[CentOS] Port Forwarding woes
Dan Carl
danc at bluestarshows.com
Mon Apr 27 17:57:30 UTC 2009
Bo Lynch wrote:
> On Mon, April 27, 2009 12:01 pm, Dan Carl wrote:
>
>> Bo Lynch wrote:
>>
>>> I'm having some port forwarding issues with iptables.
>>> We are using iptables as a firewall with 2 nics and one ip alias.
>>> I'm trying to port forward on the alias ip
>>> eth0 = 65.x.x.1
>>> eth0:1 = 65.x.x.2
>>> eth1 = 192.168.x.x
>>>
>>> I want to forward certain ports (80, 5071, etc.) that are requested on
>>> the eth0:1 IP 65.x.x.2 to the internal IP 192.168.x.x. I have set up the
>>> following rules but I must be doing something wrong.
>>> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 65.x.x.2 --dport 80 -j DNAT --to-destination 192.168.x.x:80
>>> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 65.x.x.2 --dport 5071 -j DNAT --to-destination 192.168.x.x:5071
>>> iptables -A FORWARD -p tcp -i eth0 -d 192.168.x.x --dport 80 -j ACCEPT
>>> iptables -A FORWARD -p tcp -i eth0 -d 192.168.x.x --dport 5071 -j ACCEPT
>>>
>>> Any help would be greatly appreciated.
>>> Thanks
>>>
>> Try
>>
>> iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.x.x --dport 80 -j ACCEPT
>> iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.x.x --dport 5071 -j ACCEPT
>>
> Tried that with no luck. Here is what my NAT looks like.
> [root@localhost ~]# iptables -t nat -L
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source     destination
> DNAT       tcp  --  anywhere   65.161.127.70   tcp dpt:http to:192.168.1.3:80
> DNAT       tcp  --  anywhere   65.161.127.70   tcp dpt:powerschool to:192.168.1.3:5071
> DNAT       tcp  --  anywhere   65.161.127.70   tcp dpt:timbuktu to:192.168.1.3:407
> DNAT       tcp  --  anywhere   65.161.127.70   tcp dpt:timbuktu-srv1 to:192.168.1.3:1417
> DNAT       tcp  --  anywhere   65.161.127.70   tcp dpt:timbuktu-srv2 to:192.168.1.3:1418
> DNAT       tcp  --  anywhere   65.161.127.70   tcp dpt:timbuktu-srv3 to:192.168.1.3:1419
> DNAT       tcp  --  anywhere   65.161.127.70   tcp dpt:timbuktu-srv4 to:192.168.1.3:1420
> DNAT       tcp  --  anywhere   65.161.127.70   tcp dpt:7880 to:192.168.1.3:7880
> DNAT       tcp  --  anywhere   65.161.127.70   tcp dpt:https to:192.168.1.3:443
> DNAT       udp  --  anywhere   65.161.127.70   udp dpt:timbuktu to:192.168.1.3:407
> DNAT       udp  --  anywhere   65.161.127.70   udp dpt:timbuktu-srv1 to:192.168.1.3:1417
> DNAT       udp  --  anywhere   65.161.127.70   udp dpt:timbuktu-srv2 to:192.168.1.3:1418
> DNAT       udp  --  anywhere   65.161.127.70   udp dpt:timbuktu-srv3 to:192.168.1.3:1419
> DNAT       udp  --  anywhere   65.161.127.70   udp dpt:timbuktu-srv4 to:192.168.1.3:1420
> DNAT       udp  --  anywhere   65.161.127.70   udp dpt:7880 to:192.168.1.3:7880
>
> To me it looks like it should work. When I try and do a telnet on the port
> number I get a connection refused. Is using an alias a problem?
> Bo Lynch
>
It will work and does for me here.
Try putting this at the beginning of your script.

echo "1" > /proc/sys/net/ipv4/ip_forward
IPTABLES=/sbin/iptables
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X

Verify the alias is set up correctly with ifconfig.
Dan
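The following script is an added example and not code from either poster; it puts Dan's advice (enable ip_forward, flush, then add rules) together with the DNAT plus FORWARD rule pairs from the thread in one place, and adds two checks a firewall admin would want before blaming the alias: is forwarding actually on, and does the interface listing really show the alias address. The interface names, the alias address and the LAN host are constructed placeholders taken from the thread, and IPT defaults to "echo iptables" so the script only prints the rules it would run; set IPT=/sbin/iptables and run it as root to apply them.

```shell
#!/bin/sh
# Added example (not from the thread). Forwards a list of proto:port specs that
# arrive on an aliased public address to one LAN host, with the kernel
# forwarding switch and the alias checked first.
# Constructed placeholders: interfaces, alias address, LAN host. IPT defaults to
# printing the iptables commands instead of running them.
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
ALIAS_IP=${ALIAS_IP:-65.161.127.70}
LAN_HOST=${LAN_HOST:-192.168.1.3}
IPT=${IPT:-"echo iptables"}   # deliberately unquoted below so "echo iptables" splits

# Exit 0 when the forwarding switch in the given file reads "1".
# The file argument defaults to the real sysctl path; tests pass a copy.
ip_forward_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Turn forwarding on (Dan's first line); same optional file argument.
enable_ip_forward() {
    echo 1 > "${1:-/proc/sys/net/ipv4/ip_forward}"
}

# Exit 0 when an ifconfig or "ip addr" listing passed as $1 shows ALIAS_IP.
# Matches both "inet addr:A.B.C.D " (ifconfig) and "inet A.B.C.D/" (ip).
alias_present() {
    printf '%s\n' "$1" | grep -q -F -e "inet addr:$ALIAS_IP " -e "inet $ALIAS_IP/"
}

# Flush every table and delete user chains, so stale rules cannot shadow new ones.
flush_all() {
    $IPT -F
    $IPT -F -t nat
    $IPT -F -t mangle
    $IPT -X
}

# One DNAT rule plus its matching FORWARD rule for a single proto/port.
# -i WAN_IF -o LAN_IF pins the accept to traffic entering on the public side and
# leaving towards the LAN host, so nothing else on the firewall is opened.
forward_port() {
    proto=$1
    port=$2
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p "$proto" -d "$ALIAS_IP" \
        --dport "$port" -j DNAT --to-destination "$LAN_HOST:$port"
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p "$proto" -d "$LAN_HOST" \
        --dport "$port" -j ACCEPT
}

# Whole ruleset: flush, allow reply traffic for forwarded connections, then one
# DNAT/FORWARD pair per "proto:port" argument.
build_ruleset() {
    flush_all
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for spec in "$@"; do
        forward_port "${spec%%:*}" "${spec#*:}"
    done
}

# Stand-alone run: warn if forwarding is off (and cannot be switched on because
# we are not root), then emit rules for a few of the ports from the thread.
if ! ip_forward_enabled; then
    enable_ip_forward 2>/dev/null || \
        echo "warning: ip_forward is off; run: echo 1 > /proc/sys/net/ipv4/ip_forward" >&2
fi
build_ruleset tcp:80 tcp:443 tcp:5071 tcp:407 udp:407 tcp:7880 udp:7880
```

Run it once with the default IPT to read the generated rules, then feed `ifconfig` or `ip addr` output to alias_present; if the alias is missing there, no PREROUTING rule can ever match 65.161.127.70 and the firewall itself will answer the connection attempt, which is what a refused telnet looks like from outside.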