
Re: Portforwarding



--- Jan Tammen <luser@tammen.net> (2001-09-28 19:30):
> I'm using potato and kernel 2.4.8. I'm trying to map some ports to a
> client inside my NAT-network. So far I'm using this, but it seems to
> have no effect:
> 
> iptables -t nat -A PREROUTING -p tcp -i mydevice --dport 1111 -j DNAT --to client_ip:1111
> 
> ... and so on, and then:
> 
> iptables -A FORWARD -i mydevice -p tcp -d client_ip --dport 1111 -j ACCEPT
                                         ^^^^^^^^^^^^
I think this is where the problem lies, since the firewall will only
forward requests that it receives that have the destination of the
internal machine, which may well be from a reserved ip address range
(like 192.168.x.x).

What should be happening is the firewall should be forwarding requests
that have the firewall's external interface as the destination.  For
example, if your firewall has the ip address 1.2.3.4 on its internet
facing interface, and 192.168.0.1 on its internal facing interface, then
it'll generally only get destination 1.2.3.4 packets on the external
interface.  The FORWARD line you have above is asking the firewall to
only forward packets that it receives on its 1.2.3.4 interface, but that
have the destination 192.168.0.x.  If your ISP's routers are configured
correctly, you won't get many packets that are not destined for the
1.2.3.4 interface...

I hope all that made some sense :)  Give it a try without the -d option
and see what happens.  For reference, here are the two rules I have to
forward ssh connections from the outside through my firewall to my home
workstation.

# ssh forwarding to my workstation
${IPTABLES} -A FORWARD -p tcp -i ${EXTERNAL_IFACE} -o ${INTERNAL_IFACE} --dport ssh -j ACCEPT
${IPTABLES} -t nat -A PREROUTING -i ${EXTERNAL_IFACE} -p tcp --dport ssh -j DNAT --to 192.168.1.2:22

HTH,
Sean

-- 
Sean Quinlan (smq@gmx.co.uk)
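The setup Sean describes, as an added example that is not part of the original thread: a dry-runnable sh script with his two rules plus the pieces they depend on (ip_forward, a default-deny FORWARD policy, a stateful rule for the return traffic) and a packet-counter check for the "no effect" symptom. One caveat on the `-d` discussion: the nat PREROUTING chain is traversed before the filter FORWARD chain, so a DNAT'ed packet reaches FORWARD with the internal address already in place. Keeping `-d client_ip` in the FORWARD rule is therefore valid and is what confines the forward to one host; dropping it accepts port 1111 to any machine behind the firewall. Interface names (eth0/eth1), the client address 192.168.0.10 and the IPTABLES variable are placeholders, not from the page.

```shell
#!/bin/sh
# Added example, not code from the thread. Port forwarding in the style of
# Sean's two rules, plus the surrounding pieces a practitioner needs.
# Assumed placeholders (not from the page): eth0/eth1, 192.168.0.10, the
# IPTABLES variable. IPTABLES=echo turns every call into a dry run.

IPTABLES="${IPTABLES:-iptables}"
EXTERNAL_IFACE="${EXTERNAL_IFACE:-eth0}"
INTERNAL_IFACE="${INTERNAL_IFACE:-eth1}"

# Forwarding is off by default on Linux; without this no FORWARD rule matters.
enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Default-deny forwarding; only explicitly forwarded flows get through.
base_rules() {
    "$IPTABLES" -P FORWARD DROP
    # Return traffic for flows accepted below (reply packets arrive on the
    # internal interface and never match the NEW rule in forward_port).
    "$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN-originated traffic to the outside (the MASQUERADE rule that goes
    # with it is outside the scope of this example).
    "$IPTABLES" -A FORWARD -i "$INTERNAL_IFACE" -o "$EXTERNAL_IFACE" -j ACCEPT
}

# forward_port PROTO EXT_PORT CLIENT_IP CLIENT_PORT
# nat PREROUTING is traversed before filter FORWARD, so the DNAT rewrite has
# already happened when the packet reaches FORWARD: matching "-d CLIENT_IP"
# there is correct and confines the hole to one host and one port.
forward_port() {
    proto=$1; ext_port=$2; client_ip=$3; client_port=$4
    "$IPTABLES" -t nat -A PREROUTING -i "$EXTERNAL_IFACE" -p "$proto" \
        --dport "$ext_port" -j DNAT --to-destination "$client_ip:$client_port"
    "$IPTABLES" -A FORWARD -i "$EXTERNAL_IFACE" -o "$INTERNAL_IFACE" \
        -p "$proto" -d "$client_ip" --dport "$client_port" \
        -m state --state NEW -j ACCEPT
}

# When a forward "has no effect", the packet counters say which rule is
# (not) being hit: a PREROUTING count of 0 means the DNAT never matched; a
# nonzero PREROUTING count with a 0 FORWARD count means the filter dropped it.
show_counters() {
    "$IPTABLES" -t nat -L PREROUTING -n -v
    "$IPTABLES" -L FORWARD -n -v
}

# Dry-run self-check: render the rules for one forward and confirm the FORWARD
# rule is pinned to the client address and the DNAT rule to the external
# interface. Returns 0 on success, 1 otherwise.
check_rules() {
    rules=$(IPTABLES=echo; EXTERNAL_IFACE=eth0; INTERNAL_IFACE=eth1; forward_port tcp 1111 192.168.0.10 1111)
    echo "$rules" | grep -q -- '-t nat -A PREROUTING -i eth0 -p tcp --dport 1111 -j DNAT --to-destination 192.168.0.10:1111' || return 1
    echo "$rules" | grep -q -- '-A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.0.10 --dport 1111 -m state --state NEW -j ACCEPT' || return 1
    return 0
}

case "${1:-}" in
    apply)   enable_forwarding; base_rules; forward_port tcp 1111 192.168.0.10 1111 ;;
    dry-run) IPTABLES=echo; base_rules; forward_port tcp 1111 192.168.0.10 1111 ;;
    status)  show_counters ;;
esac
```

Run it as `sh fwd.sh dry-run` to see the rules it would install, `sh fwd.sh apply` (as root) to install them, and `sh fwd.sh status` to read the counters. `-m state` is the match available on the 2.4 kernels of the thread; on current kernels `-m conntrack --ctstate` is the equivalent spelling.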


