[CentOS] Port Forwarding woes

Mon Apr 27 16:50:09 UTC 2009
D Tucny <d at tucny.com>

2009/4/28 Bo Lynch <blynch at ameliaschools.com>

> On Mon, April 27, 2009 12:01 pm, Dan Carl wrote:
> > Bo Lynch wrote:
> >> I'm having some port forwarding issues with iptables.
> >> We are using iptables as a firewall with 2 nics and one ip alias.
> >> I'm trying to port forward on the alias ip
> >> eth0 = 65.x.x.1
> >> eth0:1 = 65.x.x.2
> >> eth1 = 192.168.x.x
> >>
> >> I'm wanting to forward certain ports (80, 5071, etc.) that make requests on
> >> eth0:1 IP 65.x.x.2 to forward to internal IP 192.168.x.x. I have set up the
> >> following rules but I must be doing something wrong.
> >> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 65.x.x.2 --dport 80 -j DNAT --to-destination 192.168.x.x:80
> >> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 65.x.x.2 --dport 5071 -j DNAT --to-destination 192.168.x.x:5071
> >> iptables -A FORWARD -p tcp -i eth0 -d 192.168.x.x --dport 80 -j ACCEPT
> >> iptables -A FORWARD -p tcp -i eth0 -d 192.168.x.x --dport 5071 -j ACCEPT
> >>
> >> Any help would be greatly appreciated.
> >> Thanks
> >>
> > Try
> >
> > iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.x.x --dport 80 -j ACCEPT
> > iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.x.x --dport 5071 -j ACCEPT
> >
> >
> >
> Tried that with no luck. Here is what my NAT looks like.
> [root at localhost ~]# iptables -t nat -L
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> DNAT       tcp  --  anywhere             65.161.127.70       tcp dpt:http
> to:192.168.1.3:80
>

<snip>


> To me it looks like it should work. When I try and do a telnet on the port
> number I get a connection refused. Is using an alias a problem?
>

It should, and does, work, even with an alias...

The fact you are getting connection refused suggests that the traffic is
going somewhere and responses are getting back, rather than disappearing
into a hole, which is good...
Are you sure traffic to that address is getting to your eth0 interface and
not going to another device or being blocked by your router?
Capturing traffic using tcpdump while testing would confirm this, i.e.
tcpdump -i any -n port 5071 would show packets coming in on eth0 and going
out on eth1 if everything is working, or only coming in on eth0 if something
within this box is preventing forwarding, or nothing at all which would show
that the traffic wasn't even making it to your machine...

d
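The rules discussed in this thread, assembled into a small script as an added example (it is not from the thread or from any of its posters). It assumes the layout Bo described, eth0 external and eth1 internal, takes the public alias address, the internal host and one or more ports as arguments, and with DRY_RUN=1 prints the iptables and sysctl commands instead of running them. Besides the PREROUTING DNAT and the FORWARD accept pinned to both interfaces (Dan's suggestion), it includes two things a DNAT forward also depends on that neither mail shows: net.ipv4.ip_forward must be 1, and reply packets from the internal host need an ESTABLISHED,RELATED accept in FORWARD when that chain's policy is DROP. The `-m state` match is the one shipped with CentOS 5 era kernels; `-m conntrack --ctstate` is its modern equivalent.

```shell
#!/bin/sh
# Added example: DNAT port forward together with the rules it depends on.
# Assumed layout (from Bo's mail): eth0 = external, eth1 = internal.
# DRY_RUN=1 prints each iptables/sysctl command instead of executing it.

WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}

# Execute the command, or print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Forwarding between interfaces is off unless the kernel is told otherwise.
# With it at 0 the DNAT rule still matches, but the rewritten packet is
# discarded: the client sees a timeout, not a refusal.
enable_ip_forward() {
    if [ -n "${DRY_RUN:-}" ] || [ "$(cat /proc/sys/net/ipv4/ip_forward)" != 1 ]; then
        run sysctl -w net.ipv4.ip_forward=1
    fi
}

# Reply packets from the internal host traverse FORWARD as well; a DROP
# policy without this rule breaks every forward silently.
allow_established() {
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# forward_port PUBLIC_IP INTERNAL_IP PORT
# DNAT rewrites the destination before routing, so the FORWARD rule has to
# match the internal address; binding it to both interfaces means only
# WAN-to-LAN traffic for this host and port is accepted.
forward_port() {
    pub=$1 int=$2 port=$3
    run iptables -t nat -A PREROUTING -p tcp -i "$WAN_IF" -d "$pub" --dport "$port" \
        -j DNAT --to-destination "$int:$port"
    run iptables -A FORWARD -p tcp -i "$WAN_IF" -o "$LAN_IF" -d "$int" --dport "$port" \
        -m state --state NEW -j ACCEPT
}

# forward_ports PUBLIC_IP INTERNAL_IP PORT [PORT...]
forward_ports() {
    pub=$1 int=$2
    shift 2
    for port in "$@"; do
        forward_port "$pub" "$int" "$port"
    done
}

# Usage: DRY_RUN=1 sh portfwd.sh 65.x.x.2 192.168.1.3 80 5071
if [ $# -ge 3 ]; then
    enable_ip_forward
    allow_established
    forward_ports "$@"
fi
```

Run it with DRY_RUN=1 first and compare the printed rules against `iptables -t nat -L -n -v` and `iptables -L FORWARD -n -v`; the `-v` counters tell you whether a rule is ever hit. On the symptom in the thread: a packet dropped in FORWARD, or lost because ip_forward is 0, shows up on the client as a timeout, whereas "connection refused" is a TCP RST that something actually sent, which is the distinction D draws above and why the tcpdump check is the right next step.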