I'm trying to do some simple tcp port forwarding
[root@wcmisdlin02 ~]# cat /proc/sys/net/ipv4/ip_forward
0
[root@wcmisdlin02 ~]# /bin/echo 1 > /proc/sys/net/ipv4/ip_forward
[root@wcmisdlin02 ~]# cat /proc/sys/net/ipv4/ip_forward
1
[root@wcmisdlin02 ~]# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:mysql
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
[root@wcmisdlin02 ~]# iptables --table nat --append PREROUTING --proto tcp --dport 80 --jump DNAT --to 10.52.208.223:80
[root@wcmisdlin02 ~]# iptables --table nat --list PREROUTING
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere            tcp dpt:http to:10.52.208.223:80
[root@wcmisdlin02 ~]# curl --verbose http://10.52.208.221:80
* About to connect() to 10.52.208.221 port 80
*   Trying 10.52.208.221... Connection refused
* couldn't connect to host
* Closing connection #0
curl: (7) couldn't connect to host
[root@wcmisdlin02 ~]#
alexus wrote:
I'm trying to do some simple tcp port forwarding
<snip>
[root@wcmisdlin02 ~]# iptables --table nat --append PREROUTING --proto tcp --dport 80 --jump DNAT --to 10.52.208.223:80
<snip> ^^^
[root@wcmisdlin02 ~]# curl --verbose http://10.52.208.221:80
^^^
* About to connect() to 10.52.208.221 port 80
*   Trying 10.52.208.221... Connection refused
* couldn't connect to host
Could this be a problem?
mark
On Thu, Sep 16, 2010 at 4:18 PM, m.roth@5-cent.us wrote:
alexus wrote:
I'm trying to do some simple tcp port forwarding
<snip>
> [root@wcmisdlin02 ~]# iptables --table nat --append PREROUTING --proto
> tcp --dport 80 --jump DNAT --to 10.52.208.223:80
<snip> ^^^
> [root@wcmisdlin02 ~]# curl --verbose http://10.52.208.221:80
^^^
> * About to connect() to 10.52.208.221 port 80
> *   Trying 10.52.208.221... Connection refused
> * couldn't connect to host
Could this be a problem?
mark
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
iptables contains a rule on where to forward traffic, and I'm testing against my local machine and not a remote one; how is that a problem?
If I'll be hitting a remote machine, then I don't really need a redirect.
On Thursday 16 September 2010 16:03, alexus wrote:
I'm trying to do some simple tcp port forwarding
The first thing you need to do is drop the RH-firewall BS and create a new firewall rule set, set up for your needs. If you don't know how to set up a firewall, then I would suggest you get one of those GUI programs that can do this for you.
[root@wcmisdlin02 ~]# curl --verbose http://10.52.208.221:80
* About to connect() to 10.52.208.221 port 80
*   Trying 10.52.208.221... Connection refused
* couldn't connect to host
* Closing connection #0
curl: (7) couldn't connect to host
[root@wcmisdlin02 ~]#
Looks like this host doesn't accept port 80 connections.
.223 has port 80 open and it accepts connections; when I'm connecting to .221, which is supposed to forward it to .223, then it doesn't work.
On Fri, Sep 17, 2010 at 12:38 PM, Robert Spangler mlists@zoominternet.net wrote:
On Thursday 16 September 2010 16:03, alexus wrote:
I'm trying to do some simple tcp port forwarding
The first thing you need to do is drop the RH-firewall BS and create a new firewall rule set, set up for your needs. If you don't know how to set up a firewall, then I would suggest you get one of those GUI programs that can do this for you.
[root@wcmisdlin02 ~]# curl --verbose http://10.52.208.221:80
* About to connect() to 10.52.208.221 port 80
*   Trying 10.52.208.221... Connection refused
* couldn't connect to host
* Closing connection #0
curl: (7) couldn't connect to host
[root@wcmisdlin02 ~]#
Looks like this host doesn't accept port 80 connections.
--
Regards Robert
Linux The adventure of a life time.
Linux User #296285 Get Counted http://counter.li.org/
On 09/20/10 10:24 AM, alexus wrote:
.223 has port 80 open and it accepts connection when i'm connecting to .221 and that suppose to foward it to .223 then it doesn't work
Wait, those are both on the same network segment.
Normally, port forwarding is used in conjunction with NAT, where the system doing the forwarding is acting as a NAT router in between the internet and the private local network.
In your scenario, if .221 rewrites the destination IP to .223 and forwards the packet to .223, the reply will be sent back to the original client with the source as .223, and the client's IP stack won't recognize that socket connection (a socket is the 4-tuple {source IP, source port, dest IP, dest port}).
In a NAT environment, the local server to which the external request is forwarded would always be sending the reply back through the NAT router (since it's also the default gateway for the LAN systems), which can then "untranslate" the source IP back from the private/local IP to the public IP to which the client had originally sent it.
Sounds like you want a PROXY, not 'port forwarding'.
When I was first learning iptables, I found "Rusty's Remarkably Unreliable Guides" to be an excellent resource on how iptables works. He covers each part of iptables and does it in a clear and easy to understand manner. If I remember correctly, the guides are also entertaining.
http://people.netfilter.org/~rusty/unreliable-guides/
I personally don't like any of the GUIs out there. I find them to be way too constricting compared to the sheer power and flexibility of iptables. You're better off going through the guide and googling and then just writing your rules in a text editor.
____________________________
Matt Ausmus
Network Administrator
Chapman University
635 West Palm Street
Orange, CA 92868
(714)628-2738
mausmus@chapman.edu

"Nothing is ever accomplished by a reasonable man." -Bucy's Law

-----Original Message-----
From: Robert Spangler [mailto:mlists@zoominternet.net]
Sent: Friday, September 17, 2010 9:39 AM
To: CentOS mailing list
Subject: Re: [CentOS] iptables
On Thursday 16 September 2010 16:03, alexus wrote:
I'm trying to do some simple tcp port forwarding
The first thing you need to do is drop the RH-firewall BS and create a new firewall rule set, set up for your needs. If you don't know how to set up a firewall, then I would suggest you get one of those GUI programs that can do this for you.
[root@wcmisdlin02 ~]# curl --verbose http://10.52.208.221:80
* About to connect() to 10.52.208.221 port 80
*   Trying 10.52.208.221... Connection refused
* couldn't connect to host
* Closing connection #0
curl: (7) couldn't connect to host
[root@wcmisdlin02 ~]#
Looks like this host doesn't accept port 80 connections.
On Mon, 20 Sep 2010, Ausmus, Matt wrote:
To: CentOS mailing list centos@centos.org
From: "Ausmus, Matt" mausmus@chapman.edu
Subject: Re: [CentOS] iptables
When I was first learning iptables, I found "Rusty's Remarkably Unreliable Guides" to be an excellent resource on how iptables works. He covers each part of iptables and does it in a clear and easy to understand manner. If I remember correctly, the guides are also entertaining.
http://people.netfilter.org/~rusty/unreliable-guides/
I personally don't like any of the GUIs out there. I find them to be way too constricting compared to the sheer power and flexibility of iptables. You're better off going through the guide and googling and then just writing your rules in a text editor.
Yes, I agree.
I have my own iptables rules in a bash shell script to replace the RH ones at boot time.
I also found Rusty's tutorials entertaining and easy to understand. Plus there's the man page, 'pinfo iptables', which is quite concise.
Here's a nice description of CIDR address notation.
http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing
Kind Regards,
Keith
-----------------------------------------------------------------
Websites:
http://www.karsites.net
http://www.php-debuggers.net
http://www.raised-from-the-dead.org.uk

All email addresses are challenge-response protected with TMDA [http://tmda.net]
-----------------------------------------------------------------