[CentOS] Port Forwarding woes

Mon Apr 27 17:57:30 UTC 2009
Dan Carl <danc at bluestarshows.com>

Bo Lynch wrote:
> On Mon, April 27, 2009 12:01 pm, Dan Carl wrote:
>   
>> Bo Lynch wrote:
>>     
>>> I'm having some port forwarding issues issues with iptables.
>>> We are using iptables as a firewall with 2 nics and on ip alias.
>>> I'm trying to port forward on the alias ip
>>> eth0 = 65.x.x.1
>>> eth0:1 = 65.x.x.2
>>> eth1 = 192.168.x.x
>>>
>>> I'm wanting to forward certain ports(80,5071...etc) that makes request
>>> on
>>> eth0:1 IP 65.x.x.2 to forward to internal IP 192.168.x.x. I have setup
>>> the
>>> following rules but I must be doing something wrong.
>>> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 65.x.x.2 --dport 80 -j
>>> DNAT --to-destination 192.168.x.x:80
>>> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 65.x.x.2 --dport 5071 -j
>>> DNAT --to-destination 192.168.x.x:5071
>>> iptables -A FORWARD -p tcp -i eth0 -d 192.168.x.x --dport 80 -j ACCEPT
>>> iptables -A FORWARD -p tcp -i eth0 -d 192.168.x.x --dport 5071 -j ACCEPT
>>>
>>> Any help would be greatly appreciated.
>>> Thanks
>>>
>>>       
>> Try
>>
>> iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.x.x --dport 80 -j
>> ACCEPT
>> iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.x.x --dport 5071 -j
>> ACCEPT
>>
>>
>>
>>     
> Tried that with no luck. Here is what my NAT looks like.
> [root at localhost ~]# iptables -t nat -L
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> DNAT       tcp  --  anywhere             65.161.127.70       tcp dpt:http
> to:192.168.1.3:80
> DNAT       tcp  --  anywhere             65.161.127.70       tcp
> dpt:powerschool to:192.168.1.3:5071
> DNAT       tcp  --  anywhere             65.161.127.70       tcp
> dpt:timbuktu to:192.168.1.3:407
> DNAT       tcp  --  anywhere             65.161.127.70       tcp
> dpt:timbuktu-srv1 to:192.168.1.3:1417
> DNAT       tcp  --  anywhere             65.161.127.70       tcp
> dpt:timbuktu-srv2 to:192.168.1.3:1418
> DNAT       tcp  --  anywhere             65.161.127.70       tcp
> dpt:timbuktu-srv3 to:192.168.1.3:1419
> DNAT       tcp  --  anywhere             65.161.127.70       tcp
> dpt:timbuktu-srv4 to:192.168.1.3:1420
> DNAT       tcp  --  anywhere             65.161.127.70       tcp dpt:7880
> to:192.168.1.3:7880
> DNAT       tcp  --  anywhere             65.161.127.70       tcp dpt:https
> to:192.168.1.3:443
> DNAT       udp  --  anywhere             65.161.127.70       udp
> dpt:timbuktu to:192.168.1.3:407
> DNAT       udp  --  anywhere             65.161.127.70       udp
> dpt:timbuktu-srv1 to:192.168.1.3:1417
> DNAT       udp  --  anywhere             65.161.127.70       udp
> dpt:timbuktu-srv2 to:192.168.1.3:1418
> DNAT       udp  --  anywhere             65.161.127.70       udp
> dpt:timbuktu-srv3 to:192.168.1.3:1419
> DNAT       udp  --  anywhere             65.161.127.70       udp
> dpt:timbuktu-srv4 to:192.168.1.3:1420
> DNAT       udp  --  anywhere             65.161.127.70       udp dpt:7880
> to:192.168.1.3:7880
>
> To me it looks like it should work. When I try and do a telnet on the port
> number I get a connection refused. Is using an alias a problem?
> Bo Lynch
>
>
>   
It will work and does for me here.

Try putting this at the beginning of your script.

echo "1" > /proc/sys/net/ipv4/ip_forward
IPTABLES=/sbin/iptables
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X

Verify the alias is setup correctly with ifconfig.

Dan