Quoting Bo Lynch <blynch at ameliaschools.com>:

> On Mon, April 27, 2009 12:50 pm, D Tucny wrote:
> > 2009/4/28 Bo Lynch <blynch at ameliaschools.com>
> >
> > > On Mon, April 27, 2009 12:01 pm, Dan Carl wrote:
> > > > Bo Lynch wrote:
> > > > > I'm having some port forwarding issues with iptables.
> > > > > We are using iptables as a firewall with 2 NICs and one IP alias.
> > > > > I'm trying to port forward on the alias IP:
> > > > > eth0 = 65.x.x.1
> > > > > eth0:1 = 65.x.x.2
> > > > > eth1 = 192.168.x.x
> > > > >
> > > > > I'm wanting to forward certain ports (80, 5071, etc.) that make
> > > > > requests on the eth0:1 IP 65.x.x.2 to the internal IP 192.168.x.x.
> > > > > I have set up the following rules but I must be doing something wrong.
> > > > > iptables -t nat -A PREROUTING -p tcp -i eth0 -d 65.x.x.2 --dport 80 -j DNAT --to-destination 192.168.x.x:80
> > > > > iptables -t nat -A PREROUTING -p tcp -i eth0 -d 65.x.x.2 --dport 5071 -j DNAT --to-destination 192.168.x.x:5071
> > > > > iptables -A FORWARD -p tcp -i eth0 -d 192.168.x.x --dport 80 -j ACCEPT
> > > > > iptables -A FORWARD -p tcp -i eth0 -d 192.168.x.x --dport 5071 -j ACCEPT
> > > > >
> > > > > Any help would be greatly appreciated.
> > > > > Thanks
> > > > >
> > > > Try
> > > >
> > > > iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.x.x --dport 80 -j ACCEPT
> > > > iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.x.x --dport 5071 -j ACCEPT
> > > >
> > > Tried that with no luck. Here is what my NAT looks like.
> > > [root at localhost ~]# iptables -t nat -L
> > > Chain PREROUTING (policy ACCEPT)
> > > target     prot opt source               destination
> > > DNAT       tcp  --  anywhere             65.161.127.70        tcp dpt:http to:192.168.1.3:80
> > >
> > <snip>
> >
> > > To me it looks like it should work. When I try and do a telnet on the
> > > port number I get a connection refused. Is using an alias a problem?
> > >
> > It should, and does, work, even with an alias...
> >
> > The fact you are getting connection refused suggests that the traffic is
> > going somewhere and responses are getting back, rather than disappearing
> > into a hole, which is good...
> > Are you sure traffic to that address is getting to your eth0 interface and
> > not going to another device or being blocked by your router?
> > Capturing traffic using tcpdump while testing would confirm this, i.e.
> > tcpdump -i any -n port 5071 would show packets coming in on eth0 and going
> > out on eth1 if everything is working, or only coming in on eth0 if something
> > within this box is preventing forwarding, or nothing at all, which would
> > show that the traffic wasn't even making it to your machine...
> >
> > d
>
> I think I found the culprit but not sure if by taking this out it will be
> a risk. When I remove this statement things work....
> iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP
>
> If I drop the NEW it works. Should I be concerned from a security
> standpoint?

If you don't drop the NEW, it won't work. It is fine to drop INVALID traffic.
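As an added example (not code from anyone in the thread), here is one way to keep both the INVALID drop and a catch-all drop of unsolicited NEW connections from eth0 while still letting the DNAT'd ports through: the per-port ACCEPTs simply have to be evaluated before the catch-all DROP. The IPT dry-run variable, the check_order helper and the x-placeholder addresses are assumptions; with the default IPT the script only prints the commands.

```shell
#!/bin/sh
# Added example, not from the thread. Rebuilds the chains so the per-port
# ACCEPTs for the DNAT'd connections are evaluated BEFORE the catch-all
# "NEW -j DROP", while INVALID is still dropped unconditionally.
# IPT defaults to a dry run ("echo iptables"); set IPT=iptables to apply.
IPT=${IPT:-"echo iptables"}
WAN_IF=eth0
LAN_IF=eth1
ALIAS_IP=65.x.x.2         # placeholder: the eth0:1 alias from the thread
SERVER_IP=192.168.x.x     # placeholder: the internal server from the thread
FORWARDED_PORTS="80 5071"

forward_rules() {
    # DNAT on the alias address, as in the original post.
    for p in $FORWARDED_PORTS; do
        $IPT -t nat -A PREROUTING -p tcp -i "$WAN_IF" -d "$ALIAS_IP" \
            --dport "$p" -j DNAT --to-destination "$SERVER_IP:$p"
    done
    # 1. INVALID packets are never legitimate traffic: drop them first.
    $IPT -A FORWARD -i "$WAN_IF" -m state --state INVALID -j DROP
    # 2. Follow-up packets of connections that were already accepted.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 3. NEW connections only for the forwarded ports, and only when they
    #    are headed for the internal server via the LAN interface.
    for p in $FORWARDED_PORTS; do
        $IPT -A FORWARD -p tcp -i "$WAN_IF" -o "$LAN_IF" -d "$SERVER_IP" \
            --dport "$p" -m state --state NEW -j ACCEPT
    done
    # 4. Any other NEW connection from the WAN is dropped. Placed after
    #    step 3, this rule no longer swallows the forwarded SYNs.
    $IPT -A FORWARD -i "$WAN_IF" -m state --state NEW -j DROP
}

# Dry-run check: every FORWARD ACCEPT must precede the catch-all NEW drop.
# Returns 0 when the ordering is right, 1 otherwise.
check_order() {
    forward_rules | grep -- '-A FORWARD' | awk '
        /-j ACCEPT/            { if (seen_drop) bad = 1 }
        /--state NEW -j DROP/  { seen_drop = 1 }
        END                    { exit bad + 0 }'
}
```

Running it with IPT unset prints the rule set in evaluation order; `check_order` exits non-zero if an ACCEPT ever ends up below the catch-all drop, which is exactly the ordering problem the thread ran into.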