Re: Port forwarding problems
On Thursday 01 August 2002 18:07, af af wrote:
> The http server works fine in the local net, I am able
> to use it from the fw box also. But the portforwarding
> doesn't work (ie the server is not visible from
> outside). Also, no traces of the connection appear in
> /proc/net/ip_conntrack.
>
> I'm using the following ruleset for testing:
> (eth0 is the external interface,
> 10.111.111.11 is the http server in the local net)
> ----------------------------------------------
> insmod ip_conntrack
> insmod ip_nat_ftp
> insmod ip_conntrack_ftp
> insmod ip_conntrack_irc
>
> iptables -F
> iptables -t nat -F
> iptables -X
>
> iptables -P INPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -P OUTPUT ACCEPT
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
> iptables -t nat -A PREROUTING -p tcp --dport 80 \
> -i eth0 -j DNAT --to 10.111.111.11:80
>
> echo "1" > /proc/sys/net/ipv4/ip_forward
> ----------------------------------------------
>
> Any comments?
The only thing I can think of right now is that the input interface
might be "misunderstood". Perhaps try to match with the source IP
instead by using
iptables -t nat -A PREROUTING -p tcp --dport 80 -s ! <internalnet> \
-j DNAT --to 10.111.111.11:80
with <internalnet> set to something like 10.111.111.0/24 or whatever
matches your configuration. You could also check, after setting up the
rules and trying to connect from an external host, whether packets were
matched. You can do this with
iptables -t nat -nvL
which prints packet and bytecounts for every rule.
--
Embedded Linux -- True multitasking!
TWO TOASTS AT THE SAME TIME!
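The counter check suggested above, as an added example that is not part of this thread: a small POSIX shell helper that reads the output of `iptables -t nat -nvL`, compares the DNAT rule's packet counter with the PREROUTING chain's policy counter (packets that reached the chain but matched no rule), and says which of the two situations you are in. The `iptables` output embedded below is constructed to mirror the quoted ruleset after one external connection attempt.

```shell
#!/bin/sh
# Constructed sample of `iptables -t nat -nvL` output (not captured from a real box):
# the DNAT rule has matched nothing, but 12 packets hit PREROUTING and fell
# through to the chain policy, i.e. traffic arrived but the rule did not match.
SAMPLE_NAT_OUTPUT='Chain PREROUTING (policy ACCEPT 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:10.111.111.11:80

Chain POSTROUTING (policy ACCEPT 3 packets, 180 bytes)
 pkts bytes target     prot opt in     out     source               destination
    5   300 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 3 packets, 180 bytes)
 pkts bytes target     prot opt in     out     source               destination
'

# dnat_packet_count <nvL text> <dport>: packet counter of the first DNAT rule
# whose match includes "dpt:<dport>"; prints nothing if no such rule exists.
dnat_packet_count() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $3 == "DNAT" && $0 ~ ("dpt:" port "( |$)") { print $1; exit }
    '
}

# chain_policy_packets <nvL text> <chain>: packets that reached the chain
# and matched none of its rules (the "policy ... N packets" counter).
chain_policy_packets() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        $1 == "Chain" && $2 == chain { sub(/.*policy [A-Z]+ /, ""); print $1; exit }
    '
}

# diagnose_dnat <nvL text> <dport>: one of
#   no-dnat-rule | dnat-matched | arrived-but-unmatched | nothing-arrived
diagnose_dnat() {
    pkts=$(dnat_packet_count "$1" "$2")
    unmatched=$(chain_policy_packets "$1" PREROUTING)
    if [ -z "$pkts" ]; then
        echo "no-dnat-rule"            # no DNAT rule for that port at all
    elif [ "$pkts" -gt 0 ]; then
        echo "dnat-matched"            # rule fires; look at FORWARD/conntrack next
    elif [ "${unmatched:-0}" -gt 0 ]; then
        echo "arrived-but-unmatched"   # packets reach PREROUTING but miss the rule
    else
        echo "nothing-arrived"         # nothing external reached the firewall
    fi
}

diagnose_dnat "$SAMPLE_NAT_OUTPUT" 80
```

On a live box, run it as root against the real table with `diagnose_dnat "$(iptables -t nat -nvL)" 80`; "arrived-but-unmatched" is the symptom the input-interface suggestion above is aimed at.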