On Mon, April 27, 2009 12:50 pm, D Tucny wrote:
> 2009/4/28 Bo Lynch <blynch at ameliaschools.com>
>
>> On Mon, April 27, 2009 12:01 pm, Dan Carl wrote:
>> > Bo Lynch wrote:
>> >> I'm having some port forwarding issues with iptables.
>> >> We are using iptables as a firewall with 2 nics and one ip alias.
>> >> I'm trying to port forward on the alias ip
>> >> eth0 = 65.x.x.1
>> >> eth0:1 = 65.x.x.2
>> >> eth1 = 192.168.x.x
>> >>
>> >> I'm wanting to forward certain ports (80, 5071...etc) that make requests on
>> >> eth0:1 IP 65.x.x.2 to forward to internal IP 192.168.x.x. I have set up the
>> >> following rules but I must be doing something wrong.
>> >> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 65.x.x.2 --dport 80 -j DNAT --to-destination 192.168.x.x:80
>> >> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 65.x.x.2 --dport 5071 -j DNAT --to-destination 192.168.x.x:5071
>> >> iptables -A FORWARD -p tcp -i eth0 -d 192.168.x.x --dport 80 -j ACCEPT
>> >> iptables -A FORWARD -p tcp -i eth0 -d 192.168.x.x --dport 5071 -j ACCEPT
>> >>
>> >> Any help would be greatly appreciated.
>> >> Thanks
>> >>
>> > Try
>> >
>> > iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.x.x --dport 80 -j ACCEPT
>> > iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.x.x --dport 5071 -j ACCEPT
>> >
>> Tried that with no luck. Here is what my NAT looks like.
>> [root at localhost ~]# iptables -t nat -L
>> Chain PREROUTING (policy ACCEPT)
>> target     prot opt source               destination
>> DNAT       tcp  --  anywhere             65.161.127.70        tcp dpt:http to:192.168.1.3:80
>
> <snip>
>
>> To me it looks like it should work. When I try and do a telnet on the port
>> number I get a connection refused. Is using an alias a problem?
>
> It should, and does, work, even with an alias...
>
> The fact you are getting connection refused suggests that the traffic is
> going somewhere and responses are getting back, rather than disappearing
> into a hole, which is good...
> Are you sure traffic to that address is getting to your eth0 interface and
> not going to another device or being blocked by your router?
> Capturing traffic using tcpdump while testing would confirm this, i.e.
> tcpdump -i any -n port 5071 would show packets coming in on eth0 and going
> out on eth1 if everything is working, or only coming in on eth0 if something
> within this box is preventing forwarding, or nothing at all which would show
> that the traffic wasn't even making it to your machine...
>
> d

I think I found the culprit but not sure if by taking this out it will be a risk.
When I remove this statement things work....

iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP

If I drop the NEW it works. Should I be concerned from a security standpoint?
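Added example (not from the thread, and not Bo's or the list's own script): the first packet of a DNATed connection is still NEW when it reaches FORWARD, so a `--state NEW,INVALID -j DROP` placed before the per-port ACCEPTs swallows it; the fix is ordering, not removing the DROP. `IPT`, `WAN`, `LAN` and the dry-run `check_order` helper are assumptions for this example; the addresses are the thread's own placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the FORWARD chain in an order that
# keeps the "drop NEW/INVALID from eth0" rule but still admits the DNATed ports.
# IPT is assumed: run with IPT=echo to review the order without touching the
# running firewall.
IPT="${IPT:-iptables}"
WAN=eth0
LAN=eth1
ALIAS=65.x.x.2          # public alias (placeholder, as in the thread)
SERVER=192.168.x.x      # internal host (placeholder, as in the thread)
PORTS="80 5071"

apply_forward_rules() {
    # DNAT in PREROUTING, as in the original post.
    for p in $PORTS; do
        $IPT -t nat -A PREROUTING -p tcp -i "$WAN" -d "$ALIAS" --dport "$p" \
            -j DNAT --to-destination "$SERVER:$p"
    done
    # 1. Replies and related traffic first.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 2. The forwarded ports. These packets are NEW in FORWARD, so they must be
    #    accepted before the catch-all drop below. (An equivalent alternative is
    #    "-m conntrack --ctstate DNAT -j ACCEPT" to admit only DNATed flows.)
    for p in $PORTS; do
        $IPT -A FORWARD -p tcp -i "$WAN" -o "$LAN" -d "$SERVER" --dport "$p" \
            -m state --state NEW -j ACCEPT
    done
    # 3. The rule that broke things in the thread is now safe: any other new or
    #    invalid connection arriving from the Internet is dropped.
    $IPT -A FORWARD -i "$WAN" -m state --state NEW,INVALID -j DROP
}

# Dry-run self-check: returns 0 when every per-port ACCEPT precedes the
# NEW,INVALID DROP in the emitted rule list.
check_order() {
    out=$(IPT=echo; apply_forward_rules)
    drop_line=$(printf '%s\n' "$out" | grep -n -- '--state NEW,INVALID -j DROP' | cut -d: -f1)
    last_accept=$(printf '%s\n' "$out" | grep -n -- '--dport .* -j ACCEPT' | tail -1 | cut -d: -f1)
    [ -n "$drop_line" ] && [ -n "$last_accept" ] && [ "$last_accept" -lt "$drop_line" ]
}
```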