From: ASC - Ronald Roeleveld
Subject: Port forward
Date: Tue, 4 Feb 2003 11:31:16 +0100
To: netfilter@lists.netfilter.org

Hi all,
 
I have been trying to set up a port forward for several hours now, but I don't seem to get it working right.
When I type the following command:
iptables -A PREROUTING -p tcp --destination-port 25 -i eth0 -j DNAT --to-destination 192.168.22.6:25
I get this output:
iptables: Invalid argument
I did do iptables -X PREROUTING so the chain does exist.
Can anyone please help me out?
What I want is that all incoming connections on eth0 on port 25 are routed to another machine on the internal network, 192.168.22.6.
 
Thanks in advance,

Ronald Roeleveld 
System Administrator 

ASCINTERNATIONAL
Vlietweg 17c, 2266 KA, Leidschendam, The Netherlands
Tel. +31 (0)70 3178400, Fax +31 (0)70 3204760
E-mail: r.roeleveld@ascinternational.nl, Website: http://www.ascinternational.nl

 
From: Eugene Joubert
Subject: RE: Port forward
Date: Tue, 4 Feb 2003 12:41:13 +0200
To: ASC - Ronald Roeleveld, netfilter@lists.netfilter.org

Remember that you are using DNAT, so you would have to specify the -t nat switch in your line.
 
eg
 
iptables -t nat -A PREROUTING -p tcp -s 0/0 --dport 25 -i eth0 -j DNAT --to 192.168.22.6:25
 
Hope this helps
From: ASC - Ronald Roeleveld
Subject: RE: Port forward
Date: Tue, 4 Feb 2003 11:56:42 +0100
To: Eric Leblond
Cc: netfilter@lists.netfilter.org

Thanks a lot, the error message is gone now, after I changed the line to:

iptables -t nat -A PREROUTING -p tcp --destination-port 25 -i eth0 -j DNAT --to-destination 192.168.22.6:25

But when I do iptables --list I don't see any entries in the chain for PREROUTING:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  192.168.32.6         anywhere           tcp dpt:ssh
ACCEPT     udp  --  192.168.32.6         anywhere           udp dpt:ssh
ACCEPT     tcp  --  192.168.22.6         anywhere           tcp dpt:ssh
ACCEPT     udp  --  192.168.22.6         anywhere           udp dpt:ssh
ACCEPT     tcp  --  thamaster.xs4all.nl  anywhere           tcp dpt:ssh
ACCEPT     udp  --  thamaster.xs4all.nl  anywhere           udp dpt:ssh
ACCEPT     tcp  --  192.168.22.0/24      anywhere           tcp dpt:www
ACCEPT     udp  --  192.168.22.0/24      anywhere           udp dpt:www
ACCEPT     tcp  --  localnet/24          anywhere           tcp dpt:www
ACCEPT     udp  --  localnet/24          anywhere           udp dpt:www
ACCEPT     all  --  anywhere             anywhere
DROP       tcp  --  anywhere             anywhere           tcp flags:SYN,RST,ACK/SYN

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
TCPMSS     tcp  --  anywhere             anywhere           tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT     all  --  anywhere             anywhere           state ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
TCPMSS     tcp  --  anywhere             anywhere           tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
TCPMSS     tcp  --  anywhere             anywhere           tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU

Chain PREROUTING (0 references)
target     prot opt source               destination

Regards,

Ronald Roeleveld
System Administrator
ASCINTERNATIONAL

-----Original Message-----
From: Eric Leblond [mailto:eleblond@init-sys.com]
Sent: Tuesday 4 February 2003 11:49
To: ASC - Ronald Roeleveld
Subject: Re: Port forward

On Tue, 2003-02-04 at 11:31, ASC - Ronald Roeleveld wrote:
> Hi all,
>
> I have been trying to set up a port forward for several hours now, but I don't
> seem to get it working right.
> When I type the following command:
> iptables -A PREROUTING -p tcp --destination-port 25 -i eth0 -j DNAT
> --to-destination 192.168.22.6:25

You forgot to specify that you work on the NAT table, so add
-t nat
to your line.

--
Éric Leblond
courriel : eleblond@init-sys.com

From: "Franck"
Subject: RE : Port forward
Date: Tue, 4 Feb 2003 12:17:14 +0100
To: netfilter@lists.netfilter.org

> Thanks a lot the error message is gone now,
> after I changed the line to:
> iptables -t nat -A PREROUTING -p tcp --destination-port 25 -i eth0 -j DNAT --to-destination 192.168.22.6:25
> But when I do iptables --list
> I don't see any entries in the chain for PREROUTING

You must specify that you want to list the content of the nat table....

iptables -t nat --list

From: Sven Schuster
Subject: Re: Port forward
Date: Tue, 04 Feb 2003 12:53:49 +0100
To: netfilter@lists.netfilter.org

ASC - Ronald Roeleveld wrote:
> Thanks a lot the error message is gone now,
> after I changed the line to:
> iptables -t nat -A PREROUTING -p tcp --destination-port 25 -i eth0 -j
> DNAT --to-destination 192.168.22.6:25
>
> But when I do iptables --list
> I don't see any entries in the chain for PREROUTING
>
You need to put in the "-t nat" here too to show the nat table:

iptables -t nat --list

Sven

From: ASC - Ronald Roeleveld
Subject: RE: Port forward
Date: Tue, 4 Feb 2003 14:11:10 +0100
To: Eugene Joubert
Cc: netfilter@lists.netfilter.org

Thanks a lot everyone for the emails...
I did iptables -t nat --list and it now gives me this output:
DNAT       tcp  --  anywhere             anywhere           tcp dpt:smtp to:192.168.22.6:25
But when I tried to telnet from another machine to 192.168.22.5 port 25 (the IP of the netfilter firewall/router) it didn't work at all. Does there have to be a line somewhere that says it's allowed to forward these connections?
 
Regards,
 
Ronald.
From: Eugene Joubert
Subject: RE: Port forward
Date: Tue, 4 Feb 2003 15:20:39 +0200
To: ASC - Ronald Roeleveld
Cc: netfilter@lists.netfilter.org

If your port forwarding happens from outside your Linux box going inside your network, you should telnet from an external address to your Linux IP on port 25. Also, with every PREROUTING entry you would have to have an entry in your FORWARD chain. This is if your FORWARD default policy is set to DROP. If you have the default policy on your FORWARD chain set to ACCEPT then you DON'T have to specifically add it.
 
eg

iptables -A FORWARD -p tcp -i eth0 -o eth1 -s 0/0 --dport 25 -j ACCEPT
 
Hope this helps
 
PS: Remember you have to come in from outside your network to test this rule.
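Pulling the replies above together, here is a complete rule set for the forward discussed in this thread, added here as an example and not any poster's own script. eth1 as the LAN interface, 192.168.22.5 as the firewall's LAN address, the MASQUERADE rule and the hairpin rules (so that a telnet test from inside the LAN, as in the thread, also reaches the mail server) are assumptions; with APPLY unset the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example: full DNAT port forward of TCP/25 to an internal mail host.
# Interface names, the firewall's LAN address and the hairpin rules are
# assumptions; adjust them to your topology. Run with APPLY=1 to execute.

WAN_IF="${WAN_IF:-eth0}"                    # Internet-facing interface (thread)
LAN_IF="${LAN_IF:-eth1}"                    # internal interface (assumed)
LAN_NET="${LAN_NET:-192.168.22.0/24}"
FW_LAN_IP="${FW_LAN_IP:-192.168.22.5}"      # firewall's LAN address (thread)
MAIL_HOST="${MAIL_HOST:-192.168.22.6}"      # internal mail server (thread)
PORT="${PORT:-25}"

# Print one iptables command (dry run), or execute it when APPLY=1.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

# The rules, in the order a packet from the Internet meets them.
port_forward_rules() {
    # 1. nat table, PREROUTING: rewrite the destination before routing.
    #    Without -t nat the rule lands in the filter table, where DNAT is
    #    not a valid target, which is what produced "Invalid argument".
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$PORT" \
        -j DNAT --to-destination "$MAIL_HOST:$PORT"

    # 2. filter table, FORWARD: the rewritten packet is forwarded, not
    #    delivered locally, so it must pass FORWARD (needed when the
    #    FORWARD policy is DROP; harmless when it is ACCEPT).
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$MAIL_HOST" --dport "$PORT" \
        -m state --state NEW -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 3. nat table, POSTROUTING: masquerade LAN traffic leaving on the WAN
    #    side; the mail server's default gateway must be this firewall so
    #    that its replies come back through the same conntrack entry.
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # 4. Hairpin case (assumed): a LAN client connecting to the firewall's
    #    own LAN address on port 25. Rule 1 matches only -i eth0, so it never
    #    sees this packet, and DNAT alone would let the server reply straight
    #    to the client, bypassing the firewall; SNAT the source as well.
    ipt -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -d "$FW_LAN_IP" \
        -p tcp --dport "$PORT" -j DNAT --to-destination "$MAIL_HOST:$PORT"
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -d "$MAIL_HOST" -p tcp --dport "$PORT" \
        -j SNAT --to-source "$FW_LAN_IP"
}

# Nothing is forwarded at all unless the kernel has IP forwarding enabled.
enable_forwarding() {
    if [ "${APPLY:-0}" = 1 ]; then
        sysctl -w net.ipv4.ip_forward=1
    else
        echo "sysctl -w net.ipv4.ip_forward=1"
    fi
}

enable_forwarding
port_forward_rules
# Verify afterwards with: iptables -t nat -L -n -v   (plain -L shows only filter)
```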
From: Patrick Maartense
Subject: Re: Port forward
Date: Tue, 04 Feb 2003 14:28:50 +0100
To: ASC - Ronald Roeleveld
Cc: Eugene Joubert, netfilter@lists.netfilter.org

Do you have outbound MASQUERADE active? For the mail server the traffic seems to come from the Internet; remember that your FW needs masquerading to be active and the gateway of your mail server needs to be the firewall.

--
Computer Service Büro ENTER
Patrick Maartense
am Steinfeld 19a, A-2344 Maria Enzersdorf
Tel: +43 2236 42761, Fax: +43 2236 893970, Mobil: +43 664 4200656
e-mail: office@csbenter.at, patrick@patrick.at
http://www.csbenter.at

From: saint
Subject: RE: Port forward
Date: 05 Feb 2003 00:31:15 +1100
To: ASC - Ronald Roeleveld, Netfilter Mailing List

I don't know what your setup is, but I myself explicitly FORWARD things to telnet, e.g.:

# Allow access to machines from the private LAN:
iptables -A FORWARD -i INTERFACE_CONCERNED -o OUTPUT_INTERFACE -p tcp \
    -s $LAN_MACHINES --sport $UN_PRIVILEGED_PORTS \
    -d $DESTINATION_ADDRESS --dport 23 \
    -m state --state NEW -j ACCEPT

You get the hint. Anyway, why use telnet? I recommend secure shell (tcp port 22).

Santos.
Security is a blessing.

From: ASC - Ronald Roeleveld
Subject: RE: Port forward
Date: Tue, 4 Feb 2003 14:43:42 +0100
To: saint
Cc: netfilter@lists.netfilter.org

Why I used telnet was just for testing.
I wanted to test to make sure that if I connected to port 25 with telnet to my firewall, it redirected me to the mail server. And as it seems it doesn't work, because I get an error that no connection can be established. And of course for management purposes I use SSH.. :)

From: "Rimas"
Subject: Port forward
Date: Thu, 21 Aug 2003 14:38:37 +0100
To: netfilter@lists.netfilter.org

Hi folks,

I have some strange problem with IP forwarding. Recently I did a clean update of my work firewall (migrated from RedHat to Slackware, kernel 2.4.21, with the same configuration as on RedHat) and after this, forwarding of IP protocol 47 (GRE) and tcp 1723 (PPTP) to the local network does not work. The error messages you can see below:

tcpdump -i eth0 | grep pptp
tcpdump: listening on eth0
21:02:09.046791 client_Linux_box_server.3801 > server_Linux_box.pptp: S 2100045603:2100045603(0) win 64240 (DF)
21:02:09.047301 server_Linux_box.pptp > client_Linux_box_server.3801: S 3455313091:3455313091(0) ack 2100045604 win 64240 (DF)
21:02:09.096249 client_Linux_box_server.3801 > server_Linux_box.pptp: P 1:157(156) ack 1 win 64240: pptp CTRL_MSGTYPE=SCCRQ PROTO_VER(1.0) FRAME_CAP(A) BEARER_CAP(A) MAX_CHAN(0) FIRM_REV(2600) [|pptp] (DF)
21:02:09.096561 server_Linux_box.pptp > client_Linux_box_server.3801: P 1:157(156) ack 157 win 64084: pptp CTRL_MSGTYPE=SCCRP PROTO_VER(1.0) RESULT_CODE(1) ERR_CODE(0) FRAME_CAP(S) BEARER_CAP(DA) MAX_CHAN(0) FIRM_REV(2195) [|pptp] (DF)
21:02:09.144887 client_Linux_box_server.3801 > server_Linux_box.pptp: P 157:325(168) ack 157 win 64084: pptp CTRL_MSGTYPE=OCRQ CALL_ID(49152) CALL_SER_NUM(26411) MIN_BPS(300) MAX_BPS(100000000) BEARER_TYPE(Any) FRAME_TYPE(E) RECV_WIN(64) PROC_DELAY(0) PHONE_NO_LEN(0) [|pptp] (DF)
21:02:09.146488 server_Linux_box.pptp > client_Linux_box_server.3801: P 157:189(32) ack 325 win 63916: pptp CTRL_MSGTYPE=OCRP CALL_ID(999) PEER_CALL_ID(49152) RESULT_CODE(1) ERR_CODE(0) CAUSE_CODE(0) CONN_SPEED(13277755) RECV_WIN(16384) PROC_DELAY(0) PHY_CHAN_ID(0) (DF)
21:02:11.489923 client_Linux_box_server.3801 > server_Linux_box.pptp: P 157:325(168) ack 157 win 64084: pptp CTRL_MSGTYPE=OCRQ CALL_ID(49152) CALL_SER_NUM(26411) MIN_BPS(300) MAX_BPS(100000000) BEARER_TYPE(Any) FRAME_TYPE(E) RECV_WIN(64) PROC_DELAY(0) PHONE_NO_LEN(0) [|pptp] (DF)
21:02:11.490227 server_Linux_box.pptp > client_Linux_box_server.3801: . ack 325 win 63916 (DF)
21:02:11.569977 server_Linux_box.pptp > client_Linux_box_server.3801: P 157:189(32) ack 325 win 63916: pptp CTRL_MSGTYPE=OCRP CALL_ID(999) PEER_CALL_ID(49152) RESULT_CODE(1) ERR_CODE(0) CAUSE_CODE(0) CONN_SPEED(13277755) RECV_WIN(16384) PROC_DELAY(0) PHY_CHAN_ID(0) (DF)
21:02:11.618680 client_Linux_box_server.3801 > server_Linux_box.pptp: P 325:349(24) ack 189 win 64052: pptp CTRL_MSGTYPE=SLI PEER_CALL_ID(999) SEND_ACCM(0xffffffff) RECV_ACCM(0xffffffff) (DF)
21:02:11.788688 server_Linux_box.pptp > client_Linux_box_server.3801: . ack 349 win 63892 (DF)
21:02:48.756981 client_Linux_box_server.3801 > server_Linux_box.pptp: P 349:365(16) ack 189 win 64052: pptp CTRL_MSGTYPE=CCRQ CALL_ID(49152) (DF)
21:02:48.975669 server_Linux_box.pptp > client_Linux_box_server.3801: . ack 365 win 63876 (DF)
21:02:49.758111 client_Linux_box_server.3801 > server_Linux_box.pptp: P 365:381(16) ack 189 win 64052: pptp CTRL_MSGTYPE=StopCCRQ REASON(1) (DF)
21:02:49.758413 server_Linux_box.pptp > client_Linux_box_server.3801: P 189:205(16) ack 381 win 63860: pptp CTRL_MSGTYPE=StopCCRP RESULT_CODE(1) ERR_CODE(0) (DF)
21:02:49.798872 client_Linux_box_server.3801 > server_Linux_box.pptp: F 381:381(0) ack 205 win 64036 (DF)
21:02:49.799120 server_Linux_box.pptp > client_Linux_box_server.3801: F 205:205(0) ack 382 win 63860 (DF)
21:02:49.833800 client_Linux_box_server.3801 > server_Linux_box.pptp: . ack 206 win 64036 (DF)

Any ideas?

Thanks in advance
Remus