Bo Lynch wrote:
> On Mon, April 27, 2009 12:01 pm, Dan Carl wrote:
>
>> Bo Lynch wrote:
>>
>>> I'm having some port forwarding issues with iptables.
>>> We are using iptables as a firewall with 2 NICs and one IP alias.
>>> I'm trying to port forward on the alias IP:
>>> eth0 = 65.x.x.1
>>> eth0:1 = 65.x.x.2
>>> eth1 = 192.168.x.x
>>>
>>> I want to forward certain ports (80, 5071, etc.) that make requests on
>>> the eth0:1 IP 65.x.x.2 to the internal IP 192.168.x.x. I have set up the
>>> following rules but I must be doing something wrong.
>>>
>>> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 65.x.x.2 --dport 80 -j DNAT --to-destination 192.168.x.x:80
>>> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 65.x.x.2 --dport 5071 -j DNAT --to-destination 192.168.x.x:5071
>>> iptables -A FORWARD -p tcp -i eth0 -d 192.168.x.x --dport 80 -j ACCEPT
>>> iptables -A FORWARD -p tcp -i eth0 -d 192.168.x.x --dport 5071 -j ACCEPT
>>>
>>> Any help would be greatly appreciated.
>>> Thanks
>>
>> Try
>>
>> iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.x.x --dport 80 -j ACCEPT
>> iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.x.x --dport 5071 -j ACCEPT
>
> Tried that with no luck. Here is what my NAT looks like.
> [root@localhost ~]# iptables -t nat -L
> Chain PREROUTING (policy ACCEPT)
> target  prot opt source    destination
> DNAT    tcp  --  anywhere  65.161.127.70  tcp dpt:http           to:192.168.1.3:80
> DNAT    tcp  --  anywhere  65.161.127.70  tcp dpt:powerschool    to:192.168.1.3:5071
> DNAT    tcp  --  anywhere  65.161.127.70  tcp dpt:timbuktu       to:192.168.1.3:407
> DNAT    tcp  --  anywhere  65.161.127.70  tcp dpt:timbuktu-srv1  to:192.168.1.3:1417
> DNAT    tcp  --  anywhere  65.161.127.70  tcp dpt:timbuktu-srv2  to:192.168.1.3:1418
> DNAT    tcp  --  anywhere  65.161.127.70  tcp dpt:timbuktu-srv3  to:192.168.1.3:1419
> DNAT    tcp  --  anywhere  65.161.127.70  tcp dpt:timbuktu-srv4  to:192.168.1.3:1420
> DNAT    tcp  --  anywhere  65.161.127.70  tcp dpt:7880           to:192.168.1.3:7880
> DNAT    tcp  --  anywhere  65.161.127.70  tcp dpt:https          to:192.168.1.3:443
> DNAT    udp  --  anywhere  65.161.127.70  udp dpt:timbuktu       to:192.168.1.3:407
> DNAT    udp  --  anywhere  65.161.127.70  udp dpt:timbuktu-srv1  to:192.168.1.3:1417
> DNAT    udp  --  anywhere  65.161.127.70  udp dpt:timbuktu-srv2  to:192.168.1.3:1418
> DNAT    udp  --  anywhere  65.161.127.70  udp dpt:timbuktu-srv3  to:192.168.1.3:1419
> DNAT    udp  --  anywhere  65.161.127.70  udp dpt:timbuktu-srv4  to:192.168.1.3:1420
> DNAT    udp  --  anywhere  65.161.127.70  udp dpt:7880           to:192.168.1.3:7880
>
> To me it looks like it should work. When I try to telnet to the port
> number I get a connection refused. Is using an alias a problem?
> Bo Lynch

It will work and does for me here. Try putting this at the beginning of your script.

echo "1" > /proc/sys/net/ipv4/ip_forward
IPTABLES=/sbin/iptables
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X

Verify the alias is set up correctly with ifconfig.

Dan
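The script below is an added example, not code posted by anyone in this thread. It generates the complete rule set for the setup Bo describes (ports arriving on an aliased public IP forwarded to one internal host) and includes the two pieces his posted rules leave out: the ip_forward sysctl that Dan points at, and a stateful rule in FORWARD for the return traffic. Two details matter. An alias such as eth0:1 is not a separate interface, so `-i eth0` is correct. And PREROUTING DNAT rewrites the destination before the routing decision, so the FORWARD rule must match the internal address (192.168.x.x), never the public one. The interface names and port list are taken from the thread; the public address 203.0.113.2 is an RFC 5737 documentation address standing in for 65.x.x.2 and is an assumption, as is the internal host 192.168.1.3 from Bo's listing.

```shell
#!/bin/sh
# Added example (not from the thread): build the iptables rules for
# forwarding ports that arrive on an aliased public IP to an internal host.
# Run with "apply" as root to load the rules, or with no argument to print them.

PUB_IF=eth0            # eth0:1 is an alias on eth0, so match on eth0 (assumed)
LAN_IF=eth1            # internal interface (assumed)
ALIAS_IP=203.0.113.2   # stands in for the alias 65.x.x.2 (assumed, RFC 5737)
LAN_HOST=192.168.1.3   # internal server (assumed, from the listing)
TCP_PORTS="80 443 5071"
UDP_PORTS="407"

# Emit one DNAT rule plus one FORWARD rule for a protocol/port pair.
# PREROUTING rewrites the destination before routing, so FORWARD has to
# match the internal address, not the public alias.
rules_for() {
    proto=$1; port=$2
    printf 'iptables -t nat -A PREROUTING -i %s -p %s -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$PUB_IF" "$proto" "$ALIAS_IP" "$port" "$LAN_HOST" "$port"
    printf 'iptables -A FORWARD -i %s -o %s -p %s -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$PUB_IF" "$LAN_IF" "$proto" "$LAN_HOST" "$port"
}

# Full rule set: enable routing, accept the return path for tracked
# connections, then one DNAT/FORWARD pair per port.  Anything not listed
# stays subject to the FORWARD chain policy, which should be DROP.
gen_rules() {
    echo 'sysctl -w net.ipv4.ip_forward=1'
    echo 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for p in $TCP_PORTS; do rules_for tcp "$p"; done
    for p in $UDP_PORTS; do rules_for udp "$p"; done
}

# Number of rules generated: two header lines plus two per port.
rule_count() {
    gen_rules | wc -l | tr -d ' '
}

# Preflight check: without forwarding, DNAT'd packets are routed nowhere.
ip_forward_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

case "${1:-print}" in
    apply) gen_rules | sh -e ;;   # loads the rules; requires root
    print) gen_rules ;;
esac
```

After loading, `iptables -t nat -L PREROUTING -v -n` and `iptables -L FORWARD -v -n` show per-rule packet counters, which tell you where a test connection stops. A TCP "connection refused" is a RST from whichever host received the SYN: if the DNAT rule's counter stays at zero, the firewall itself answered because nothing matched (wrong address, wrong interface, or the alias is not up); if it increments, the internal host answered, so check what is actually listening there. A drop in FORWARD would show up as a timeout, not a refusal.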