Dear all,

I would like to forward a port to an internet server, but failed. Can you help me?

Server: eth0: 192.168.1.250, Port: 8080 TCP, CentOS 5.6
Remote server: IP: a.b.c.d, Port: 8181

Forward path: client1 (192.168.1.10) -> 192.168.1.250:8080 (forward) -> a.b.c.d:8181
-----------------------------------------
In Fedora, I successfully configured the firewall using system-config-firewall and the iptables command:

1. Run system-config-firewall
   1.1 open local port 8080
   1.2 add a forward rule: local 8080 to remote a.b.c.d:8181, tcp
2. echo 1 > /proc/sys/net/ipv4/ip_forward
3. add an iptables rule:
   /sbin/iptables -t nat -A POSTROUTING -d a.b.c.d -p tcp --dport 8181 -j MASQUERADE

That's all.
Thanks !
On Sunday 26 June 2011 12:53:07 muiz wrote:
You have to use Destination NAT for the job:

iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 8080 --to a.b.c.d:8181
echo 1 > /proc/sys/net/ipv4/ip_forward

If you have more than one IP on the local machine, it's a good idea to specify the destination: -d 192.168.1.250
Marian
Thanks Marian. The server only has one IP. I think I should add more iptables records; only one NAT record is not enough, is it correct? If yes, then how?
2011-06-26 23:38:58,"Marian Marinov" mm@yuhu.biz wrote:
On Monday 27 June 2011 00:08:08 muiz wrote:
Huh, I'm sorry, yes you need a second rule. So the rules are:

iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 8080 --to a.b.c.d:8181
iptables -t nat -A POSTROUTING -j SNAT -s local_ip/local_net --to 192.168.1.250
echo 1 > /proc/sys/net/ipv4/ip_forward

The Source NAT (SNAT) rule is needed, because otherwise the packets that reach a.b.c.d will be coming from the IP of the local client, not 192.168.1.250, and so 192.168.1.250 will never receive the replies from a.b.c.d. Since the packets reach the client directly from a.b.c.d, the client will simply disregard them and will wait for packets coming from .1.250.
So the SNAT rule changes the SOURCE IP of the packets to .1.250 so a.b.c.d will return the answers to the right source.
Marian
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Dear Marian and all,

It seems it doesn't work:

/sbin/iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 8080 --to a.b.c.d:8181
/sbin/iptables -t nat -A POSTROUTING -j SNAT -s 192.168.0.0/255.255.255.0 --to a.b.c.d
echo 1 > /proc/sys/net/ipv4/ip_forward

I checked the Fedora iptables settings in the /etc/sysconfig/iptables file:

...
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth+ -p tcp --dport 8080 -j DNAT --to-destination a.b.c.d:8080
....
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth+ -m state --state NEW -m tcp -p tcp -d a.b.c.d --dport 8080 -j ACCEPT

And one more rule I added is:

/sbin/iptables -t nat -A POSTROUTING -d a.b.c.d -p tcp --dport 8080 -j MASQUERADE

Then it works! But if I don't use the system-config-firewall GUI tool, then how?
Thanks very much !
On Monday 27 June 2011 06:50:27 muiz wrote:
Yup, it's normal not to work... You got the SNAT rule wrong :)
It should be to the IP of the server that is DOING the forwarding...
so

/sbin/iptables -t nat -A POSTROUTING -j SNAT -s 192.168.0.0/255.255.255.0 --to 192.168.1.250
Marian
Marian, I'm very happy you're online :) I think I have tried the record you mentioned just now. And I would like to make clear what I have done (the scripts I tested):

/sbin/iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 8080 --to a.b.c.d:8181
/sbin/iptables -t nat -A POSTROUTING -j SNAT -s 192.168.0.0/255.255.255.0 --to 192.168.1.250
echo 1 > /proc/sys/net/ipv4/ip_forward

Then it does not work!
On Monday 27 June 2011 07:15:33 muiz wrote:
You have to have some other iptables rules that block the traffic, since this has to work.
Marian
Marian Marinov wrote:
Actually, a very BIG difference between the two scripts is that on Fedora he redirects port 8080 to a.b.c.d 8080, but in the OP he said a.b.c.d uses port 8181!!!
And if correcting the port does not help, then he can try with an additional rule:
-A FORWARD -i eth+ -p tcp -d a.b.c.d --dport 8080 -j ACCEPT
Ljubomir
Dear all,

Below are my default iptables settings (only ports 22 and 8080 (webcache) are open):

[root@localhost ~]# /sbin/iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:webcache
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

To Ljubomir: The remote server a.b.c.d serves port 8181, and the local server forwards its port 8080 to remote 8181.
muiz wrote:
Dear all, Below is my iptables default settings: (only open port 22 and 8080 (webcache))
[root@localhost ~]# /sbin/iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT icmp -- anywhere anywhere ACCEPT all -- anywhere anywhere ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:webcache REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT) target prot opt source destination REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT) target prot opt source destination
To Ljubomir: The remote server a.b.c.d services port 8181. And local server forward its port 8080 to remote 8181.
At 2011-06-27��"Ljubomir Ljubojevic" office@plnet.rs wrote:
Marian Marinov wrote:
On Monday 27 June 2011 07:15:33 muiz wrote:
Marian, I'm very happy you're online :)I think I have try the record you mention just now. And I would like to clear what I have done (the scripts I test):/sbin/iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 8080 --to a.b.c.d:8181 /sbin/iptables -t nat -A POSTROUTING -j SNAT -s 192.168.0.0/255.255.255.0 --to 192.168.1.250 echo 1 > /proc/sys/net/ipv4/ip_fowardThen it's not to work!
You have to have some other iptables rules that block the traffic since this has to work.
Marian
At 2011-06-27��"Marian Marinov" mm@yuhu.biz wrote:
On Monday 27 June 2011 06:50:27 muiz wrote:
Dear Marian and all,
It seems don't works: /sbin/iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 8080 --to a.b.c.d:8181 /sbin/iptables -t nat -A POSTROUTING -j SNAT -s 192.168.0.0/255.255.255.0 --to a.b.c.d echo 1 > /proc/sys/net/ipv4/ip_foward
Yup, its normal not to work... You got the SNAT rule wrong :)
It should be to the IP of the server that is DOING the forwarding...
so
/sbin/iptables -t nat -A POSTROUTING -j SNAT -s 192.168.0.0/255.255.255.0 --to 192.168.1.250
Marian
I check the Fedora iptables setting: /etc/sysconfig/iptables files: ...
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth+ -p tcp --dport 8080 -j DNAT --to-destination a.b.c.d:8080 ....
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth+ -m state --state NEW -m tcp -p tcp -d a.b.c.d --dport 8080 -j ACCEPT
And more rules I add is : /sbin/iptables -t nat -A POSTROUTING -d a.b.c.d -p tcp --dport 8080 -j MASQUERADE
Then it works! But if I don't use system-config-firewall GUI tools, then how?
Thanks very much !
At 2011-06-27, "Marian Marinov" mm@yuhu.biz wrote:
> On Monday 27 June 2011 00:08:08 muiz wrote:
>> Thanks Marian,
>> The server only has one IP. I think I should add more iptables
>> records, only one NAT record is not enough, is it correct? If yes,
>> then how?
> Huh, I'm sorry, yes you need a second rule. So the rules are:
> iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 8080 --to a.b.c.d:8181
> iptables -t nat -A POSTROUTING -j SNAT -s local_ip/local_net --to 192.168.1.250
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> The Source NAT (SNAT) rule is needed, cause otherwise the packets that
> reach a.b.c.d will be coming from the IP of the local client, not
> 192.168.1.250, and so 192.168.1.250 will never receive the replies from
> a.b.c.d.
> Since the packets reach the client directly from a.b.c.d, the client
> will simply disregard them and will wait for packets coming from
> .1.250.
>
> So the SNAT rule changes the SOURCE IP of the packets to 1.250 so
> a.b.c.d will return the answers to the right source.
>
> Marian
>
>> 2011-06-26 23:38:58, "Marian Marinov" mm@yuhu.biz wrote:
>>
>>> On Sunday 26 June 2011 12:53:07 muiz wrote:
>>>> Dear all,
>>>>
>>>> I would like to forward a port to an internet server, but failed. Can you
>>>> help me? Server: eth0: 192.168.1.250, Port: 8080 TCP, CentOS 5.6
>>>> Remote server: IP: a.b.c.d Port: 8181
>>>>
>>>> Forward path: client1(192.168.1.10) -> 192.168.1.250:8080
>>>> (forward) -> a.b.c.d Port: 8181
>>>> -----------------------------------------
>>>> In Fedora, I successfully configured the firewall using
>>>> system-config-firewall and the iptables command:
>>>> 1. Run system-config-firewall
>>>> 1.1 open local port 8080
>>>> 1.2 add a forward rule: local 8080 to remote a.b.c.d:8181, tcp
>>>> 2. echo 1 > /proc/sys/net/ipv4/ip_forward
>>>> 3. add an iptables rule: /sbin/iptables -t nat -A POSTROUTING -d
>>>> a.b.c.d -p tcp --dport 8181 -j MASQUERADE
>>>> That's all.
>>>>
>>>> Thanks !
>>> You have to use Destination NAT for the job:
>>>
>>> iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 8080 --to a.b.c.d:8181
>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>
>>> If you have more than one IP on the local machine it's a good idea
>>> to specify the destination -d 192.168.1.250
>>>
>>> Marian
>> _______________________________________________
>> CentOS mailing list
>> CentOS@centos.org
>> http://lists.centos.org/mailman/listinfo/centos
Actually, the very BIG difference between the two scripts is that on Fedora he redirects port 8080 to a.b.c.d 8080, but in the OP he said a.b.c.d uses port 8181!!!
And if correcting the port does not help, then he can try an additional rule:
-A FORWARD -i eth+ -p tcp -d a.b.c.d --dport 8080 -j ACCEPT
Ljubomir
Please do not top post; write your answers below the text, like us.
This is what you posted:
I checked the Fedora iptables setting in the /etc/sysconfig/iptables file:
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth+ -p tcp --dport 8080 -j DNAT --to-destination a.b.c.d:8080 ....
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth+ -m state --state NEW -m tcp -p tcp -d a.b.c.d --dport 8080 -j ACCEPT
"--to-destination a.b.c.d:8080" means your Fedora box is redirecting traffic to remote port 8080, not 8181 like you asked on this list.
Ljubomir
On Monday, June 27, 2011 03:15 PM, Ljubomir Ljubojevic wrote:
muiz wrote:
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
Culprit right here. You need to allow connections to a.b.c.d.
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
To Ljubomir: The remote server a.b.c.d services port 8181, and the local server forwards its port 8080 to remote 8181.
Please do not top post; write your answers below the text, like us.
and TRIM!!!!
This is what you posted:
I checked the Fedora iptables setting in the /etc/sysconfig/iptables file:
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth+ -p tcp --dport 8080 -j DNAT --to-destination a.b.c.d:8080 ....
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth+ -m state --state NEW -m tcp -p tcp -d a.b.c.d --dport 8080 -j ACCEPT
"--to-destination a.b.c.d:8080" means your Fedora box is redirecting traffic to remote port 8080, not 8181 like you asked on this list.
Oh, dealing with it now are you?
On 06/27/11 12:05 AM, muiz wrote:
[root@localhost ~]# /sbin/iptables -L
Note that this doesn't show all the pertinent info. I prefer `iptables -L -vn`, and it still doesn't show the nat tables; you also need `iptables -L -vn -t nat` to see those chains, and `iptables -L -vn -t mangle` if you're using any mangle entries.
Dear all, Thanks very much for your kind help! I used the commands below to update the firewall, and it works now.
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -d 192.168.1.250 -p tcp -m tcp --dport 8080 -j DNAT --to-destination a.b.c.d:8181
iptables -t nat -A POSTROUTING -d a.b.c.d -p tcp --dport 8181 -j SNAT --to-source 192.168.1.250
At 2011-06-27,"John R Pierce" pierce@hogranch.com wrote:
On 06/27/11 12:05 AM, muiz wrote:
[root@localhost ~]# /sbin/iptables -L
Note that this doesn't show all the pertinent info. I prefer `iptables -L -vn`, and it still doesn't show the nat tables; you also need `iptables -L -vn -t nat` to see those chains, and `iptables -L -vn -t mangle` if you're using any mangle entries.
-- john r pierce N 37, W 122 santa cruz ca mid-left coast
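Added example, not code from the thread or from any of the posters: a small Python checker that reads an iptables-save dump (the parseable form Ljubomir argues for further down) and reports which of the three pieces of the forward muiz ended up with are missing: the DNAT in nat/PREROUTING, the SNAT or MASQUERADE in nat/POSTROUTING, and a FORWARD accept for the translated destination ahead of the stock REJECT that Christopher pointed at. The sample dumps are constructed, 203.0.113.7 stands in for the thread's a.b.c.d, and net.ipv4.ip_forward is not part of the dump so it is not checked.

```python
import re

def parse_iptables_save(text):
    """iptables-save output -> {table: {chain: [rule, ...]}} (policies and counters ignored)."""
    tables, table = {}, None
    for line in text.splitlines():
        if line.startswith("*"):                            # *nat, *filter ...
            table = tables.setdefault(line[1:].strip(), {})
        elif line.startswith(":") and table is not None:    # :FORWARD ACCEPT [0:0]
            table.setdefault(line[1:].split()[0], [])
        elif line.startswith("-A ") and table is not None:  # -A CHAIN <match> -j TARGET
            table.setdefault(line.split()[1], []).append(line.strip())
    return tables

def _opt(rule, name):
    """Value following option `name` (a /32 mask stripped), or None if the option is absent."""
    m = re.search(r"(?:^|\s)" + re.escape(name) + r"\s+(\S+)", rule)
    return re.sub(r"/32$", "", m.group(1)) if m else None

def check_forward(dump, local_ip, local_port, remote_ip, remote_port):
    """List what is missing for local_ip:local_port -> remote_ip:remote_port; [] means complete.
    Only -d, --dport and -j are inspected; chain policies and net.ipv4.ip_forward are not checked."""
    t = parse_iptables_save(dump)
    nat, fil = t.get("nat", {}), t.get("filter", {})
    want, problems = f"{remote_ip}:{remote_port}", []
    # 1. nat/PREROUTING must rewrite the local port to the remote service port (8181, not 8080).
    dnat = [r for r in nat.get("PREROUTING", [])
            if _opt(r, "-j") == "DNAT" and _opt(r, "--dport") == str(local_port)]
    if not dnat:
        problems.append(f"no DNAT rule for --dport {local_port} in nat PREROUTING")
    problems += [f"DNAT sends port {local_port} to {_opt(r, '--to-destination')}, expected {want}"
                 for r in dnat if _opt(r, "--to-destination") != want]
    # 2. nat/POSTROUTING must rewrite the source, or the remote host answers the client directly.
    if not any(_opt(r, "-d") in (None, remote_ip) and
               (_opt(r, "-j") == "MASQUERADE" or
                (_opt(r, "-j") == "SNAT" and _opt(r, "--to-source") == local_ip))
               for r in nat.get("POSTROUTING", [])):
        problems.append(f"no SNAT/MASQUERADE for traffic to {remote_ip} in nat POSTROUTING")
    # 3. FORWARD runs after DNAT, so the ACCEPT must match remote_ip:remote_port, before any REJECT/DROP.
    for r in fil.get("FORWARD", []):
        if _opt(r, "-d") not in (None, remote_ip) or _opt(r, "--dport") not in (None, str(remote_port)):
            continue                                        # cannot match the translated packet
        if _opt(r, "-j") == "ACCEPT":
            break
        if _opt(r, "-j") in ("REJECT", "DROP"):
            problems.append(f"FORWARD hits '{r}' before any ACCEPT for {want}")
            break
    return problems

# Constructed dumps (not from the thread); 203.0.113.7 stands in for the thread's a.b.c.d.
WORKING = """*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 192.168.1.250/32 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 203.0.113.7:8181
-A POSTROUTING -d 203.0.113.7/32 -p tcp -m tcp --dport 8181 -j SNAT --to-source 192.168.1.250
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -d 203.0.113.7/32 -p tcp -m tcp --dport 8181 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
# Stock CentOS filter table as seen in the thread: REJECT in FORWARD and no nat rules at all.
CENTOS_DEFAULT = "*filter\n:FORWARD ACCEPT [0:0]\n-A FORWARD -j REJECT --reject-with icmp-host-prohibited\nCOMMIT\n"
```

Run it against `iptables-save` output on the box (not the digested `iptables -L` listing) to see which of the three pieces is still missing.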
John R Pierce wrote:
On 06/27/11 12:05 AM, muiz wrote:
[root@localhost ~]# /sbin/iptables -L
Note that this doesn't show all the pertinent info. I prefer `iptables -L -vn`, and it still doesn't show the nat tables; you also need `iptables -L -vn -t nat` to see those chains, and `iptables -L -vn -t mangle` if you're using any mangle entries.
iptables-save is designed for iptables output.
Ljubomir
On 06/27/11 10:43 AM, Ljubomir Ljubojevic wrote:
Note that this doesn't show all the pertinent info. I prefer `iptables -L -vn`, and it still doesn't show the nat tables; you also need `iptables -L -vn -t nat` to see those chains, and `iptables -L -vn -t mangle` if you're using any mangle entries.
iptables-save is designed for iptables output.
sure, for saving to the startup scripts.... the commands I listed above were to display the tables with full info... Without the -v flag, -L only shows part of the important stuff.
John R Pierce wrote:
On 06/27/11 10:43 AM, Ljubomir Ljubojevic wrote:
Note that this doesn't show all the pertinent info. I prefer `iptables -L -vn`, and it still doesn't show the nat tables; you also need `iptables -L -vn -t nat` to see those chains, and `iptables -L -vn -t mangle` if you're using any mangle entries.
iptables-save is designed for iptables output.
sure, for saving to the startup scripts.... the commands I listed above were to display the tables with full info... Without the -v flag, -L only shows part of the important stuff.
iptables-save man:
DESCRIPTION: iptables-save is used to dump the contents of an IP Table in easily parseable format to STDOUT. Use I/O-redirection provided by your shell to write to a file.
Ljubomir
On Tuesday, June 28, 2011 02:38 AM, Ljubomir Ljubojevic wrote:
John R Pierce wrote:
On 06/27/11 10:43 AM, Ljubomir Ljubojevic wrote:
Note that this doesn't show all the pertinent info. I prefer `iptables -L -vn`, and it still doesn't show the nat tables; you also need `iptables -L -vn -t nat` to see those chains, and `iptables -L -vn -t mangle` if you're using any mangle entries.
iptables-save is designed for iptables output.
sure, for saving to the startup scripts.... the commands I listed above were to display the tables with full info... Without the -v flag, -L only shows part of the important stuff.
iptables-save man:
DESCRIPTION: iptables-save is used to dump the contents of an IP Table in easily parseable format to STDOUT. Use I/O-redirection provided by your shell to write to a file.
You seem to have a problem understanding what John is saying. When you add the v flag, iptables will also report in/out interfaces so that you don't have to guess when you are trying to fix up the rules on the spot and not by editing some file.
Christopher Chan wrote:
On Tuesday, June 28, 2011 02:38 AM, Ljubomir Ljubojevic wrote:
John R Pierce wrote:
On 06/27/11 10:43 AM, Ljubomir Ljubojevic wrote:
Note that this doesn't show all the pertinent info. I prefer `iptables -L -vn`, and it still doesn't show the nat tables; you also need `iptables -L -vn -t nat` to see those chains, and `iptables -L -vn -t mangle` if you're using any mangle entries.
iptables-save is designed for iptables output.
sure, for saving to the startup scripts.... the commands I listed above were to display the tables with full info... Without the -v flag, -L only shows part of the important stuff.
iptables-save man:
DESCRIPTION: iptables-save is used to dump the contents of an IP Table in easily parseable format to STDOUT. Use I/O-redirection provided by your shell to write to a file.
You seem to have a problem understanding what John is saying. When you add the v flag, iptables will also report in/out interfaces so that you don't have to guess when you are trying to fix up the rules on the spot and not by editing some file.
My point should have been that listing the digested result with "iptables -L..." is not what we needed from the OP. In order to help him solve his problem, he needed to output his *rules*, not a "nice presentation of used rules".
With iptables-save he/we could see actual rules used for creating Fedora and CentOS firewall, so he/we can use that output to suggest exact rules he needs.
I started wrestling with iptables rules in 2005 when I started working as a networking admin and had to solve some very hard problems including policy routing, marking packets in the right order, etc. Since then I have gained a lot of experience in helping others (on several forum sites) understand what they have and what they need to add/remove/change.
With iptables-save you get reusable output and all you need to do is to say "used this, this, and that rule, change that one and remove that one, and it should work", so there is no chance of making an error in converting (retyping) iptables -L to actual rules already provided with iptables-save.
Ljubomir
On Tuesday, June 28, 2011 04:05 PM, Ljubomir Ljubojevic wrote:
Christopher Chan wrote:
On Tuesday, June 28, 2011 02:38 AM, Ljubomir Ljubojevic wrote:
John R Pierce wrote:
On 06/27/11 10:43 AM, Ljubomir Ljubojevic wrote:
Note that this doesn't show all the pertinent info. I prefer `iptables -L -vn`, and it still doesn't show the nat tables; you also need `iptables -L -vn -t nat` to see those chains, and `iptables -L -vn -t mangle` if you're using any mangle entries.
iptables-save is designed for iptables output.
sure, for saving to the startup scripts.... the commands I listed above were to display the tables with full info... Without the -v flag, -L only shows part of the important stuff.
iptables-save man:
DESCRIPTION: iptables-save is used to dump the contents of an IP Table in easily parseable format to STDOUT. Use I/O-redirection provided by your shell to write to a file.
You seem to have a problem understanding what John is saying. When you add the v flag, iptables will also report in/out interfaces so that you don't have to guess when you are trying to fix up the rules on the spot and not by editing some file.
My point should have been that listing the digested result with "iptables -L..." is not what we needed from the OP. In order to help him solve his problem, he needed to output his *rules*, not a "nice presentation of used rules".
Er, you are not making much sense here. John posts that -v is needed to not get the 'digested result' but the 'full result' and then you go off on a branch about iptables-save. Oh, I still don't see what difference there is between iptables -nv -L ${table} and iptables-save. iptables-save sounds more like the 'nice presentation of used rules' according to the man page.
With iptables-save he/we could see actual rules used for creating Fedora and CentOS firewall, so he/we can use that output to suggest exact rules he needs.
Strawman argument. Who needs to see the actual rules in /etc/sysconfig/iptables for 'creating the firewall' when you are just going to overwrite it with a working set by running 'service iptables save'? Or rather, both iptables -nv -L and iptables-save will provide you the actual rules but just presented differently.
I started wrestling with iptables rules in 2005 when I started working as a networking admin and had to solve some very hard problems including policy routing, marking packets in the right order, etc. Since then I have gained a lot of experience in helping others (on several forum sites) understand what they have and what they need to add/remove/change.
What's this? Get off your high horse. I have worked with ipchains, gone through the differences between netfilter and ipchains, messed with ipset due to the potential thousands of rules needed to be loaded but ultimately had to give up due to the instability of ipset, done iproute2 for multiple routing tables, done traffic shaping, done pf on OpenBSD, done ipfw on Solaris and John R Pierce probably has more experience than I do. You have arrived late to the party.
With iptables-save you get reusable output and all you need to do is to say "used this, this, and that rule, change that one and remove that one, and it should work", so there is no chance of making an error in converting (retyping) iptables -L to actual rules already provided with iptables-save.
Hahaha, the OP still managed to mistype instructions he was given, I somehow doubt that fixing up iptables-save output for him will make any difference.
Christopher Chan wrote:
Er, you are not making much sense here. John posts that -v is needed to not get the 'digested result' but the 'full result' and then you go off on a branch about iptables-save. Oh, I still don't see what difference there is between iptables -nv -L ${table} and iptables-save. iptables-save sounds more like the 'nice presentation of used rules' according to the man page.
Then please tell some noob to just copy a rule from iptables -nv -L ${table}. And good luck with that.
[snip]
Strawman argument. Who needs to see the actual rules in /etc/sysconfig/iptables for 'creating the firewall' when you are just going to overwrite it with a working set by running 'service iptables save'? Or rather, both iptables -nv -L and iptables-save will provide you the actual rules but just presented differently.
Exactly the point. One will show you *what* is being done, and the other *how* it's being done. Not the same. Like it's not the same to use a compiled program to explain where the error in the source code is.
I started wrestling with iptables rules in 2005 when I started working as a networking admin and had to solve some very hard problems including policy routing, marking packets in the right order, etc. Since then I have gained a lot of experience in helping others (on several forum sites) understand what they have and what they need to add/remove/change.
What's this? Get off your high horse. I have worked with ipchains, gone through the differences between netfilter and ipchains, messed with ipset due to the potential thousands of rules needed to be loaded but ultimately had to give up due to the instability of ipset, done iproute2 for multiple routing tables, done traffic shaping, done pf on OpenBSD, done ipfw on Solaris and John R Pierce probably has more experience than I do. You have arrived late to the party.
Knowing how to do something and finding the best way to extract info from a noob and explain to him exactly what to do are totally different things. But whatever, I do not have the time or will to argue about irrelevant stuff with a heap of work on my schedule.
Ljubomir
On Tuesday, June 28, 2011 05:22 PM, Ljubomir Ljubojevic wrote:
Christopher Chan wrote:
Er, you are not making much sense here. John posts that -v is needed to not get the 'digested result' but the 'full result' and then you go off on a branch about iptables-save. Oh, I still don't see what difference there is between iptables -nv -L ${table} and iptables-save. iptables-save sounds more like the 'nice presentation of used rules' according to the man page.
Then please tell some noob to just copy a rule from iptables -nv -L ${table}. And good luck with that.
Go on, be snide. The OP had no problem pasting /sbin/iptables -L
[snip]
Strawman argument. Who needs to see the actual rules in /etc/sysconfig/iptables for 'creating the firewall' when you are just going to overwrite it with a working set by running 'service iptables save'? Or rather, both iptables -nv -L and iptables-save will provide you the actual rules but just presented differently.
Exactly the point. One will show you *what* is being done, and the other *how* it's being done. Not the same. Like it's not the same to use a compiled program to explain where the error in the source code is.
That sounds hilarious. Your comparison does not even match. There is no 'what' or 'how' differences. It is all 'what' just presented differently.
I started wrestling with iptables rules in 2005 when I started working as a networking admin and had to solve some very hard problems including policy routing, marking packets in the right order, etc. Since then I have gained a lot of experience in helping others (on several forum sites) understand what they have and what they need to add/remove/change.
What's this? Get off your high horse. I have worked with ipchains, gone through the differences between netfilter and ipchains, messed with ipset due to the potential thousands of rules needed to be loaded but ultimately had to give up due to the instability of ipset, done iproute2 for multiple routing tables, done traffic shaping, done pf on OpenBSD, done ipfw on Solaris and John R Pierce probably has more experience than I do. You have arrived late to the party.
Knowing how to do something and finding the best way to extract info from a noob and explain to him exactly what to do are totally different things. But whatever, I do not have the time or will to argue about irrelevant stuff with a heap of work on my schedule.
Oh, so are you saying that you cannot understand the output of iptables -nv -L? I mean, cor, it must make such a big deal to a noob person when he is asked to paste the output of 'iptables-save' versus 'iptables -nv -L; iptables -nv -L nat; iptables -nv -L mangle'. Don't let me get in the way of your big pile of work.
Thanks all!
I'm studying iptables at the moment. Hope I can help others in the future :)
At 2011-06-28,"Ljubomir Ljubojevic" office@plnet.rs wrote:
Christopher Chan wrote:
Er, you are not making much sense here. John posts that -v is needed to not get the 'digested result' but the 'full result' and then you go off on a branch about iptables-save. Oh, I still don't see what difference there is between iptables -nv -L ${table} and iptables-save. iptables-save sounds more like the 'nice presentation of used rules' according to the man page.
Then please tell some noob to just copy a rule from iptables -nv -L ${table}. And good luck with that.
[snip]
Strawman argument. Who needs to see the actual rules in /etc/sysconfig/iptables for 'creating the firewall' when you are just going to overwrite it with a working set by running 'service iptables save'? Or rather, both iptables -nv -L and iptables-save will provide you the actual rules but just presented differently.
Exactly the point. One will show you *what* is being done, and the other *how* it's being done. Not the same. Like it's not the same to use a compiled program to explain where the error in the source code is.
I started wrestling with iptables rules in 2005 when I started working as a networking admin and had to solve some very hard problems including policy routing, marking packets in the right order, etc. Since then I have gained a lot of experience in helping others (on several forum sites) understand what they have and what they need to add/remove/change.
What's this? Get off your high horse. I have worked with ipchains, gone through the differences between netfilter and ipchains, messed with ipset due to the potential thousands of rules needed to be loaded but ultimately had to give up due to the instability of ipset, done iproute2 for multiple routing tables, done traffic shaping, done pf on OpenBSD, done ipfw on Solaris and John R Pierce probably has more experience than I do. You have arrived late to the party.
Knowing how to do something and finding the best way to extract info from a noob and explain to him exactly what to do are totally different things. But whatever, I do not have the time or will to argue about irrelevant stuff with a heap of work on my schedule.
Ljubomir