Re: Netfilter Port Forwarding Problem
Hi!
I have an internet connection (eth0) and an internal interface (eth1).
My goal is to forward the following TCP port: 195.x.x.x:5900 => 192.168.1.6:5900
On Debian/Sarge (Kernel 2.4.27-2-386 / iptables v1.2.11) it works fine:
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 195.x.x.x --dport 5900 -j DNAT --to 192.168.1.6:5900
iptables -A FORWARD -p tcp -i eth0 -d 192.168.1.6 --dport 5900 -j ACCEPT
With nmap, I get this state on port 5900:
Port State Service
5900/tcp open vnc
On Debian/Etch (Kernel 2.6.18-4-k7 / iptables v1.3.6), I get the
"filtered" state and I get connection refused when connecting:
Port State Service
5900/tcp filtered vnc
I think kernel 2.6 has some different security settings than kernel 2.4.
Does anybody know a solution for my problem?
Best regards
Dom
> -----Original Message-----
> From: tomfi [mailto:tomfi@volny.cz]
> Sent: Monday, 30 April 2007 09:25
> To: Makara
> Cc: debian-firewall@lists.debian.org
> Subject: Re: Netfilter Port Forwarding Problem
>
> You don't know why it works? Or you don't know why it does not work?
>
> I think it doesn't work... If you have an Internet-connected
> web server and there is a requirement to establish a connection
> over the local network to the Internet, the web server tries to
> respond over its Internet connection, because the server knows
> a different way to the Internet than your firewall.
>
> That's why.
>
> Tomfi
>
>
> Makara wrote:
> > Hi all,
> >
> > I have 2 internet connections: IP $ipinet1 for other
> > traffic and $ipinet2 for mail. It works properly.
> > I want to allow connections from the internet to
> > my local web server (172.16.0.4) via $ipinet1, so I
> > do port forwarding:
> >
> > iptables -A PREROUTING -t nat -i $ifinet1 -d $ipinet1 -p tcp --dport 80 -j DNAT --to 172.16.0.4:80
> >
> > I allow a FORWARD rule from the firewall to my local
> > web server:
> >
> > iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> >
> > iptables -A FORWARD -p tcp --dport 80 -i $ifinet1 -o $iflocalnet -j ACCEPT
> >
> > I don't know why it does work? if you have any idea
> > please help.
> >
> > Thanks
> >
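Added example (not part of the thread, and not a diagnosis of either poster's setup): a shell function that checks an iptables-save dump for the four things a DNAT port forward like the ones above depends on, namely IP forwarding, the PREROUTING DNAT rule, a FORWARD accept for the internal address, and a path for the replies. The abbreviated sample dump, its DROP policy, the address 203.0.113.10 and the function names are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: audit an iptables-save dump for the
# pieces a DNAT port forward needs. Prints the missing pieces (empty = none).
# usage: audit_forward <dump-file> <internal-ip> <port> <ip_forward value>
audit_forward() {
    dump=$1 port=$3 missing=""
    ip=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for grep -E
    # 1. The kernel must route between interfaces (net.ipv4.ip_forward = 1).
    [ "$4" = "1" ] || missing="$missing ip_forward"
    # 2. nat/PREROUTING must rewrite the destination to ip:port.
    grep -Eq -- "^-A PREROUTING .*-j DNAT --to(-destination)? $ip:$port( |\$)" "$dump" ||
        missing="$missing dnat"
    # 3. FORWARD sees the packet after DNAT, so it must accept the internal ip.
    grep -Eq -- "^-A FORWARD .*-d $ip(/32)? .*--dport $port .*-j ACCEPT" "$dump" ||
        missing="$missing forward_in"
    # 4. Replies from the server cross FORWARD in the other direction: they
    #    need an ACCEPT policy or an ESTABLISHED rule.
    grep -q -- "^:FORWARD ACCEPT" "$dump" ||
        grep -Eq -- "^-A FORWARD .*--(ct)?state [A-Z,]*ESTABLISHED.*-j ACCEPT" "$dump" ||
        missing="$missing forward_reply"
    echo "${missing# }"
}

# Constructed dump modelled on the first rule pair in the thread; the DROP
# policy and the address 203.0.113.10 are assumptions, not values from the page.
sample_two_rules() {
    cat <<'EOF'
*nat
-A PREROUTING -d 203.0.113.10 -i eth0 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 192.168.1.6:5900
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -d 192.168.1.6 -i eth0 -p tcp -m tcp --dport 5900 -j ACCEPT
COMMIT
EOF
}

# Same dump plus the state rule that the quoted message uses.
sample_with_state_rule() {
    sample_two_rules | sed '/^:FORWARD/a\
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT'
}

tmp=$(mktemp) && sample_two_rules > "$tmp"
echo "missing: $(audit_forward "$tmp" 192.168.1.6 5900 "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)")"
rm -f "$tmp"
```

On a live firewall, feed it the output of iptables-save written to a file instead of the sample.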