
Re: Port forwarding problems



On Thursday 01 August 2002 18:07, af af wrote:
> The http server works fine in the local net, I am able
> to use it from the fw box also. But the portforwarding
> doesn't work (ie the server is not visible from
> outside). Also, no traces of the connection appear in
> /proc/net/ip_conntrack.
>
> I'm using the following ruleset for testing:
> (eth0 is the external interface,
> 10.111.111.11 is the http server in the local net)
> ----------------------------------------------
> insmod ip_conntrack
> insmod ip_nat_ftp
> insmod ip_conntrack_ftp
> insmod ip_conntrack_irc
>
> iptables -F
> iptables -t nat -F
> iptables -X
>
> iptables -P INPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -P OUTPUT ACCEPT
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
> iptables -t nat -A PREROUTING -p tcp --dport 80 \
>          -i eth0 -j DNAT --to 10.111.111.11:80
>
> echo "1" > /proc/sys/net/ipv4/ip_forward
> ----------------------------------------------
>
> Any comments?

The only thing I can think of right now is that the input interface 
might be "misunderstood". Perhaps try to match with the source IP 
instead by using

iptables -t nat -A PREROUTING -p tcp --dport 80 -s ! <internalnet> \
  -j DNAT --to 10.111.111.11:80

with <internalnet> set to something like 10.111.111.0/24 or whatever 
matches your configuration. You could also check, after setting up the 
rules and trying to connect from an external host, whether packets were 
matched. You can do this with

iptables -t nat -nvL

which prints packet and byte counts for every rule.

-- 
Embedded Linux -- True multitasking!
TWO TOASTS AT THE SAME TIME!
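As an added example (not part of the thread), here is a small Python helper that parses two snapshots of `iptables -t nat -nvL` output and reports whether new connection attempts hit the DNAT rule, fell through to the chain policy, or never reached PREROUTING at all; the snapshot text and its counters are constructed.

```python
import re

# Two snapshots of `iptables -t nat -nvL`, taken before and after an outside host
# tries to connect to port 80 (constructed output: counters invented, rule as quoted above).
BEFORE = """\
Chain PREROUTING (policy ACCEPT 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:10.111.111.11:80
"""
# Afterwards the policy counter grew, but the DNAT rule still shows 0 hits.
AFTER = BEFORE.replace("policy ACCEPT 12 packets", "policy ACCEPT 15 packets")

_MULT = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}

def _count(tok):
    """Parse a counter such as '14' or '2K' (iptables abbreviates without -x)."""
    m = re.fullmatch(r"(\d+)([KMG]?)", tok)
    return int(m.group(1)) * _MULT[m.group(2)]

def parse_nat_table(text):
    """Map chain name -> {'policy': pkts that fell through, 'rules': [(key, pkts)]}."""
    chains, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy \S+ (\S+) packets)?", line)
        if m:
            cur = m.group(1)
            chains[cur] = {"policy": _count(m.group(2) or "0"), "rules": []}
            continue
        f = line.split()
        if cur is None or not f or f[0] == "pkts":
            continue
        # columns: pkts bytes target prot opt in out source destination [matches]
        key = " ".join([f[2], f[5], f[6]] + f[9:])
        chains[cur]["rules"].append((key, _count(f[0])))
    return chains

def prerouting_deltas(before, after):
    """Counter growth in PREROUTING; the nat table sees only a connection's first packet."""
    b, a = parse_nat_table(before)["PREROUTING"], parse_nat_table(after)["PREROUTING"]
    prev = dict(b["rules"])
    rules = {k: p - prev.get(k, 0) for k, p in a["rules"]}
    return {"policy": a["policy"] - b["policy"], "rules": rules}

def diagnose(before, after):
    """Did new connections hit the DNAT rule, miss it, or never reach the box?"""
    d = prerouting_deltas(before, after)
    if any(v > 0 for k, v in d["rules"].items() if k.startswith("DNAT ")):
        return "dnat matched"
    if d["policy"] > 0:
        return "reached PREROUTING but did not match the DNAT rule"
    return "no new connections reached PREROUTING"
```

A growing policy counter with a flat DNAT counter means the packets reach the box but the rule's matches (here `-i eth0`) do not apply to them, which is exactly the case the reply above suspects.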