* Forwarding problem, :( port redirection!
@ 2003-02-24  8:12 louie miranda
  2003-02-24  8:25 ` Rasmus Bøg Hansen
  0 siblings, 1 reply; 7+ messages in thread
From: louie miranda @ 2003-02-24  8:12 UTC (permalink / raw)
  To: netfilter

I'm trying just to forward simple ftp, 21 request into my internal machine.
I'm typing this but it does not work..

Any ideas?


iptables -t nat -A PREROUTING -i eth0 -p tcp -d 10.0.0.11 --dport 21 \
	-j DNAT --to 203.190.72.108:21
iptables -A FORWARD -i eth0 -o eth1 -p tcp -d 203.190.72.108 --dport 21 \
	-j ACCEPT


eth0: Internet
eth1: LAN


Doc: http://www.knowplace.org/netfilter/syntax.html#conf6
================================
Destination NAT the packets (changes the destination IP address in the IP
header and port number in the TCP/UDP header)
    iptables -t nat -A PREROUTING -i eth0 -p protocol \
        -d ip_address_of_eth0 --dport original_port_number \
        -j DNAT --to destination_ip_address:destination_port_number
Forward the natted packets (allow the natted packet to be forwarded)
    iptables -A FORWARD -i eth0 -o eth1 -p protocol \
        -d destination_ip_address --dport destination_port_number -j ACCEPT
================================









--
thanks,
louie miranda





* Re: Forwarding problem, :( port redirection!
  2003-02-24  8:12 Forwarding problem, :( port redirection! louie miranda
@ 2003-02-24  8:25 ` Rasmus Bøg Hansen
  2003-02-24  8:32   ` louie miranda
  0 siblings, 1 reply; 7+ messages in thread
From: Rasmus Bøg Hansen @ 2003-02-24  8:25 UTC (permalink / raw)
  To: louie miranda; +Cc: netfilter

On Mon, 24 Feb 2003, louie miranda wrote:

> I'm trying just to forward simple ftp, 21 request into my internal machine.
> I'm typing this but it does not work..

> iptables -t nat -A PREROUTING -i eth0 -p tcp -d 10.0.0.11 --dport 21 -j
> DNAT --to 203.190.72.108:21
> iptables -A FORWARD -i eth0 -o eth1 -p tcp -d 203.190.72.108 --dport 21 -j
> ACCEPT

Are you *sure* of those IPs? 10.0.0.11 is a private IP and is unusable
on the internet - however your rules state that 10.0.0.11 is located on
the internet. I'm pretty sure you need to exchange the global and local
IP.

/Rasmus

-- 
-- [ Rasmus "Møffe" Bøg Hansen ] ---------------------------------------
Drink wet cement: Get Stoned.
----------------------------------[ moffe at amagerkollegiet dot dk ] --




* Re: Forwarding problem, :( port redirection!
  2003-02-24  8:25 ` Rasmus Bøg Hansen
@ 2003-02-24  8:32   ` louie miranda
  2003-02-24  8:57     ` Rasmus Bøg Hansen
                       ` (2 more replies)
  0 siblings, 3 replies; 7+ messages in thread
From: louie miranda @ 2003-02-24  8:32 UTC (permalink / raw)
  To: netfilter; +Cc: Rasmus Bøg Hansen

panic:/# iptables -t nat -A PREROUTING -i eth0 -p tcp \
	-d 203.190.72.108 --dport 21 -j DNAT --to 10.0.0.11:21
panic:/# iptables -A FORWARD -i eth0 -o eth1 -p tcp \
	-d 203.190.72.108 --dport 21 -j ACCEPT
panic:/# telnet 203.190.72.108 21
Trying 203.190.72.108...
telnet: Unable to connect to remote host: Connection refused
panic:/# telnet 10.0.0.11 21
Trying 10.0.0.11...
Connected to 10.0.0.11.
Escape character is '^]'.
220 Dynu FTP Server (Version 1.13)
^]
telnet> q
Connection closed.
panic:/# telnet 203.190.72.108 21
Trying 203.190.72.108...
telnet: Unable to connect to remote host: Connection refused
panic:/#

Still no success! :(



--
thanks,
louie miranda








* Re: Forwarding problem, :( port redirection!
  2003-02-24  8:32   ` louie miranda
@ 2003-02-24  8:57     ` Rasmus Bøg Hansen
  2003-02-24 10:21     ` Rob Sterenborg
  2003-02-24 13:23     ` John Davey
  2 siblings, 0 replies; 7+ messages in thread
From: Rasmus Bøg Hansen @ 2003-02-24  8:57 UTC (permalink / raw)
  To: louie miranda; +Cc: netfilter

On Mon, 24 Feb 2003, louie miranda wrote:

> panic:/# iptables -t nat -A PREROUTING -i eth0 -p tcp -d
> 203.190.72.108 --dport 21 -j DNAT --to 10.0.0.11:21
> panic:/# iptables -A FORWARD -i eth0 -o eth1 -p tcp -d
> 203.190.72.108 --dport 21 -j ACCEPT
> panic:/# telnet 203.190.72.108 21
> Trying 203.190.72.108...
> telnet: Unable to connect to remote host: Connection refused
> panic:/# telnet 10.0.0.11 21
> Trying 10.0.0.11...
> Connected to 10.0.0.11.
> Escape character is '^]'.
> 220 Dynu FTP Server (Version 1.13)
> ^]
> telnet> q
> Connection closed.
> panic:/# telnet 203.190.72.108 21
> Trying 203.190.72.108...
> telnet: Unable to connect to remote host: Connection refused
> panic:/#

Why do you want to use the WAN IP from your LAN when you could contact
the LAN IP directly?

What you have to do is:

1) Forward traffic from internal hosts.
2) NAT local->local traffic (This is explained somewhere in the
   netfilter docs)

The above rules only forward traffic from the internet.

/Rasmus

-- 
-- [ Rasmus "Møffe" Bøg Hansen ] ---------------------------------------
Programming is a race between programmers, who try and make more and
more idiot-proof software, and universe, which produces more and more
remarkable idiots.
Until now, universe leads the race.
                                                           - R. Cooka
----------------------------------[ moffe at amagerkollegiet dot dk ] --





* RE: Forwarding problem, :( port redirection!
  2003-02-24  8:32   ` louie miranda
  2003-02-24  8:57     ` Rasmus Bøg Hansen
@ 2003-02-24 10:21     ` Rob Sterenborg
  2003-02-24 13:23     ` John Davey
  2 siblings, 0 replies; 7+ messages in thread
From: Rob Sterenborg @ 2003-02-24 10:21 UTC (permalink / raw)
  To: netfilter

> panic:/# iptables -t nat -A PREROUTING -i eth0 -p tcp -d
> 203.190.72.108 --dport 21 -j DNAT --to 10.0.0.11:21
> panic:/# iptables -A FORWARD -i eth0 -o eth1 -p tcp -d
> 203.190.72.108 --dport 21 -j ACCEPT
> panic:/# telnet 203.190.72.108 21
> Trying 203.190.72.108...
> telnet: Unable to connect to remote host: Connection refused
> panic:/# telnet 10.0.0.11 21
> Trying 10.0.0.11...
> Connected to 10.0.0.11.
> Escape character is '^]'.
> 220 Dynu FTP Server (Version 1.13)
> ^]
> telnet> q
> Connection closed.
> panic:/# telnet 203.190.72.108 21
> Trying 203.190.72.108...
> telnet: Unable to connect to remote host: Connection refused
> panic:/#

Did you load ip_conntrack_ftp and ip_nat_ftp?
And do you use:
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT


Gr,
Rob




* RE: Forwarding problem, :( port redirection!
  2003-02-24  8:32   ` louie miranda
  2003-02-24  8:57     ` Rasmus Bøg Hansen
  2003-02-24 10:21     ` Rob Sterenborg
@ 2003-02-24 13:23     ` John Davey
  2003-02-26 10:02       ` louie miranda
  2 siblings, 1 reply; 7+ messages in thread
From: John Davey @ 2003-02-24 13:23 UTC (permalink / raw)
  To: louie miranda, netfilter; +Cc: Rasmus Bøg Hansen

Your FORWARD rule is still wrong. It's already been DNAT'd so forward it
to the IP that's on the box, i.e. 10.0.0.11

panic:/# iptables -A FORWARD -i eth0 -o eth1 -p tcp -d \
	10.0.0.11 --dport 21 -j ACCEPT

Also your firewall is on panic so NONE of the rules you have listed are even
used when you telnet from panic to 10.0.0.11.

http://www.netfilter.org/documentation/index.html#HOWTO
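
The FORWARD mistake pointed out in the message above can be checked mechanically. This is an added example, not part of the original thread: the function name `lint_dnat_forward` is hypothetical, and it only understands rules written as `iptables` command lines with an explicit `-d`.

```shell
#!/bin/sh
# Added example, not from the thread. Reads iptables command lines on stdin
# and reports FORWARD rules that match a pre-DNAT destination address.
# The exit status is the number of findings.
lint_dnat_forward() {
    awk '
    # Value following option "opt" on the current line, or "" if absent.
    function arg(opt,    i) {
        for (i = 1; i < NF; i++) if ($i == opt) return $(i + 1)
        return ""
    }
    {
        table = arg("-t"); if (table == "") table = "filter"
        chain = arg("-A"); target = arg("-j"); dst = arg("-d")
    }
    table == "nat" && chain == "PREROUTING" && target == "DNAT" && dst != "" {
        to = arg("--to"); if (to == "") to = arg("--to-destination")
        sub(/:.*/, "", to)        # strip the :port suffix
        dnat[dst] = to            # original destination -> rewritten one
        next
    }
    table == "filter" && chain == "FORWARD" && target == "ACCEPT" && dst != "" {
        fwd[dst] = 1
    }
    END {
        for (d in dnat) {
            # FORWARD runs after PREROUTING, so it sees the rewritten address.
            if (d in fwd) {
                printf "FORWARD matches pre-DNAT address %s; FORWARD sees %s\n", d, dnat[d]
                bad++
            }
            if (!(dnat[d] in fwd)) {
                printf "no FORWARD ACCEPT names DNAT target %s\n", dnat[d]
                bad++
            }
        }
        exit bad + 0
    }'
}

# Sample input: the rules from the second attempt in this thread.
lint_dnat_forward <<'EOF' || echo "findings: $?"
iptables -t nat -A PREROUTING -i eth0 -p tcp -d 203.190.72.108 --dport 21 -j DNAT --to 10.0.0.11:21
iptables -A FORWARD -i eth0 -o eth1 -p tcp -d 203.190.72.108 --dport 21 -j ACCEPT
EOF
```

The second finding only matters when the FORWARD policy is not ACCEPT; a FORWARD rule without `-d` is not considered by this check.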










* Re: Forwarding problem, :( port redirection!
  2003-02-24 13:23     ` John Davey
@ 2003-02-26 10:02       ` louie miranda
  0 siblings, 0 replies; 7+ messages in thread
From: louie miranda @ 2003-02-26 10:02 UTC (permalink / raw)
  To: John Davey, netfilter

Still not working..

Does anyone have a step by step howto on this?


--
thanks,
louie miranda



