From: Herman <Herman@AerospaceSoftware.com>
To: Chris Brenton <cbrenton@chrisbrenton.org>, netfilter@lists.netfilter.org
Subject: Re: Port forwarding doesn't work.
Date: Sun, 12 Oct 2003 19:17:08 -0600
Message-ID: <200310121917.08663.Herman@AerospaceSoftware.com>
In-Reply-To: <1066005882.1151.23.camel@valhalla>
On Sunday 12 October 2003 6:44 pm, Chris Brenton wrote:
>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> Hummm. You do realize you are letting through *everything* you are not
> specifically dropping? Looks like you've had quite a bit of traffic
> sneak by. :(
Yep, I opened it up in an effort to figure out what is going on - or rather
not going on. The really bad stuff is blocked in the INPUT chain, and the
INPUT chain is letting the packets through, since I can play xmms on the
firewall itself, so the packets get in, but not out the other side.
>> How can the FORWARD chain be empty, since MASQUERADE is working and my
>> laptop can surf the web?
> Because you are letting everything not specifically denied blow through.
OK - it seems that port forwarding uses the nat table - eventually I'll
understand this I hope...
If I understand it, masquerading also uses the nat table and that is working,
so why doesn't port forwarding work for port 8002?
Here is the rule:
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 8002 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 8002 -j DNAT --to 192.168.10.245:8002
on the command line it looks like this:
iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 8002 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 8002 -j DNAT --to 192.168.10.245:8002
and it does diddly squat...
>> Why are my new forwarding rules ignored?
> Again, try stuff like this from the command line. If iptables is not
> happy, it will let you know about it.
Tried it with various versions of iptables. 1.2.7a and 1.2.9rc1 give either
Invalid Argument or Target Problem as explained in previous posts. Iptables
1.2.5 doesn't give any error messages - I downgraded, since upgrading didn't
make any diff, so now it doesn't tell me anything although the problem is
still the same.
It is as if the rules are simply ignored even when I copy and paste examples
from the howtos or other posts.
>> How can I debug this stuff and see where the packets are going/not
>> going? Can anybody shed light on this?
> The counters are a good indication of what is going on. You can also run
> tcpdump to troubleshoot what goes by.
Trying that now - very trying...
I guess that eventually, I'll understand iptables, but it is going to take a
while to get there.
Oh, well, what the hell - Catch 22.
--
Herman Oosthuysen
B.Eng(E), MIEEE
Aerospace Software Ltd.
Ph: 1.403.241-8773, Cell: 1.403.852-5545, Fx: 1.403.241-8841
Herman@AerospaceSoftware.com, http://www.AerospaceSoftware.com
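As an added example, not code from this thread, here is a small POSIX sh/awk script that does what the "look at the counters" advice above suggests: it parses `iptables -L -v -n` output, reports chains whose ACCEPT policy has already passed packets (the "sneak by" case), and lists rules whose packet counter is still zero (the never-matched port-8002 rule). The listing it runs against is a constructed sample modelled on this setup, not output captured from a real host.

```shell
#!/bin/sh
# Constructed sample of `iptables -L -v -n` output, modelled on the setup in
# this thread: a FORWARD policy ACCEPT that has passed traffic, and a port-8002
# forwarding rule whose counters never moved. Not captured from a real host.
SAMPLE='Chain INPUT (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
 5310  402K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 1200   96K ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT 8812 packets, 1043K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:8002

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
'

# Print "<chain> <packets>" for every chain whose default policy is ACCEPT
# and has already passed packets: traffic that no explicit rule covered.
open_policy_chains() {
    printf '%s\n' "$1" | awk '
        /^Chain / {
            chain = $2
            if ($0 ~ /policy ACCEPT/) {
                n = $0
                sub(/.*policy ACCEPT /, "", n); sub(/ packets.*/, "", n)
                if (n + 0 > 0) print chain, n
            }
        }'
}

# Print "<chain> <target> <proto> <in> <out> <match>" for rules whose packet
# counter is still 0, i.e. rules that nothing has matched yet.
unmatched_rules() {
    printf '%s\n' "$1" | awk '
        /^Chain / { chain = $2; next }
        /^ *pkts/ || NF == 0 { next }
        $1 ~ /^[0-9]+$/ && $1 + 0 == 0 {
            extra = ""
            for (i = 10; i <= NF; i++) extra = extra " " $i
            print chain, $3, $4, $6, $7 extra
        }'
}

# On a live box (needs root) feed it the real listing instead of SAMPLE, e.g.
#   open_policy_chains "$(iptables -L -v -n)"
# The nat table is listed separately: repeat with `iptables -t nat -L -v -n`.
open_policy_chains "$SAMPLE"
unmatched_rules "$SAMPLE"
```

A zero counter on the FORWARD rule while the FORWARD policy counter keeps climbing is the signature of the situation above: packets are passing, just not through the rule that was meant to catch them.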