
[long] NAT & port forwarding iptables problem


We have set up a potato firewall using IPTABLES
(with Adrian Bunk's packages, but with kernel 2.4.3-pre6,
compiled by myself). It should do 
masquerading and port forwarding (we want connections
to ports 25 and 80 forwarded to our mail and web server,
besides some other things).

It mostly works as it is now, except for one problem:

From the outside world, everything works perfectly,
and ports are forwarded:

jeronimo@pinheiros:~$ telnet xxx.xxx.xxx.xxx 80
Trying xxx.xxx.xxx.xxx...
Connected to xxx.xxx.xxx.xxx.
Escape character is '^]'.

From the internal network (, it seems
that ports are being forwarded, but after the connection
is established, nothing else happens:

jeronimo@juno:~$ telnet firewall 80
Trying xxx.xxx.xxx.xxx...

After zeroing the counters in the nat table, and trying
to connect from the internal LAN, it seems that the 
connection was forwarded:

 1    60 DNAT       tcp  --  *      *    
          xxx.xxx.xxx.xxx    tcp dpt:80 to: 
(line broken for readability)

Using the following rule:

$IPTABLES -t nat -A PREROUTING -p tcp -d --dport 80 \
        -j DNAT --to $WEB_SERVER:80

And trying to connect to the firewall's internal IP doesn't
work either:

jeronimo@juno$ telnet 80

sniffit shows that the connection was open, since some
files were generated, but the files were not closed. 

We have already tried disabling all port blocking, and
using ACCEPT as policy for INPUT, FORWARD, and OUTPUT,
and only setting up masquerading and port forwarding,
and the problem persists. 

The servers do not have any firewall rules, and connecting
to them using their internal IPs works:

jeronimo@juno:~$ telnet 80
Connected to
Escape character is '^]'.

These are the rules in the nat table:

IFACE=eth0     # external
IFACE_IN=eth1  # internal
HOSTIP=xxx.xxx.xxx.xxx # external IP number


    echo 1 > /proc/sys/net/ipv4/ip_forward

              -j MASQUERADE

    $IPTABLES -t nat -A PREROUTING -d $HOSTIP -p tcp --dport 25 \
              -j DNAT --to $MAIL_SERVER:25

    $IPTABLES -t nat -A PREROUTING -p tcp -d $HOSTIP --dport 80 \
              -j DNAT --to $WEB_SERVER:80

So... Shouldn't this work for the internal LAN too?

What could we be doing wrong here? I've read the NAT-HOWTO,
and a few other documents on iptables, and I don't see
what we could have done wrong... 

Thanks a lot,

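Editor's added example, not part of the original post: a complete nat-table script for the two-interface setup described above, covering the case the post asks about, a LAN client connecting to the firewall's public address. It keeps the interface and variable names from the post; the LAN subnet 192.168.1.0/24, the firewall's own LAN address 192.168.1.1, the server addresses 192.168.1.10 and 192.168.1.11 and the public address 203.0.113.5 are placeholders chosen here. Run without arguments it only prints the rules so they can be reviewed; pass `apply` to install them.

```shell
#!/bin/sh
# Added example (not from the original post): complete nat-table ruleset for a
# two-interface Linux firewall that masquerades a LAN and forwards ports 25 and
# 80 to internal servers, including the "hairpin" case of a LAN client
# connecting to the firewall's public address.
#
# Assumed values (placeholders, not from the post): the LAN subnet, the
# firewall's LAN address, the two server addresses and the public address.
IPTABLES="${IPTABLES:-/sbin/iptables}"
IFACE="${IFACE:-eth0}"                      # external interface (from the post)
IFACE_IN="${IFACE_IN:-eth1}"                # internal interface (from the post)
HOSTIP="${HOSTIP:-203.0.113.5}"             # public IP (assumed, documentation range)
LAN="${LAN:-192.168.1.0/24}"                # internal subnet (assumed)
LAN_IP="${LAN_IP:-192.168.1.1}"             # firewall's own LAN address (assumed)
WEB_SERVER="${WEB_SERVER:-192.168.1.10}"    # assumed
MAIL_SERVER="${MAIL_SERVER:-192.168.1.11}"  # assumed

# Emit the rules needed to forward TCP port $1 on $HOSTIP to server $2.
forward_port() {
    port=$1
    server=$2
    # Connections arriving from the Internet: plain DNAT, as in the post.
    echo "$IPTABLES -t nat -A PREROUTING -i $IFACE -d $HOSTIP -p tcp --dport $port -j DNAT --to-destination $server:$port"
    # Connections from the LAN to the public address: the same DNAT ...
    echo "$IPTABLES -t nat -A PREROUTING -i $IFACE_IN -d $HOSTIP -p tcp --dport $port -j DNAT --to-destination $server:$port"
    # ... plus SNAT, because after DNAT client and server share a subnet: the
    # server would answer the client directly from its private address, the
    # client expects the SYN/ACK from $HOSTIP and drops it, and the connection
    # hangs right after the SYN. Rewriting the source to the firewall's LAN
    # address forces the reply back through the firewall, where conntrack
    # undoes both translations.
    echo "$IPTABLES -t nat -A POSTROUTING -o $IFACE_IN -s $LAN -d $server -p tcp --dport $port -j SNAT --to-source $LAN_IP"
}

# Print the whole ruleset, one command per line, without executing anything.
nat_rules() {
    echo "$IPTABLES -t nat -F"   # start clean so re-running does not duplicate rules
    echo "$IPTABLES -t nat -A POSTROUTING -o $IFACE -s $LAN -j MASQUERADE"
    forward_port 25 "$MAIL_SERVER"
    forward_port 80 "$WEB_SERVER"
}

# Enable forwarding and install the rules (needs root).
apply_nat_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    nat_rules | sh -e
}

# "sh nat.sh" prints the ruleset for review; "sh nat.sh apply" installs it.
case "${1:-}" in
    apply) apply_nat_rules ;;
    *)     nat_rules ;;
esac
```

The symptom in the post (the DNAT counter increments, telnet prints "Trying ..." and then nothing) is what the missing POSTROUTING SNAT rule looks like from the client: the SYN is translated and reaches the server, but the SYN/ACK comes straight back from the server's private address and the client ignores it. After applying the rules, `iptables -t nat -L -v -n` should show both the DNAT and the SNAT counter for port 80 increasing on a connection from the LAN. The cost of the SNAT is that the server's logs show the firewall's LAN address instead of the real client for hairpinned connections; the usual alternative is split DNS, so LAN clients resolve the server's private address and never go through the firewall at all.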