
Port forwarding - problem resolved



Now I know why it did not work, but here is a more exact (and easy to
understand) explanation for those who are interested:

One more time: the situation:

    |
    |
    |   1.2.3.5______
    |-------| BOX 3 |
    |       ---------
    |
____|1.2.3.4
|  BOX 1  |
-----------
       |192.168.2.1
       |
       |
       |
       |
_______|_192.168.2.3
| BOX 2 |
---------

Boxen 3 and 1 are on the real Internet.
Boxen 2 and 1 are also connected to an unroutable LAN.
Therefore box1 masquerades for box2 (using ipchains on a 2.2.x kernel).
There are web servers on port 80 on boxen 1 and 2.
The firewall rules on box 1 are in the attachment.

Recently I wanted to forward port 8888 on box1 to port 80 on box 2 (so that
the machines on the Internet can use the web server on box 2).
After reading a lot of web pages I managed to understand that on kernel
2.2.x I have to use "ipmasqadm portfw" to achieve this.
The rules I made using it are in the attachment.

Do not get me wrong: this WORKS JUST OK!
(i.e. when I connect from box3 to "http://box1:8888/" I _can_ see box2's web
server.)

But, for some weird reasons too complicated to explain here, I wanted to
see box2's web server via http://box1:8888/ from box1 as well as
from box2. (I know I could connect directly to http://box2:80/ in such a case,
but I needed a unique address.)
And this did not work! (even though I praised the Lord :)

Here came the psychical breakdown and the list crossposting :))

Then I downloaded lots of web pages about masquerading and read them until
2:00 A.M. And then in some FAQ I found the information that it simply
will not work because of the way the forwarding is implemented.
:(

But after a discussion here we decided we can do it another way anyway, so we
do not need such weird forwarding now.

One way or another, thanks for your answers :)

cheers

-- 

---------------------------------------------------
Marcin Owsiany
porridge@lo4.ids.bielsko.pl
---------------------------------------------------
Script started on Wed Jun 30 18:53:38 1999
[root@pandora /root]# ipchains -L -n
Chain input (policy ACCEPT):
target     prot opt     source                destination           ports
ACCEPT     all  ------  192.168.2.0/24        0.0.0.0/0             n/a
ACCEPT     all  ------  0.0.0.0/0             1.2.3.4               n/a
ACCEPT     all  ------  0.0.0.0/0             0.0.0.0/0             n/a
Chain forward (policy ACCEPT):
target     prot opt     source                destination           ports
MASQ       all  ------  192.168.2.0/24        0.0.0.0/0             n/a
Chain output (policy ACCEPT):
target     prot opt     source                destination           ports
ACCEPT     all  ------  0.0.0.0/0             192.168.2.0/24        n/a
ACCEPT     all  ------  1.2.3.4               0.0.0.0/0             n/a
ACCEPT     all  ------  0.0.0.0/0             0.0.0.0/0             n/a
[root@pandora /root]# ipmasqadm portfw -l -n
prot localaddr            rediraddr               lport    rport  pcnt  pref
TCP  127.0.0.1            192.168.2.3              8888       80    10    10
TCP  192.168.2.1          192.168.2.3              8080       80    10    10
TCP  1.2.3.4              192.168.2.3              8888       80    10    10
[root@pandora /root]# telnet 192.168.2.1 8888
Trying 192.168.2.1...
telnet: Unable to connect to remote host: Connection refused
[root@pandora /root]# telnet 1.2.3.4 8888
Trying 1.2.3.4...
telnet: Unable to connect to remote host: Connection refused
[root@pandora /root]# telnet localhost 8888
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused
[root@pandora /root]# telnet 192.168.2.3 80
Trying 192.168.2.3...
Connected to 192.168.2.3.
Escape character is '^]'.
get
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>501 Method Not Implemented</TITLE>
</HEAD><BODY>
<H1>Method Not Implemented</H1>
get to /index.html not supported.<P>
</BODY></HTML>
Connection closed by foreign host.
[root@pandora /root]# exit

Script done on Wed Jun 30 18:57:02 1999
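The three client positions the post tried (box3 on the Internet, box1 itself, box2 on the LAN) are exactly the three paths a kernel NAT implementation has to hook separately, which is why 2.2.x portfw only covered the first. The script below is an added example, not part of the original post or of ipmasqadm: it expresses the same 8888 -> 192.168.2.3:80 forward with iptables (2.4 and later kernels), one rule per path. Addresses reuse the post's diagram; the assumption that the existing filter rules already accept ESTABLISHED/RELATED replies and that net.ipv4.ip_forward is on (the masquerading setup implies it) is mine. By default it only prints the rules; set IPT=iptables to load them.

```shell
#!/bin/sh
# Added example, not from the original post: port 8888 on box1 (1.2.3.4)
# forwarded to the web server on box2 (192.168.2.3:80) for clients on the
# Internet, on box1 itself, and on the LAN. Dry-run by default.
set -eu

IPT="${IPT:-echo iptables}"   # IPT=iptables ./portfw.sh to actually load the rules
EXT_IP=1.2.3.4                # box1's Internet address (from the post's diagram)
EXT_PORT=8888                 # the port the author wanted to publish
LAN_NET=192.168.2.0/24        # the unroutable LAN behind box1
WEB_IP=192.168.2.3            # box2
WEB_PORT=80

portfw_rules() {
    # 1. Clients on the Internet (box3): the packet is being forwarded, so the
    #    nat PREROUTING chain rewrites the destination. This is the path that
    #    already worked with "ipmasqadm portfw".
    $IPT -t nat -A PREROUTING -p tcp -d "$EXT_IP" --dport "$EXT_PORT" \
        -j DNAT --to-destination "$WEB_IP:$WEB_PORT"

    # 2. Clients on box1 itself: locally generated packets never traverse
    #    PREROUTING; the nat OUTPUT chain is the only place they can be DNATed.
    #    This is the path the author found 2.2.x portfw had no hook for.
    #    (Connecting to 127.0.0.1:8888 instead of 1.2.3.4:8888 additionally
    #    needs net.ipv4.conf.all.route_localnet=1 on kernels >= 3.6.)
    $IPT -t nat -A OUTPUT -p tcp -d "$EXT_IP" --dport "$EXT_PORT" \
        -j DNAT --to-destination "$WEB_IP:$WEB_PORT"

    # 3. Clients on the LAN (box2): after the DNAT the packet goes back out the
    #    LAN side still carrying box2's own source address, so box2 would see a
    #    connection from itself and its reply would never pass through box1.
    #    Masquerading the source as well forces the reply back through box1
    #    (hairpin NAT).
    $IPT -t nat -A POSTROUTING -p tcp -s "$LAN_NET" -d "$WEB_IP" --dport "$WEB_PORT" \
        -j MASQUERADE

    # Let the rewritten connections through the filter table. Replies are
    # assumed to be accepted by an existing ESTABLISHED,RELATED rule.
    $IPT -A FORWARD -p tcp -d "$WEB_IP" --dport "$WEB_PORT" \
        -m conntrack --ctstate NEW -j ACCEPT
}

portfw_rules
```

Run it once without IPT set and read the four rules it prints before loading them; the OUTPUT-chain rule is the one that would have made the author's `telnet 1.2.3.4 8888` from box1 succeed, and the POSTROUTING masquerade is what keeps the same test working from box2.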
