[CentOS] Port Forwarding woes
blynch at ameliaschools.com
Mon Apr 27 21:01:06 UTC 2009
On Mon, April 27, 2009 12:50 pm, D Tucny wrote:
> 2009/4/28 Bo Lynch <blynch at ameliaschools.com>
>> On Mon, April 27, 2009 12:01 pm, Dan Carl wrote:
>> > Bo Lynch wrote:
>> >> I'm having some port forwarding issues with iptables.
>> >> We are using iptables as a firewall with 2 nics and on ip alias.
>> >> I'm trying to port forward on the alias ip
>> >> eth0 = 65.x.x.1
>> >> eth0:1 = 65.x.x.2
>> >> eth1 = 192.168.x.x
>> >> I'm wanting to forward certain ports (80, 5071, etc.) that makes on
>> >> eth0:1 IP 65.x.x.2 to forward to internal IP 192.168.x.x. I have the
>> >> following rules but I must be doing something wrong.
>> >> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 65.x.x.2 --dport 80 -j DNAT --to-destination 192.168.x.x:80
>> >> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 65.x.x.2 --dport 5071 -j DNAT --to-destination 192.168.x.x:5071
>> >> iptables -A FORWARD -p tcp -i eth0 -d 192.168.x.x --dport 80 -j ACCEPT
>> >> iptables -A FORWARD -p tcp -i eth0 -d 192.168.x.x --dport 5071 -j ACCEPT
>> >> Any help would be greatly appreciated.
>> >> Thanks
>> > Try
>> > iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.x.x --dport 80 -j ACCEPT
>> > iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.x.x --dport 5071 -j ACCEPT
>> Tried that with no luck. Here is what my NAT looks like.
>> [root at localhost ~]# iptables -t nat -L
>> Chain PREROUTING (policy ACCEPT)
>> target prot opt source destination
>> DNAT tcp -- anywhere 22.214.171.124 tcp
>> To me it looks like it should work. When I try and do a telnet on the
>> number I get a connection refused. Is using an alias a problem?
> It should, and does, work, even with an alias...
> The fact you are getting connection refused suggests that the traffic is
> going somewhere and responses are getting back, rather than disappearing
> into a hole, which is good...
> Are you sure traffic to that address is getting to your eth0 interface and
> not going to another device or being blocked by your router?
> Capturing traffic using tcpdump while testing would confirm this, i.e.
> tcpdump -i any -n port 5071 would show packets coming in on eth0 and going
> out on eth1 if everything is working, or only coming in on eth0 if something
> within this box is preventing forwarding, or nothing at all, which would
> mean that the traffic wasn't even making it to your machine...
I think I found the culprit but not sure if by taking this out it will be
a risk. When I remove this statement things work....
iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP
If I drop the NEW it works. Should I be concerned from a security stand
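The rule above drops every connection that arrives on eth0 in state NEW, and the first packet of a DNATed connection is still NEW when it reaches FORWARD, so it kills the forwards unless the per-port ACCEPTs come first. The script below is an added example (not from the thread or from any CentOS package) of a ruleset that keeps the NEW,INVALID drop in place and orders the accepts ahead of it; the interface names, the 203.0.113.2 alias address, the 192.168.0.10 internal host and the `dry_run` helper are assumptions for illustration.

```shell
#!/bin/sh
# Added example: DNAT port forwards plus a stateful FORWARD chain, ordered so the
# catch-all NEW,INVALID drop from the thread no longer blocks the forwarded ports.
IPT="${IPT:-iptables}"      # command used to install rules; dry_run swaps in a printer
WAN_IF=eth0                 # public interface (eth0:1 is an alias on this same interface)
LAN_IF=eth1
ALIAS_IP=203.0.113.2        # constructed placeholder for the eth0:1 address
LAN_HOST=192.168.0.10       # constructed placeholder for the internal server
PORTS="80 5071"

forward_port() {
  port=$1
  # DNAT happens in PREROUTING, i.e. before the routing decision and before
  # FORWARD, so the destination seen in FORWARD is already the internal host.
  $IPT -t nat -A PREROUTING -p tcp -i "$WAN_IF" -d "$ALIAS_IP" --dport "$port" \
       -j DNAT --to-destination "$LAN_HOST:$port"
  # The first packet of the forwarded connection is in conntrack state NEW here.
  # Accept it explicitly for this one destination/port; everything else NEW
  # from the WAN side still hits the DROP appended in apply_rules.
  $IPT -A FORWARD -p tcp -i "$WAN_IF" -o "$LAN_IF" -d "$LAN_HOST" --dport "$port" \
       -m state --state NEW -j ACCEPT
}

apply_rules() {
  # Replies and related traffic for any already-accepted connection.
  $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  for p in $PORTS; do
    forward_port "$p"
  done
  # The rule from the thread, kept as the last word for WAN-side traffic:
  # it only broke the forwards because it was evaluated before the ACCEPTs.
  $IPT -A FORWARD -i "$WAN_IF" -m state --state NEW,INVALID -j DROP
}

# Print the rules in the order they would be installed, without touching the kernel.
print_rule() { printf '%s\n' "$*"; }
dry_run() { ( IPT=print_rule; apply_rules ); }
```

Run `dry_run` first to inspect the order, then `apply_rules` as root on a flushed FORWARD chain; the `-d "$LAN_HOST"` match in FORWARD is correct because DNAT has already rewritten the destination.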