I've just set up a new machine running Debian testing with a 2.6.15 kernel and I'm having some real trouble getting port forwarding to work. I've got two NICs and I'm using the following simple firewall script:

----------------------------------------------------------------------------------------------------
EXTIF="external"        # used ifrename to rename interface (see below for details)
INTIF="internal"
EXTIP="216.125.24.45"
PORTFWIP="192.168.1.120"
IPTABLES=/sbin/iptables

echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward

# inbound connections to the forwarded service, outside -> inside
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 8090 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# rewrite the destination of inbound 8090 traffic to the internal host
# (the nat table only sees the first packet of a connection, so the state match here is redundant)
$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 8090 -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to-destination $PORTFWIP:8090
# inbound packets of connections conntrack already knows about (e.g. replies to LAN-initiated traffic)
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
# anything from inside going out
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
# log whatever falls through (the chain policy is ACCEPT, so this only logs, it does not drop)
$IPTABLES -A FORWARD -j LOG

echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
----------------------------------------------------------------------------------------------------

I've been trying to telnet from an external machine to 216.125.24.45:8090, in the hope that it'll be forwarded to 192.168.1.120:8090, but no matter what I do, I can't get the forwarding to work.
If I run tcpdump on the gateway machine (216.125.24.45) with:

    sudo tcpdump -i internal tcp port 8090 and src or dst net 192.168.1.120 -vv

and then try to telnet to port 8090 from another machine on the internet, I get the following:

00:29:14.353035 IP (tos 0x0, ttl 54, id 18514, offset 0, flags [DF], proto: TCP (6), length: 60) wilshire.dreamhost.com.55787 > 192.168.1.120.8090: S, cksum 0x1463 (correct), 2921922032:2921922032(0) win 65535 <mss 1400,nop,wscale 0,nop,nop,timestamp 1065216778 0>
00:29:17.130277 IP (tos 0x0, ttl 54, id 18517, offset 0, flags [DF], proto: TCP (6), length: 60) wilshire.dreamhost.com.55787 > 192.168.1.120.8090: S, cksum 0x145e (correct), 2921922032:2921922032(0) win 65535 <mss 1400,nop,wscale 0,nop,nop,timestamp 1065216783 0>
00:29:20.141817 IP (tos 0x0, ttl 54, id 18520, offset 0, flags [DF], proto: TCP (6), length: 60) wilshire.dreamhost.com.55787 > 192.168.1.120.8090: S, cksum 0x1458 (correct), 2921922032:2921922032(0) win 65535 <mss 1400,nop,wscale 0,nop,nop,timestamp 1065216789 0>
00:29:23.140816 IP (tos 0x0, ttl 54, id 18523, offset 0, flags [DF], proto: TCP (6), length: 44) wilshire.dreamhost.com.55787 > 192.168.1.120.8090: S, cksum 0x8c09 (correct), 2921922032:2921922032(0) win 65535 <mss 1400>
00:29:26.136867 IP (tos 0x0, ttl 54, id 18525, offset 0, flags [DF], proto: TCP (6), length: 44) wilshire.dreamhost.com.55787 > 192.168.1.120.8090: S, cksum 0x8c09 (correct), 2921922032:2921922032(0) win 65535 <mss 1400>

and then in /var/log/kern.log, I see the following:

Apr 12 23:38:53 asterisk kernel: IN=external OUT=internal SRC="" DST=192.168.1.120 LEN=44 TOS=0x00 PREC=0x00 TTL=54 ID=14381 DF PROTO=TCP SPT=55698 DPT=8090 WINDOW=65535 RES=0x00 SYN URGP=0

If I then run tcpdump on the internal machine (192.168.1.120, a FreeBSD box) with:

    sudo tcpdump -vv -i em0 port 8090

I get:

00:32:30.014144 IP (tos 0x0, ttl 47, id 19712, offset 0, flags [DF], proto: TCP (6), length: 60) wilshire.dreamhost.com.47191 > 192.168.1.120.8090: S, cksum 0xb12b (correct), 4194765628:4194765628(0) win 5840 <mss 1400,sackOK,timestamp 21967827 0,nop,wscale 0>

So it looks like packets are actually being forwarded from the external machine (216.125.24.45) to the internal machine (192.168.1.120), but unfortunately I can't make a connection; my telnet client just sits there. I've tried forwarding many different services, such as http, ssh, etc., but the same thing happens (at the moment I'm just using a simple Ruby TCP server on port 8090 which responds with the current date/time).

So as far as I can tell, I'm doing everything right, I've got all the proper modules loaded, but for some reason forwarding just refuses to work properly. Also, if I try to telnet from the gateway machine directly to 192.168.1.120:8090, it works perfectly. I've used this exact same setup on a few other boxes in the past and I've had no problems.

The only thing I can think of which may be responsible for this problem is that I'm using ifrename to map my network cards to different names, such as "internal" and "external" instead of eth0 and eth1 (I had to map names to MAC addresses for the cards, because they were randomly being assigned to different ethernet interfaces upon each boot, i.e. sometimes my D-Link card would be eth0, other times it would be eth1).

I'd really like to get this to work, since I have a bunch of SIP phones behind my firewall, and I'd like to be able to port forward to them so I can receive calls. If anyone has any suggestions or advice, please let me know - I'm starting to pull my hair out on this one!
Thanks in advance,
Mike

Included below is the output from "iptables -t nat -n -L":

----------------------------------------------------------------
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            216.125.24.45       tcp dpt:8090 state NEW,RELATED,ESTABLISHED to:192.168.1.120:8090

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
----------------------------------------------------------------

and "iptables -n -L" shows:

----------------------------------------------------------------
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8090 state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
----------------------------------------------------------------

and "sockstat -4" (BSD command) shows:

mike     ruby       41105 3  tcp4   192.168.1.120:8090    *:*
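Reading the `-j LOG` lines by eye gets tedious once there are more than a handful, so here is an added example (my own code, not from the original post) that parses netfilter LOG lines in the kern.log format shown above and classifies each logged packet against the post's DNAT mapping (216.125.24.45:8090 -> 192.168.1.120:8090, interfaces "external"/"internal"). The sample lines are constructed for the example: 203.0.113.7 and 203.0.113.9 are documentation addresses standing in for remote peers, and the third line is a made-up inbound packet that no DNAT rule produced. The names parse_log_line, classify, syn_retransmits and summarize are my own.

```python
import re
from collections import Counter

# Values taken from the firewall script in the post
EXTIF, INTIF = "external", "internal"
EXTIP, PORTFWIP, FWD_PORT = "216.125.24.45", "192.168.1.120", 8090

# Constructed sample kern.log lines (same layout as the post's LOG output).
# Lines 1-2: the same SYN from one peer, logged twice (a retransmission).
# Line 3: an inbound packet to the LAN host on a port with no DNAT rule.
SAMPLE_KERN_LOG = """\
Apr 12 23:38:53 asterisk kernel: IN=external OUT=internal SRC=203.0.113.7 DST=192.168.1.120 LEN=44 TOS=0x00 PREC=0x00 TTL=54 ID=14381 DF PROTO=TCP SPT=55698 DPT=8090 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 12 23:38:56 asterisk kernel: IN=external OUT=internal SRC=203.0.113.7 DST=192.168.1.120 LEN=44 TOS=0x00 PREC=0x00 TTL=54 ID=14384 DF PROTO=TCP SPT=55698 DPT=8090 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 12 23:40:10 asterisk kernel: IN=external OUT=internal SRC=203.0.113.9 DST=192.168.1.120 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=19801 DF PROTO=TCP SPT=41022 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

_KV = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Turn one netfilter LOG line into a dict.

    KEY=VALUE tokens become entries (decimal values are converted to int);
    bare tokens such as DF, SYN, ACK are collected into pkt["FLAGS"].
    Lines that are not netfilter output return None.
    """
    if "IN=" not in line:
        return None
    body = line.split("kernel:", 1)[-1]
    pkt, flags = {}, set()
    for tok in body.split():
        m = _KV.fullmatch(tok)
        if m:
            key, val = m.groups()
            pkt[key] = int(val) if val.isdigit() else val
        else:
            flags.add(tok)
    pkt["FLAGS"] = flags
    return pkt


def parse_kern_log(text):
    """Parse every netfilter line in a kern.log excerpt, skipping the rest."""
    return [p for p in map(parse_log_line, text.splitlines()) if p]


def classify(pkt):
    """Say what a logged packet means for the EXTIP:FWD_PORT -> PORTFWIP forward.

    A packet that DNAT did not rewrite still carries DST=EXTIP, which is a
    local address, so it goes to INPUT and never reaches FORWARD at all: a
    missing DNAT shows up as the *absence* of "dnat-forwarded" lines.
    """
    tcp = pkt.get("PROTO") == "TCP"
    if (tcp and pkt.get("IN") == EXTIF and pkt.get("OUT") == INTIF
            and pkt.get("DST") == PORTFWIP and pkt.get("DPT") == FWD_PORT):
        return "dnat-forwarded"      # DNAT rewrote DST before FORWARD saw it
    if (tcp and pkt.get("IN") == INTIF and pkt.get("OUT") == EXTIF
            and pkt.get("SRC") == PORTFWIP and pkt.get("SPT") == FWD_PORT):
        return "reply"               # SYN-ACK or data from the internal server going back out
    if pkt.get("IN") == EXTIF and pkt.get("OUT") == INTIF:
        return "unexpected-forward"  # inbound to the LAN that no DNAT rule produced
    return "other"


def syn_retransmits(pkts):
    """Count bare SYNs (SYN set, ACK clear) per (SRC, SPT) flow.

    The same source port sending SYN after SYN with no "reply" packets
    logged means the handshake never completes: the SYN got through, the
    SYN-ACK did not come back through this box.
    """
    counts = Counter()
    for p in pkts:
        if p.get("PROTO") == "TCP" and "SYN" in p["FLAGS"] and "ACK" not in p["FLAGS"]:
            counts[(p["SRC"], p["SPT"])] += 1
    return counts


def summarize(pkts):
    """Histogram of classify() results, as a plain dict."""
    return dict(Counter(classify(p) for p in pkts))


if __name__ == "__main__":
    packets = parse_kern_log(SAMPLE_KERN_LOG)
    print(summarize(packets))
    for flow, n in syn_retransmits(packets).items():
        print(f"{flow[0]}:{flow[1]} sent {n} SYN(s) with no reply logged")
```

Which packets reach the LOG rule depends on where it sits: as the last rule in the posted FORWARD chain it records only what the ACCEPT rules above it did not match, so to see every forwarded packet during a test, temporarily put a logging rule first with `iptables -I FORWARD -j LOG` and remove it afterwards. Two caveats the output makes visible: the posted FORWARD chain has policy ACCEPT, so an "unexpected-forward" packet is logged but still passed on; and MASQUERADE on the external interface does not rewrite the source of DNAT'd inbound packets (the post's tcpdump on 192.168.1.120 shows the original remote source), so the internal host's route back to that source must point at the gateway or the SYN-ACK never comes back through it.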