muiz wrote:
> Dear all,
> Below are my iptables default settings (only ports 22 and 8080 (webcache) are open):
> -------------------------------------------------------------------------------------------------------------
> [root at localhost ~]# /sbin/iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
> ACCEPT     icmp --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:webcache
> REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> -------------------------------------------------------------------------------------------------------------
>
> To Ljubomir:
> The remote server a.b.c.d serves port 8181, and the local server forwards its port 8080 to remote 8181.
>
>
> At 2011-06-27, "Ljubomir Ljubojevic" <office at plnet.rs> wrote:
>
>>Marian Marinov wrote:
>>> On Monday 27 June 2011 07:15:33 muiz wrote:
>>>> Marian, I'm very happy you're online :) I think I have tried the record you mention just now. And I would like to make clear what I have done (the scripts I test):
>>>> /sbin/iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 8080 --to a.b.c.d:8181
>>>> /sbin/iptables -t nat -A POSTROUTING -j SNAT -s 192.168.0.0/255.255.255.0 --to 192.168.1.250
>>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>> Then it doesn't work!
>>>
>>> You have to have some other iptables rules that block the traffic, since this has to work.
>>>
>>> Marian
>>>
>>>> At 2011-06-27, "Marian Marinov" <mm at yuhu.biz> wrote:
>>>>> On Monday 27 June 2011 06:50:27 muiz wrote:
>>>>>> Dear Marian and all,
>>>>>>
>>>>>> It seems it doesn't work:
>>>>>> /sbin/iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 8080 --to a.b.c.d:8181
>>>>>> /sbin/iptables -t nat -A POSTROUTING -j SNAT -s 192.168.0.0/255.255.255.0 --to a.b.c.d
>>>>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>>> Yup, it's normal not to work... You got the SNAT rule wrong :)
>>>>>
>>>>> It should be to the IP of the server that is DOING the forwarding...
>>>>>
>>>>> so
>>>>>
>>>>> /sbin/iptables -t nat -A POSTROUTING -j SNAT -s 192.168.0.0/255.255.255.0 --to 192.168.1.250
>>>>>
>>>>> Marian
>>>>>
>>>>>> I checked the Fedora iptables setting in the /etc/sysconfig/iptables file:
>>>>>> ...
>>>>>>
>>>>>> :POSTROUTING ACCEPT [0:0]
>>>>>>
>>>>>> -A PREROUTING -i eth+ -p tcp --dport 8080 -j DNAT --to-destination a.b.c.d:8080
>>>>>> ....
>>>>>>
>>>>>> :OUTPUT ACCEPT [0:0]
>>>>>>
>>>>>> -A FORWARD -i eth+ -m state --state NEW -m tcp -p tcp -d a.b.c.d --dport 8080 -j ACCEPT
>>>>>>
>>>>>>
>>>>>> And the additional rule I add is:
>>>>>> /sbin/iptables -t nat -A POSTROUTING -d a.b.c.d -p tcp --dport 8080 -j MASQUERADE
>>>>>>
>>>>>>
>>>>>> Then it works! But if I don't use the system-config-firewall GUI tool, then how?
>>>>>>
>>>>>>
>>>>>> Thanks very much!
>>>>>>
>>>>>> At 2011-06-27, "Marian Marinov" <mm at yuhu.biz> wrote:
>>>>>>> On Monday 27 June 2011 00:08:08 muiz wrote:
>>>>>>>> Thanks Marian,
>>>>>>>> The server only has one IP. I think I should add more iptables records; only one NAT record is not enough, is it correct? If yes, then how?
>>>>>>> Huh, I'm sorry, yes you need a second rule. So the rules are:
>>>>>>> iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 8080 --to a.b.c.d:8181
>>>>>>> iptables -t nat -A POSTROUTING -j SNAT -s local_ip/local_net --to 192.168.1.250
>>>>>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>>>>>
>>>>>>> The Source NAT (SNAT) rule is needed, because otherwise the packets that reach a.b.c.d will be coming from the IP of the local client, not 192.168.1.250, and so 192.168.1.250 will never receive the replies from a.b.c.d.
>>>>>>> Since the packets reach the client directly from a.b.c.d, the client will simply disregard them and will wait for packets coming from .1.250.
>>>>>>>
>>>>>>> So the SNAT rule changes the SOURCE IP of the packets to 1.250 so a.b.c.d will return the answers to the right source.
>>>>>>>
>>>>>>> Marian
>>>>>>>
>>>>>>>> 2011-06-26 23:38:58, "Marian Marinov" <mm at yuhu.biz> wrote:
>>>>>>>>
>>>>>>>>> On Sunday 26 June 2011 12:53:07 muiz wrote:
>>>>>>>>>> Dear all,
>>>>>>>>>>
>>>>>>>>>> I would like to forward a port to an internet server, but failed. Can you help me?
>>>>>>>>>>
>>>>>>>>>> Server: eth0: 192.168.1.250, Port: 8080 TCP, CentOS 5.6
>>>>>>>>>> Remote server: IP: a.b.c.d Port: 8181
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Forward path: client1(192.168.1.10) -> 192.168.1.250:8080 (forward) -> a.b.c.d Port: 8181
>>>>>>>>>> -----------------------------------------
>>>>>>>>>> In Fedora, I successfully configured the firewall using system-config-firewall and the iptables command:
>>>>>>>>>> 1. Run system-config-firewall
>>>>>>>>>>    1.1 open local port 8080
>>>>>>>>>>    1.2 add a forward rule: local 8080 to remote a.b.c.d:8181, tcp
>>>>>>>>>> 2. echo 1 > /proc/sys/net/ipv4/ip_forward
>>>>>>>>>> 3. add an iptables rule: /sbin/iptables -t nat -A POSTROUTING -d a.b.c.d -p tcp --dport 8181 -j MASQUERADE
>>>>>>>>>> That's all.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Thanks!
>>>>>>>>> You have to use Destination NAT for the job:
>>>>>>>>>
>>>>>>>>> iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 8080 --to a.b.c.d:8181
>>>>>>>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>>>>>>>
>>>>>>>>> If you have more than one IP on the local machine, it's a good idea to specify the destination: -d 192.168.1.250
>>>>>>>>>
>>>>>>>>> Marian
>>>>>>>> _______________________________________________
>>>>>>>> CentOS mailing list
>>>>>>>> CentOS at centos.org
>>>>>>>> http://lists.centos.org/mailman/listinfo/centos
>>>
>>
>>Actually, a very BIG difference between the two scripts is that on Fedora he redirects port 8080 to a.b.c.d 8080, but in the OP he said a.b.c.d uses port 8181!!!
>>
>>And if correcting the port does not help, then he can try the additional rule:
>>
>>-A FORWARD -i eth+ -p tcp -d a.b.c.d --dport 8080 -j ACCEPT
>>
>>
>>Ljubomir
>

Please do not top post; write your answers below the text, like us. This is what you posted:

> I checked the Fedora iptables setting in the /etc/sysconfig/iptables file:
>
> :POSTROUTING ACCEPT [0:0]
>
> -A PREROUTING -i eth+ -p tcp --dport 8080 -j DNAT --to-destination a.b.c.d:8080
> ....
>
> :OUTPUT ACCEPT [0:0]
>
> -A FORWARD -i eth+ -m state --state NEW -m tcp -p tcp -d a.b.c.d --dport 8080 -j ACCEPT

"--to-destination a.b.c.d:8080" means your Fedora box is redirecting traffic to remote port 8080, not 8181 like you asked on this list.

Ljubomir
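One way to put the thread's DNAT/SNAT advice together on the CentOS box, as an added example that is not a script from the list: it inserts the FORWARD accept rules ahead of the REJECT-all that muiz's `iptables -L` shows in his FORWARD chain (rules appended with -A would land after the REJECT and never match), and it restricts SNAT to the forwarded flow rather than a whole source subnet. The interface name eth0 and the `a.b.c.d` placeholder are assumptions; set DRY_RUN=1 to print the commands instead of executing them.

```shell
#!/bin/sh
# Forward TCP LOCAL_IP:LOCAL_PORT on a single-homed forwarder to REMOTE_IP:REMOTE_PORT.
# Added example for this thread, not a script posted on the list. REMOTE_IP
# keeps the thread's a.b.c.d placeholder and must be replaced with a real address.
LAN_IF="${LAN_IF:-eth0}"               # interface facing the LAN clients (assumed)
LOCAL_IP="${LOCAL_IP:-192.168.1.250}"  # the forwarder's own address (SNAT source)
LOCAL_PORT="${LOCAL_PORT:-8080}"
REMOTE_IP="${REMOTE_IP:-a.b.c.d}"      # placeholder from the thread
REMOTE_PORT="${REMOTE_PORT:-8181}"

# Emit the rule set one command per line so it can be reviewed before it runs.
pf_rules() {
    # Packets are not routed between interfaces unless this sysctl is 1.
    echo "sysctl -w net.ipv4.ip_forward=1"
    # 1) Rewrite the destination of LAN traffic aimed at LOCAL_IP:LOCAL_PORT.
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp -d $LOCAL_IP --dport $LOCAL_PORT -j DNAT --to-destination $REMOTE_IP:$REMOTE_PORT"
    # 2) The FORWARD chain in the poster's 'iptables -L' ends in REJECT-all, so
    #    accept rules are inserted at the top (-I ... 1), not appended after it.
    #    FORWARD sees the post-DNAT destination, hence the match on REMOTE_IP.
    echo "iptables -I FORWARD 1 -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -I FORWARD 1 -i $LAN_IF -p tcp -d $REMOTE_IP --dport $REMOTE_PORT -m state --state NEW -j ACCEPT"
    # 3) Source NAT only the forwarded flow, so the remote host replies to
    #    LOCAL_IP (which un-NATs them for the client) instead of straight to
    #    the client, which would discard replies from an unexpected peer.
    echo "iptables -t nat -A POSTROUTING -p tcp -d $REMOTE_IP --dport $REMOTE_PORT -j SNAT --to-source $LOCAL_IP"
}

# Run the rules in order, or just print them when DRY_RUN=1.
apply_rules() {
    pf_rules | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "$cmd"
        else
            $cmd || { echo "failed: $cmd" >&2; exit 1; }
        fi
    done
}
```

Matching SNAT on the destination also avoids depending on the client subnet; note that the client in the original post is 192.168.1.10, which the thread's `-s 192.168.0.0/255.255.255.0` match would not cover.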