Re: portfw on iptables 2.4 kernel problem.

[Joel Newkirk <netfilter@newkirk.us>]

On Thursday 12 December 2002 03:51 am, Rasmus Reinholdt Nielsen wrote:
> Hi
>
> I have the same problem here. Using kernel 2.4.19-pre9, where I just
> can't forward port 80. Port 8080 works for instace fine. I have also
> tried to redirect all requests on port 80 to port 8080, but without
> any luck. When connecting to port 80 the browser just hangs. I can see
> in the apache log on the webserver that it gets the request, so I
> think it is a problem of the packets not getting back through the
> firewall and to the browser.
>
> I just can't see what is wrong. I even tried the following rules to
> see it that would help, but it didn't
>
> iptables -A INPUT -j ACCEPT
> iptables -A FORWARD -j ACCEPT
> iptables -t nat -A POSTROUTING -j MASQUERADE
> iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 80 -j DNAT --to
> <http_ip>:80
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> This is not my usual firewall script, but I can't think of a more open
> one :)

Just a few observations.  I assume eth1 is your internet connection, so 
you should probably be using:
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
Otherwise it will constantly be checking the IP of every interface and 
masquerading packets outbound on every interface.
and you also need (did you just not list it?)
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
for the MASQ target to work.

> Anybody knows of this might be a problem with the 2.4.19 kernels, I
> have a 2.4.18 firewall as well on which forwarding IS working, with
> the same ruleset.

Is this just DNAT that fails, or all forwarding?  And just to be sure, 
since you didn't say, are you testing it from outside the LAN, or from a 
local machine (or the firewall box itself)?

j