >>> >>> If you have more then one IPs on the local machine its a good idea >>> to specify the destination -d 192.168.1.250 >>> >>> Marian >> _______________________________________________ >> CentOS mailing list >> CentOS@centos.org >> http://lists.centos.org/mailman/listinfo/centos
Actually, very BIG difference in two scripts is that on Fedora he redirects port 8080 to a.b.c.d 8080, but in OP he said a.b.c.d uses port 8181!!!
And if correction of the port does not help, then he can try with additional rule:
-A FORWARD -i eth+ -p tcp -d a.b.c.d --dport 8080 -j ACCEPT
Ljubomir _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Please do not top post, write your answers bellow the text, like us.
This is what you posted:
I check the Fedora iptables setting: /etc/sysconfig/iptables files:
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth+ -p tcp --dport 8080 -j DNAT --to-destination a.b.c.d:8080 ....
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth+ -m state --state NEW -m tcp -p tcp -d a.b.c.d --dport 8080 -j ACCEPT
"--to-destination a.b.c.d:8080" means your Fedora box is redirecting traffic to remote port 8080, not 8181 like you asked on this list.
Ljubomir