Quoting Bo Lynch <blynch at ameliaschools.com>:

> On Mon, April 27, 2009 12:01 pm, Dan Carl wrote:
> > Bo Lynch wrote:
> >> I'm having some port forwarding issues with iptables.
> >> We are using iptables as a firewall with 2 nics and one ip alias.
> >> I'm trying to port forward on the alias ip
> >> eth0 = 65.x.x.1
> >> eth0:1 = 65.x.x.2
> >> eth1 = 192.168.x.x
> >>
> >> I'm wanting to forward certain ports (80, 5071, etc.) that make requests
> >> on the eth0:1 IP 65.x.x.2 to the internal IP 192.168.x.x. I have set up
> >> the following rules but I must be doing something wrong.
> >> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 65.x.x.2 --dport 80 -j DNAT --to-destination 192.168.x.x:80
> >> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 65.x.x.2 --dport 5071 -j DNAT --to-destination 192.168.x.x:5071
> >> iptables -A FORWARD -p tcp -i eth0 -d 192.168.x.x --dport 80 -j ACCEPT
> >> iptables -A FORWARD -p tcp -i eth0 -d 192.168.x.x --dport 5071 -j ACCEPT
> >>
> >> Any help would be greatly appreciated.
> >> Thanks
> >>
> > Try
> >
> > iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.x.x --dport 80 -j ACCEPT
> > iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.x.x --dport 5071 -j ACCEPT
> >
> Tried that with no luck. Here is what my NAT looks like.
>
> [root at localhost ~]# iptables -t nat -L
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> DNAT       tcp  --  anywhere             65.161.127.70        tcp dpt:http to:192.168.1.3:80
> DNAT       tcp  --  anywhere             65.161.127.70        tcp dpt:powerschool to:192.168.1.3:5071
> DNAT       tcp  --  anywhere             65.161.127.70        tcp dpt:timbuktu to:192.168.1.3:407
> DNAT       tcp  --  anywhere             65.161.127.70        tcp dpt:timbuktu-srv1 to:192.168.1.3:1417
> DNAT       tcp  --  anywhere             65.161.127.70        tcp dpt:timbuktu-srv2 to:192.168.1.3:1418
> DNAT       tcp  --  anywhere             65.161.127.70        tcp dpt:timbuktu-srv3 to:192.168.1.3:1419
> DNAT       tcp  --  anywhere             65.161.127.70        tcp dpt:timbuktu-srv4 to:192.168.1.3:1420
> DNAT       tcp  --  anywhere             65.161.127.70        tcp dpt:7880 to:192.168.1.3:7880
> DNAT       tcp  --  anywhere             65.161.127.70        tcp dpt:https to:192.168.1.3:443
> DNAT       udp  --  anywhere             65.161.127.70        udp dpt:timbuktu to:192.168.1.3:407
> DNAT       udp  --  anywhere             65.161.127.70        udp dpt:timbuktu-srv1 to:192.168.1.3:1417
> DNAT       udp  --  anywhere             65.161.127.70        udp dpt:timbuktu-srv2 to:192.168.1.3:1418
> DNAT       udp  --  anywhere             65.161.127.70        udp dpt:timbuktu-srv3 to:192.168.1.3:1419
> DNAT       udp  --  anywhere             65.161.127.70        udp dpt:timbuktu-srv4 to:192.168.1.3:1420
> DNAT       udp  --  anywhere             65.161.127.70        udp dpt:7880 to:192.168.1.3:7880
>
> To me it looks like it should work. When I try and do a telnet on the port
> number I get a connection refused. Is using an alias a problem?

Do you have ip forwarding enabled? Does 'cat /proc/sys/net/ipv4/ip_forward'
show 1 or 0? Is there a service listening on the port you are forwarding to,
and can you get to this service from a machine on the internal network?
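As an added example (not from the thread or either poster), the cross-check a troubleshooter would run over this kind of rule set: parse the PREROUTING DNAT rules and the FORWARD chain and report every forward whose translated destination has no FORWARD ACCEPT, plus the ip_forward check from the reply. The listings below are constructed in the shape of `iptables -L -n` numeric output (the thread's listing used service names); the rule set is an assumption for illustration, reusing the thread's addresses.

```python
import re
from typing import NamedTuple

class Forward(NamedTuple):
    proto: str       # tcp or udp
    public_dst: str  # address the DNAT rule matches on
    to_host: str     # translated destination host
    to_port: int     # translated destination port

# Constructed sample: `iptables -t nat -L PREROUTING -n` for a subset of the thread's rules
NAT_LISTING = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            65.161.127.70        tcp dpt:80 to:192.168.1.3:80
DNAT       tcp  --  0.0.0.0/0            65.161.127.70        tcp dpt:5071 to:192.168.1.3:5071
DNAT       tcp  --  0.0.0.0/0            65.161.127.70        tcp dpt:407 to:192.168.1.3:407
DNAT       udp  --  0.0.0.0/0            65.161.127.70        udp dpt:407 to:192.168.1.3:407
"""

# Constructed sample: `iptables -L FORWARD -n` with only the two ACCEPT rules the thread shows
FORWARD_LISTING = """\
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            192.168.1.3          tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            192.168.1.3          tcp dpt:5071
"""

# Both regexes assume plain `-n` output; `-v` adds in/out interface columns.
DNAT_RE = re.compile(r"^DNAT\s+(tcp|udp)\s+--\s+\S+\s+(\S+)\s+.*to:(\d+\.\d+\.\d+\.\d+):(\d+)")
ACCEPT_RE = re.compile(r"^ACCEPT\s+(tcp|udp)\s+--\s+\S+\s+(\S+)\s+.*dpt:(\d+)")

def parse_dnat(listing):
    """All DNAT rules in a PREROUTING listing."""
    found = [DNAT_RE.match(line) for line in listing.splitlines()]
    return [Forward(m[1], m[2], m[3], int(m[4])) for m in found if m]

def parse_forward_accepts(listing):
    """Set of (proto, dst_host, dport) the FORWARD chain lets through."""
    found = [ACCEPT_RE.match(line) for line in listing.splitlines()]
    return {(m[1], m[2], int(m[3])) for m in found if m}

def unforwarded(nat_listing, forward_listing):
    """DNAT rules with no matching FORWARD ACCEPT. FORWARD sees the packet
    after DNAT, so the match is on the translated host and port, not the public ones."""
    accepts = parse_forward_accepts(forward_listing)
    return [r for r in parse_dnat(nat_listing) if (r.proto, r.to_host, r.to_port) not in accepts]

def ip_forward_enabled(sysctl_value):
    """Interpret the contents of /proc/sys/net/ipv4/ip_forward."""
    return sysctl_value.strip() == "1"

if __name__ == "__main__":
    for r in unforwarded(NAT_LISTING, FORWARD_LISTING):
        print(f"no FORWARD ACCEPT for {r.proto} {r.to_host}:{r.to_port} (DNAT from {r.public_dst})")
```

On a live box, feed it the real output of `iptables -t nat -L PREROUTING -n` and `iptables -L FORWARD -n`, and the contents of /proc/sys/net/ipv4/ip_forward.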