[H-GEN] iptables and port forwarding

R&J Stuart rjstuart at bigpond.net.au
Thu May 22 11:01:23 EDT 2003


[ Humbug *General* list - semi-serious discussions about Humbug and     ]
[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]

Johann wrote:

> so after reading the netfilter howto and surfing the net for examples I
> chose the following iptables rule
> iptables -A PREROUTING -t nat -i eth1 -d 192.168.105.201 -p tcp --dport 22 -j DNAT --to 10.0.0.200:22

> I also tried
>
> iptables -A PREROUTING -t nat -i eth1 -d 192.168.105.201 -j DNAT --to 10.0.0.200
>
> to see if I could port forward everything, and that also fails to work

You will also need to put a rule in your FORWARD chain to accept the packets
IF your policy in your forward chain is to deny packets.  I'm a little
confused about this because you said your INPUT and OUTPUT chain policies
were accept.  What policy does the forward chain have?  You thought that the
logging indicated a dropped packet; this is not the case: logging does not
drop the packet, it just logs it.  Create a rule for logging and dropping if you
want to do that, e.g.:

$IPTAB -A logdrop -j LOG --log-prefix "Drop pkt: " --log-level notice
$IPTAB -A logdrop -j DROP

May 22 12:08:30 lnxsrv kernel: OUTPUT_DROP: IN= OUT=eth0 SRC=10.0.0.201 
DST=10.0.0.200 LEN=132 TOS=0x10 PREC=0x00 TTL=64 ID=46811 DF PROTO=TCP 
SPT=22 DPT=1034 WINDOW=9648 RES=0x00 ACK PSH URGP=0
May 22 12:08:30 lnxsrv kernel: INPUT_DROP: IN=eth0 OUT= 
MAC=00:40:f4:64:30:75:00:00:e8:d5:69:cb:08:00 SRC=10.0.0.200 DST=10.0.0.201 
LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=28542 DF PROTO=TCP SPT=1034 DPT=22 
WINDOW=15008 RES=0x00 ACK URGP=0

These logged packets indicate that traffic was going OK - note the absence
of the SYN flag (only ACK and PSH), meaning these connections were normal
traffic.  I'm thinking that you had an ssh session between 10.0.0.201 and 200.
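The flag check above is easy to automate. The following parser is an added example (not part of Robert's post): it reads netfilter LOG lines, pulls out the KEY=VALUE fields and the bare TCP flag words, and classifies each packet as a new connection attempt (SYN without ACK) or mid-stream traffic. The first two sample lines are the ones quoted in the post; the third is a constructed SYN-only line with the "Drop pkt:" prefix from the logdrop rule.

```python
import re

# The two kernel log lines quoted in the post, verbatim.
POST_LOG_LINES = [
    "May 22 12:08:30 lnxsrv kernel: OUTPUT_DROP: IN= OUT=eth0 SRC=10.0.0.201 DST=10.0.0.200 "
    "LEN=132 TOS=0x10 PREC=0x00 TTL=64 ID=46811 DF PROTO=TCP SPT=22 DPT=1034 WINDOW=9648 RES=0x00 ACK PSH URGP=0",
    "May 22 12:08:30 lnxsrv kernel: INPUT_DROP: IN=eth0 OUT= MAC=00:40:f4:64:30:75:00:00:e8:d5:69:cb:08:00 "
    "SRC=10.0.0.200 DST=10.0.0.201 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=28542 DF PROTO=TCP SPT=1034 DPT=22 "
    "WINDOW=15008 RES=0x00 ACK URGP=0",
]
# Constructed line (not from the post): what a dropped inbound connection attempt would look like.
CONSTRUCTED_SYN_LINE = (
    "May 22 12:09:01 lnxsrv kernel: Drop pkt: IN=eth1 OUT= SRC=192.168.105.50 DST=192.168.105.201 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0"
)

# TCP flags appear in LOG output as bare words rather than KEY=VALUE pairs.
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}
# Captures the --log-prefix text between "kernel: " and the first "IN=" field.
_PREFIX_RE = re.compile(r"kernel: (?P<prefix>.*?) ?(?=IN=)")

def parse_log_line(line):
    """Return a dict of fields from one netfilter LOG line, or None if it is not one."""
    m = _PREFIX_RE.search(line)
    if m is None:
        return None
    fields = {"prefix": m.group("prefix").rstrip(":"), "flags": set()}
    for tok in line[m.end():].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value          # e.g. SRC=10.0.0.200, or IN= with an empty value
        elif tok in TCP_FLAGS:
            fields["flags"].add(tok)     # DF and other non-flag words are ignored
    return fields

def classify(fields):
    """'new' for a SYN-only TCP packet, 'established' for other TCP, 'non-tcp' otherwise."""
    if fields.get("PROTO") != "TCP":
        return "non-tcp"
    flags = fields["flags"]
    return "new" if "SYN" in flags and "ACK" not in flags else "established"

def summarise(lines):
    """Return (prefix, src:sport, dst:dport, state) for every LOG line in lines."""
    result = []
    for line in lines:
        p = parse_log_line(line)
        if p is not None:
            result.append((p["prefix"], f"{p.get('SRC')}:{p.get('SPT')}",
                           f"{p.get('DST')}:{p.get('DPT')}", classify(p)))
    return result

if __name__ == "__main__":
    for row in summarise(POST_LOG_LINES + [CONSTRUCTED_SYN_LINE]):
        print(row)
```

Both lines from the post come out as "established", matching the reasoning above; only the constructed line shows a "new" connection attempt.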

These are the rules I have for forwarding a port when hosting games on an 
internal machine with someone on the net:
$IPTAB -A FORWARD -i $Pub -o $Priv -p udp --dport $GAMEPORT -j ACCEPT
$IPTAB -t nat -A PREROUTING -i $Pub -p udp --dport $GAMEPORT -j DNAT --to $INTERNAL_GAME_SERVER

$Pub and $Priv are my public (internet) and private (internal) interfaces 
respectively.

Other bits:
Machine A should NOT have a route to anything via 192.168.105.201 - 
otherwise you wouldn't have to use DNAT.  On the other hand C must be able 
to talk to A before you start DNATing (so get the SNAT/MASQ working first).

Hope that helps.

Robert


--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'.  See http://www.humbug.org.au/