hendrik@topoi.pooq.com wrote:
>
> But it doesn't work.
>
> Lines like
>
> iptables -t nat -A PREROUTING --protocol tcp -d 216.138.195.194 --dport 27012 -j DNAT --to-destination 172.25.1.5:27012 --verbose
> iptables -t nat -A PREROUTING --protocol udp -d 216.138.195.194 --dport 27012 -j DNAT --to-destination 172.25.1.5:27012 --verbose
> iptables -t nat -A POSTROUTING --protocol udp -s 172.25.1.5 --sport 27012 -j SNAT --to-source 216.138.195.194:27012 --verbose
> iptables -t nat -A POSTROUTING --protocol tcp -s 172.25.1.5 --sport 27012 -j SNAT --to-source 216.138.195.194:27012 --verbose
>
> have no effect at all (as checked by iptables --list)

You also need some "FORWARD" rules (don't know if you have them, or not).
E.g.:
/sbin/iptables -A FORWARD -p tcp --dport 27012 -d 172.25.1.5 -j ACCEPT
/sbin/iptables -A FORWARD -p udp --dport 27012 -d 172.25.1.5 -j ACCEPT
> I suspect there's probably a missing kernel module. But which one?
> And where do I find it? The docs for iptables say that it will attempt
> to load any necessary modules, so I presume a simple modprobe isn't
> enough. Or else that it doesn't try hard enough.
This is a very useful example:
http://tldp.org/HOWTO/IP-Masquerade-HOWTO/stronger-firewall-examples.html#RC.FIREWALL-IPTABLES-STRONGER
Here is what I have in my script:
---
# Helper variables (assumed to be set earlier in the full script;
# adjust the paths for your system)
LSMOD=/sbin/lsmod
MODPROBE=/sbin/modprobe
GREP=grep
AWK=awk

# Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Load some required (and a few optional) kernel modules
if [ -z "` $LSMOD | $GREP ip_tables | $AWK '{print $1}' `" ]; then
    $MODPROBE ip_tables
fi
if [ -z "` $LSMOD | $GREP ip_conntrack | $AWK '{print $1}' `" ]; then
    $MODPROBE ip_conntrack
fi
if [ -z "` $LSMOD | $GREP ip_conntrack_ftp | $AWK '{print $1}' `" ]; then
    $MODPROBE ip_conntrack_ftp
fi
if [ -z "` $LSMOD | $GREP ip_conntrack_irc | $AWK '{print $1}' `" ]; then
    $MODPROBE ip_conntrack_irc
fi
if [ -z "` $LSMOD | $GREP iptable_nat | $AWK '{print $1}' `" ]; then
    $MODPROBE iptable_nat
fi
if [ -z "` $LSMOD | $GREP ip_nat_ftp | $AWK '{print $1}' `" ]; then
    $MODPROBE ip_nat_ftp
fi
if [ -z "` $LSMOD | $GREP ip_nat_irc | $AWK '{print $1}' `" ]; then
    $MODPROBE ip_nat_irc
fi
---
Hope this helps,
--
George Borisov
DXSolutions Ltd
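
Added example (not part of the original message or of George's script): a check that every PREROUTING DNAT rule in an iptables-save dump has a matching FORWARD ACCEPT rule, which is the gap the reply points out. The function names and the sample dump are constructed for illustration; the addresses and port are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the original post). Sample data is constructed.
# Reads iptables-save output on stdin and prints "proto ip:port" for each
# PREROUTING DNAT rule that has no matching FORWARD ACCEPT rule.
# Assumes --to-destination is a single ip:port and FORWARD rules match
# on -p, -d and --dport, as in the rules quoted above.
dnat_without_forward() {
    awk '
    /^\*/ { table = substr($0, 2) }
    table == "filter" && $1 == ":FORWARD" { policy = $2 }
    $1 == "-A" {
        proto = dest = port = target = todest = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            else if ($i == "-d") { dest = $(i + 1); sub(/\/32$/, "", dest) }
            else if ($i == "--dport") port = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
            else if ($i == "--to-destination") todest = $(i + 1)
        }
        if (table == "nat" && $2 == "PREROUTING" && target == "DNAT")
            need[proto " " todest] = 1
        if (table == "filter" && $2 == "FORWARD" && target == "ACCEPT")
            have[proto " " dest ":" port] = 1
    }
    END {
        # With a default-ACCEPT policy the filter table blocks nothing.
        if (policy == "ACCEPT") exit
        for (k in need) if (!(k in have)) print k
    }' | sort
}

# Constructed iptables-save dump: both DNAT rules, but only a tcp FORWARD rule.
sample_ruleset() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 216.138.195.194/32 -p tcp -m tcp --dport 27012 -j DNAT --to-destination 172.25.1.5:27012
-A PREROUTING -d 216.138.195.194/32 -p udp -m udp --dport 27012 -j DNAT --to-destination 172.25.1.5:27012
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -d 172.25.1.5/32 -p tcp -m tcp --dport 27012 -j ACCEPT
COMMIT
EOF
}

sample_ruleset | dnat_without_forward
```

On a live gateway, feed it `iptables-save` output as root. Note that `iptables --list` without `-t nat` shows only the filter table, so PREROUTING and POSTROUTING rules never appear in its output.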