[lug] problems with port forwarding to internal address
j davis
davis_compz at hotmail.com
Sun Jun 2 15:31:10 MDT 2002
By your rules below it looks as if you are taking requests from eth1
(typically your private addresses) going out eth0 and DNATing to another private
machine... is this your intent? Are you monitoring outgoing requests from your
private LAN? If you want to DNAT requests from the internet, try this......
(x.x.x.x is the public address on eth0, X.x.x.x the internal server; after DNAT the FORWARD chain sees the internal address)
iptables -t nat -A PREROUTING -i eth0 -d x.x.x.x -p tcp --dport 80 -j DNAT --to-destination X.x.x.x
iptables -A FORWARD -i eth0 -d X.x.x.x -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -o eth0 -s X.x.x.x -p tcp --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
This will DNAT incoming traffic from the internet to any address; the forward rule allows it
through. Do the same thing for 443, just change --dport.
good luck,
jd
>From: Hugh Brown <hugh at vecna.com>
>Reply-To: lug at lug.boulder.co.us
>To: LUG <lug at lug.boulder.co.us>
>Subject: Re: [lug] problems with port forwarding to internal address
>Date: 02 Jun 2002 08:17:01 -0400
>
>On Mon, 2002-05-13 at 15:56, Calvin Dodge wrote:
> > I'm trying to set up port forwarding for a client. He wants web requests to a specific IP address to be forwarded to an internal machine.
> >
> > I have the following script:
> >
> > /sbin/iptables -A FORWARD -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> > /sbin/iptables -A PREROUTING -t nat -i eth1 -o eth0 -p tcp --dport 80 -j DNAT --to 192.168.1.29:80
> > /sbin/iptables -A FORWARD -p tcp --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> > /sbin/iptables -A PREROUTING -t nat -i eth1 -o eth0 -p tcp --dport 443 -j DNAT --to 192.168.1.29:443
> >
> > If I understand correctly, the above lines _should_ forward port 80 and 443 requests to 192.168.1.29, but they don't.
> > IP forwarding is enabled on this system (and it functions quite nicely as the typical IP masquerader).
> > I've tried different permutations of the above lines, but nothing I do seems to work (the internal site does work, BTW).
> >
> > Is there something I'm missing here?
> >
> > FWIW, this system runs Red Hat 7.2 with up-to-date patches.
> >
> > Calvin
>
>
>
>I didn't see an answer to this (which means I may have deleted it), but
>I did see this rule on the web as I was looking for something else. I
>haven't actually tried it but it might be worth something.
>
>iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.1.29:80
>
>FWIW,
>
>Hugh
>
>
>_______________________________________________
>Web Page: http://lug.boulder.co.us
>Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
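As an added example for this thread (not code posted by jd, Hugh or Calvin): a small script that prints the complete rule set for forwarding TCP ports from a public address on the external interface to an internal host, plus a checker for the pitfalls visible in the original script (-o inside PREROUTING, DNAT matched on the internal interface, a FORWARD ACCEPT that restricts nothing). The values eth0 as external interface and 203.0.113.10 as its public address are assumptions for the demo; 192.168.1.29 is the internal server from the thread. Nothing is applied to the kernel; the commands are only printed.

```shell
#!/bin/sh
# Added example, not from the original thread. Prints iptables commands for
# DNAT port forwarding and lints candidate rules for known mistakes.
# Values used in the demo (eth0, 203.0.113.10) are assumptions.

# gen_dnat_rules EXT_IF PUB_IP INT_IP PORT [PORT...]
# Prints one command per line in load order; pipe to "sudo sh" to apply.
gen_dnat_rules() {
    g_ext=$1; g_pub=$2; g_int=$3; shift 3
    # The box must route between interfaces at all.
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Replies for any connection already accepted: one rule covers every port.
    echo "iptables -A FORWARD -o $g_ext -s $g_int -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for g_port in "$@"; do
        # DNAT lives in the nat table and matches on the EXTERNAL interface.
        # -o is not allowed here: no routing decision has been made yet.
        echo "iptables -t nat -A PREROUTING -i $g_ext -d $g_pub -p tcp --dport $g_port -j DNAT --to-destination $g_int:$g_port"
        # FORWARD runs after DNAT, so it sees the INTERNAL address as destination.
        echo "iptables -A FORWARD -i $g_ext -d $g_int -p tcp --dport $g_port -m state --state NEW -j ACCEPT"
    done
}

# lint_rule EXT_IF "iptables ...": prints one line per problem found,
# returns 0 if the rule is clean and 1 otherwise.
lint_rule() {
    l_ext=$1; l_bad=0; l_chain=""; l_in=""; l_out=""; l_tgt=""; l_nat=0; l_dst=0
    set -- $2          # word-split the rule into its tokens
    while [ $# -gt 0 ]; do
        case $1 in
            -A|-I) l_chain=${2:-} ;;
            -t)    [ "${2:-}" = nat ] && l_nat=1 ;;
            -i)    l_in=${2:-} ;;
            -o)    l_out=${2:-} ;;
            -d)    l_dst=1 ;;
            -j)    l_tgt=${2:-} ;;
        esac
        shift
    done
    if [ "$l_chain" = PREROUTING ]; then
        [ $l_nat -eq 1 ] || { echo "PREROUTING needs -t nat; the default (filter) table has no such chain"; l_bad=1; }
        [ -z "$l_out" ] || { echo "-o $l_out is invalid in PREROUTING: the output interface is unknown before routing"; l_bad=1; }
    fi
    if [ "$l_tgt" = DNAT ] && [ -n "$l_in" ] && [ "$l_in" != "$l_ext" ]; then
        echo "DNAT for requests from the internet must match -i $l_ext, not -i $l_in"; l_bad=1
    fi
    if [ "$l_chain" = FORWARD ] && [ "$l_tgt" = ACCEPT ] && [ -z "$l_in" ] && [ $l_dst -eq 0 ]; then
        echo "FORWARD ACCEPT with neither -i nor -d lets this port through to every forwarded host"; l_bad=1
    fi
    [ $l_bad -eq 0 ]
}

# Demo with the assumed values: eth0 external, 203.0.113.10 its public address.
gen_dnat_rules eth0 203.0.113.10 192.168.1.29 80 443
echo "--- problems in the PREROUTING line from the original post:"
lint_rule eth0 "/sbin/iptables -A PREROUTING -t nat -i eth1 -o eth0 -p tcp --dport 80 -j DNAT --to 192.168.1.29:80" || true
```

The generated FORWARD rules only open the forwarded ports to the one internal host; the original script's FORWARD lines had no -i or -d, so they would have accepted port 80 and 443 toward any machine the router can reach. One caveat this rule set does not cover: clients on the internal LAN that connect to the public address will not reach the server through these rules alone, since the reply would go straight back to the client without passing the router; that case needs an additional SNAT/MASQUERADE rule in POSTROUTING.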