
Re: iptables natting



* Graham Smith wrote:

> Hi folks,
> 
> I've got a bit of a problem with setting up forwarding on my firewall and I 
> can't seem to figure out what I am doing wrong.
> 
> I have a tomcat server running on port 8080 on a machine in my network. I have 
> set up the following rules so that the outside world can get to it:
> 
> iptables -A FORWARD -i eth0 -o eth1 -d 192.168.0.10 -p tcp -j ACCEPT

You will also need :

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

This is to allow traffic from eth1 to eth0 if it's part of a related or
established connection (a connection is two ways!).

As an aside you may also want to SNAT the outbound connection from the
host which was DNAT'd so that when it instantiates (I don't know if this
will be the case) an outbound connection it appears to have the same
address as when it receives connections.

iptables -t nat -I PREROUTING -p tcp -i eth0 --dport 8080 -j DNAT --to-destination 192.168.0.10

This is what you have, so...

# SNAT lives in the nat table, and the source to rewrite to is the firewall's own
# public eth0 address (placeholder below), not the internal host's address
iptables -t nat -A POSTROUTING -s 192.168.0.10 -o eth0 -j SNAT --to-source <firewall eth0 address>

Will re-write the outbound packets with the correct source address and
the connection should work.

I think it's your FORWARD rule that is missing, that's causing you the
problems though ;-)

Shaun
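Added example, not part of the thread: a small Python model of the path Shaun describes (nat/PREROUTING DNAT, then the FORWARD chain), showing that with only Graham's rule the inbound SYN is forwarded but the server's SYN/ACK coming back from eth1 to eth0 is dropped, and that the RELATED,ESTABLISHED rule is what lets the reply through. The public address 203.0.113.5 and the client 198.51.100.7 are constructed placeholders; conntrack is simplified to "remember tuples of accepted forwards".

```python
from dataclasses import dataclass

EXT_IF, INT_IF = "eth0", "eth1"
PUBLIC_IP = "203.0.113.5"       # constructed placeholder for the firewall's eth0 address
SERVER_IP, PORT = "192.168.0.10", 8080

@dataclass(frozen=True)
class Packet:
    in_if: str
    src: str
    sport: int
    dst: str
    dport: int

class Firewall:
    def __init__(self, state_rule: bool):
        self.state_rule = state_rule          # is Shaun's RELATED,ESTABLISHED rule present?
        self.conntrack = set()                # (src, sport, dst, dport) of accepted forwards

    def prerouting(self, p: Packet) -> Packet:
        # nat/PREROUTING: -p tcp -i eth0 --dport 8080 -j DNAT --to-destination 192.168.0.10
        if p.in_if == EXT_IF and p.dst == PUBLIC_IP and p.dport == PORT:
            return Packet(p.in_if, p.src, p.sport, SERVER_IP, p.dport)
        return p

    def forward(self, p: Packet) -> str:
        out_if = INT_IF if p.dst.startswith("192.168.0.") else EXT_IF   # toy routing decision
        # Graham's rule: -i eth0 -o eth1 -d 192.168.0.10 -p tcp -j ACCEPT
        if p.in_if == EXT_IF and out_if == INT_IF and p.dst == SERVER_IP:
            self.conntrack.add((p.src, p.sport, p.dst, p.dport))
            return "ACCEPT"
        # Shaun's rule: -m state --state RELATED,ESTABLISHED -j ACCEPT
        # The reply is ESTABLISHED when its reverse tuple is a connection we already accepted.
        if self.state_rule and (p.dst, p.dport, p.src, p.sport) in self.conntrack:
            return "ACCEPT"
        return "DROP"                         # chain policy: nothing else matched

def handshake(state_rule: bool) -> tuple:
    """Return the FORWARD verdicts for the client's SYN and the server's SYN/ACK."""
    fw = Firewall(state_rule)
    syn = fw.prerouting(Packet(EXT_IF, "198.51.100.7", 40000, PUBLIC_IP, PORT))
    verdict_in = fw.forward(syn)
    # The server answers from eth1 with the tuple reversed; this is the leg Graham's rule misses.
    synack = Packet(INT_IF, SERVER_IP, PORT, "198.51.100.7", 40000)
    return verdict_in, fw.forward(synack)

if __name__ == "__main__":
    print("Graham's rule only:", handshake(False))   # ('ACCEPT', 'DROP')
    print("plus state rule:   ", handshake(True))    # ('ACCEPT', 'ACCEPT')
```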


