Hello all:
I am having trouble getting port forwarding with iptables to work.
I have this configuration:
Internet --- Linux machine --- Windows machine
The Windows machine is set up to listen on IP address 10.0.0.31.
I am able to use lynx to connect to http://10.0.0.31 on the Linux machine, so there is no problem going from the Linux machine to the Windows machine.
I have tied a public IP address a.b.c.d to the linux machine and entered these rules in its firewall:
/sbin/ifconfig eth0:1 $WIN_EXTERNAL_IP netmask $ETH0_NETMASK broadcast $ETH0_BCAST
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d $WIN_EXTERNAL_IP --dport 80 -j DNAT --to $WIN_INTERNAL_IP:80
/sbin/iptables -A FORWARD -p tcp -i eth0 -d $WIN_INTERNAL_IP --dport 80 -j ACCEPT
I have this log entry at the bottom of the firewall rules:
/sbin/iptables -A FORWARD -j LOG --log-prefix "FORWARD "
When I try to go to the external IP address http://a.b.c.d from another network, I get an error.
Any ideas?
Thanks, Neil
-- Neil Aggarwal, (281)846-8957, www.JAMMConsulting.com Will your e-commerce site go offline if you have a DB server failure, fiber cut, flood, fire, or other disaster? If so, ask about our geographically redundant database system.
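The LOG rule at the end of the FORWARD chain is the quickest way to see whether inbound packets are reaching FORWARD at all, and whether DNAT has already rewritten their destination by then. The script below is an added example, not code from the thread: it summarises kernel LOG lines carrying the "FORWARD " prefix into "SRC DST DPT" triples. The sample log lines, the 198.51.100.7/203.0.113.9 source addresses and the 192.0.2.10 public address are constructed for the example; 10.0.0.31 is the Windows host from the thread.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread: summarise kernel LOG
# lines produced by   iptables -A FORWARD -j LOG --log-prefix "FORWARD "
# Reads log lines on stdin and prints "SRC DST DPT" for each FORWARD hit.
# Because nat PREROUTING runs before FORWARD, a correctly DNATed packet shows
# DST=10.0.0.31 (the internal host) here, not the public address.
forward_log_summary() {
    awk '
        / FORWARD IN=/ {
            src = dst = dpt = "-"
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DST") dst = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            print src, dst, dpt
        }'
}

# Constructed sample lines in the format the kernel writes for -j LOG.
# Addresses are made up (RFC 5737 test ranges); 10.0.0.31 is the Windows host.
SAMPLE_LOG='Oct  4 20:15:01 gw kernel: FORWARD IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=10.0.0.31 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  4 20:15:02 gw kernel: INPUT IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=41000 DPT=22 SYN
Oct  4 20:15:03 gw kernel: FORWARD IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=10.0.0.31 LEN=52 PROTO=TCP SPT=41001 DPT=80 ACK'

# Only the two FORWARD lines are reported; the INPUT line is ignored.
printf '%s\n' "$SAMPLE_LOG" | forward_log_summary
```

On a live box you would feed it the real log instead, for example `grep 'FORWARD ' /var/log/messages | forward_log_summary`. If nothing comes out while a remote client is connecting, the packet never reached FORWARD (forwarding disabled, or dropped earlier); if DST still shows the public address, the DNAT rule did not match.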
Do you have return POSTROUTING rules in your iptables nat table, and have you enabled IP forwarding?
I don't have a postrouting rule. I guess I need to add one.
I have enabled IP forwarding using: echo "1" > /proc/sys/net/ipv4/ip_forward
Thanks, Neil
Hello:
I changed my rules to these:
/sbin/iptables -t nat -A PREROUTING -d $WIN_EXTERNAL_IP -j DNAT --to $WIN_INTERNAL_IP
/sbin/iptables -t nat -A POSTROUTING -s $WIN_INTERNAL_IP -j SNAT --to $WIN_EXTERNAL_IP
And I am still not seeing anything logged in the firewall log, and the connection is not working.
Any ideas?
Thanks, Neil
This is interesting:
When I go to lynx http://a.b.c.d on the linux machine, I get the CentOS test page.
This looks like the connection is not being forwarded; it is just going to the local machine.
Any ideas?
Thanks, Neil
I don't believe you need the forward rule since you're doing NAT. What does your entire NAT table look like?
Barry:
This is strange. Everything just started working all of a sudden. I was getting firewall logs and was able to add the forward rules I needed.
I don't get it, but it is working so I am not complaining.
Thanks, Neil
Barry Brimer wrote:
Do you have return POSTROUTING rules in your iptables nat table, and have you enabled IP forwarding?
And, have you loaded the IP Connection Tracker module? I believe that's required to properly track connections through the NAT process.
# modprobe ip_conntrack