Re: iptables port fowarding?

To: Rick Pasotto <rick@niof.net>
Cc: debian-user@lists.debian.org
Subject: Re: iptables port fowarding?
From: Michel Loos <loos@qt1.iq.usp.br>
Date: 17 Feb 2002 21:37:58 -0300
Message-id: <[🔎] 1013992680.23238.69.camel@michel>
In-reply-to: <[🔎] 20020217235508.GK22233@tc.niof.net>
References: <[🔎] 20020217053708.GF22233@tc.niof.net> <[🔎] 20020217114325.GA3752@UnderGrid.net> <[🔎] 20020217235508.GK22233@tc.niof.net>

Em Dom, 2002-02-17 às 20:55, Rick Pasotto escreveu:
> On Sun, Feb 17, 2002 at 03:43:25AM -0800, Jeremy T. Bouse wrote:
> > On Sun, Feb 17, 2002 at 12:37:08AM -0500, Rick Pasotto wrote:
> > > How do I port forward with iptables? With ipchains the command was:
> > > 
> > > ipmasqadm portfw -a -P tcp -L $extip $port -R $intip $port
> > 
> > 	What I have in my firewall rules script built with Firewall
> > Builder 1.0.0 (fwbuilder) to do port forwarding is:
> > 
> > iptables -t nat -A PREROUTING -p tcp -s <SRC_IP> -d <EXT_IP>
> > --destination-port <PORT> -j DNAT --to-destination <INT_IP>:<PORT>
> > 
> > 	This works very good... In fact all my machines are behind the
> > firewall and only have what ports are forward'd in available...
> 
> OK. Here is the rule I used:
> 
> iptables -t nat -A PREROUTING -p tcp -s 64.34.82.201 -d 192.168.0.1
> --destination-port 2047 -j DNAT --to-destination 192.168.0.5:2047
> 
> When I activate the program on the windows box (192.168.0.5) tcpdump
> reports lots of hits on eth0 port 2047 but nothing on eth1 port 2047
> and the program doesn't respond like it should.
> 

Your rule is for connections originating at ip 64.34.82.201 with
destination to port 2047 on 192.168.0.1 which is nearly to impossible 
since the 192.168 is not visible to 64.34.82.201.

+ it seems you want to do somethin originating at 192.168.0.5 while this
is the final destination of your routing.

What you meant is probably any source (omit the -s) -d 64.34.82.201 (if
this is the public IP of your frontend) remainder seems fine.

> What am I misunderstanding? Does it matter whether the SNAT (to do
> masquerading) or the DNAT rule comes first?
> 

No PREROUTING (dnat) is always treated before POSTROUTING (snat)


> Also, how do you list the nat chains? 'iptables -L' only lists the
> filter chains.
> 

iptables -L -t nat

Michel.

> -- 
> If each man has the right to defend, even by force, his person,
> his liberty, and his property, several men have the right to get
> together, come to an understanding, and organize a collective
> force to provide regularly for this defense.
> 	-- Frédéric Bastiat (1801-1850)
>     Rick Pasotto    rickp@telocity.com    http://www.niof.net
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-user-request@lists.debian.org 
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> 
>

Reply to:

Follow-Ups:
- PAM Critical error, but no logging
  - From: Xeno Campanoli <xeno@eskimo.com>

References:
- iptables port fowarding?
  - From: Rick Pasotto <rick@niof.net>
- Re: iptables port fowarding?
  - From: "Jeremy T. Bouse" <jbouse@debian.org>
- Re: iptables port fowarding?
  - From: Rick Pasotto <rick@niof.net>

Prev by Date: Re: iptables port fowarding?
Next by Date: Re: Problem with postfix relaying
Previous by thread: Re: iptables port fowarding?
Next by thread: PAM Critical error, but no logging
Index(es):
- Date
- Thread