[CentOS] Port Forwarding woes

Mon Apr 27 20:01:06 UTC 2009
Bo Lynch <blynch at ameliaschools.com>

On Mon, April 27, 2009 12:50 pm, D Tucny wrote:
> 2009/4/28 Bo Lynch <blynch at ameliaschools.com>
>
>> On Mon, April 27, 2009 12:01 pm, Dan Carl wrote:
>> > Bo Lynch wrote:
>> >> I'm having some port forwarding issues with iptables.
>> >> We are using iptables as a firewall with 2 NICs and one IP alias.
>> >> I'm trying to port forward on the alias ip
>> >> eth0 = 65.x.x.1
>> >> eth0:1 = 65.x.x.2
>> >> eth1 = 192.168.x.x
>> >>
>> >> I want to forward certain ports (80, 5071, etc.) that make requests on
>> >> the eth0:1 IP 65.x.x.2 to the internal IP 192.168.x.x. I have set up the
>> >> following rules, but I must be doing something wrong.
>> >> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 65.x.x.2 --dport 80 -j DNAT --to-destination 192.168.x.x:80
>> >> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 65.x.x.2 --dport 5071 -j DNAT --to-destination 192.168.x.x:5071
>> >> iptables -A FORWARD -p tcp -i eth0 -d 192.168.x.x --dport 80 -j ACCEPT
>> >> iptables -A FORWARD -p tcp -i eth0 -d 192.168.x.x --dport 5071 -j ACCEPT
>> >>
>> >> Any help would be greatly appreciated.
>> >> Thanks
>> >>
>> > Try
>> >
>> > iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.x.x --dport 80 -j ACCEPT
>> > iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.x.x --dport 5071 -j ACCEPT
>> >
>> >
>> >
>> Tried that with no luck. Here is what my NAT looks like.
>> [root at localhost ~]# iptables -t nat -L
>> Chain PREROUTING (policy ACCEPT)
>> target     prot opt source               destination
>> DNAT       tcp  --  anywhere             65.161.127.70       tcp dpt:http to:192.168.1.3:80
>>
>
> <snip>
>
>
>> To me it looks like it should work. When I try to telnet to the port
>> number, I get connection refused. Is using an alias a problem?
>>
>
> It should, and does, work, even with an alias...
>
> The fact you are getting connection refused suggests that the traffic is
> going somewhere and responses are getting back, rather than disappearing
> into a hole, which is good...
> Are you sure traffic to that address is getting to your eth0 interface and
> not going to another device or being blocked by your router?
> Capturing traffic using tcpdump while testing would confirm this, i.e.
> tcpdump -i any -n port 5071 would show packets coming in on eth0 and going
> out on eth1 if everything is working, or only coming in on eth0 if something
> within this box is preventing forwarding, or nothing at all, which would
> show that the traffic wasn't even making it to your machine...
>
> d
> _______________________________________________
I think I found the culprit, but I'm not sure if taking this out will be
a risk. When I remove this statement, things work:
iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP

If I drop the NEW, it works. Should I be concerned from a security
standpoint?
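Added example, not code from anyone in this thread: a ruleset that keeps the "drop NEW and INVALID arriving on eth0" rule but places the explicit accepts for the forwarded ports ahead of it, and splits INVALID (never forwarded) from NEW (forwarded only to the DNAT'd ports). The first packet of a DNAT'd connection is classified NEW by conntrack, which is why the thread's rule, placed before the accepts, blocks the forward. DNAT happens in PREROUTING before the routing decision, so the FORWARD rule matches the post-DNAT destination 192.168.x.x. The interface names and the 65.x.x.2 / 192.168.x.x placeholders are the thread's; WAN_ALIAS, LAN_HOST, FORWARDED_PORTS, apply_rules and check_order are names assumed for this example. Setting IPT="echo iptables" prints the rules instead of applying them, which is how check_order runs without root or netfilter.

```shell
#!/bin/sh
# Added example (not from the thread). Source this file, then run
# apply_rules as root, or check_order (no root needed) to review ordering.
# Variable and function names are assumed for the example; the addresses
# are the thread's placeholders. IPT="echo iptables" makes a dry run.

IPT="${IPT:-iptables}"
WAN_IF=eth0
LAN_IF=eth1
WAN_ALIAS=65.x.x.2          # address on the eth0:1 alias (thread's placeholder)
LAN_HOST=192.168.x.x        # internal server (thread's placeholder)
FORWARDED_PORTS="80 5071"   # TCP ports DNAT'd to LAN_HOST

apply_rules() {
    # Flush only the chains this script manages; FORWARD defaults to DROP.
    $IPT -t nat -F PREROUTING
    $IPT -F FORWARD
    $IPT -P FORWARD DROP

    # 1. INVALID split off from NEW: packets conntrack cannot classify are
    #    never forwarded, whichever interface they arrive on.
    $IPT -A FORWARD -m state --state INVALID -j DROP

    # 2. Replies and follow-up packets of connections accepted further down.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 3. DNAT each forwarded port and accept its NEW connections. DNAT runs
    #    in PREROUTING, before routing, so FORWARD sees LAN_HOST as the
    #    destination rather than WAN_ALIAS. These accepts must precede rule 4.
    for port in $FORWARDED_PORTS; do
        $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$WAN_ALIAS" --dport "$port" \
            -j DNAT --to-destination "$LAN_HOST:$port"
        $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$LAN_HOST" --dport "$port" \
            -m state --state NEW -j ACCEPT
    done

    # 4. The thread's rule minus INVALID (already handled in 1): any other
    #    NEW connection arriving on the WAN side is dropped. Redundant with
    #    the chain policy, kept so the intent is visible in iptables -L.
    $IPT -A FORWARD -i "$WAN_IF" -m state --state NEW -j DROP

    # 5. LAN hosts may open outbound connections.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m state --state NEW -j ACCEPT
}

# Dry-run check for the ordering mistake behind the thread's symptom: every
# per-port ACCEPT must come before the catch-all NEW DROP in FORWARD.
# Returns 0 when the order is right. Runs apply_rules with IPT set to echo
# in a subshell, so nothing is applied and no root is needed.
check_order() {
    rules=$(IPT="echo iptables"; apply_rules)
    drop_line=$(printf '%s\n' "$rules" | grep -n -- '--state NEW -j DROP' | cut -d: -f1)
    [ -n "$drop_line" ] || return 1
    for port in $FORWARDED_PORTS; do
        acc_line=$(printf '%s\n' "$rules" \
            | grep -n -- "--dport $port -m state --state NEW -j ACCEPT" | cut -d: -f1)
        [ -n "$acc_line" ] && [ "$acc_line" -lt "$drop_line" ] || return 1
    done
    return 0
}
```

Forwarding also needs net.ipv4.ip_forward=1 in the kernel, which the script does not set. The order inside FORWARD is the whole point: iptables evaluates rules top to bottom and stops at the first match, so a blanket `--state NEW -j DROP` on eth0 placed before the per-port accepts swallows the first packet of every forwarded connection, while the same rule placed after them only catches the unsolicited traffic it was meant for.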