From: Wilson Mak <wilson.mak@digitalview.com>
To: Nick Drage <nickd@metastasis.demon.co.uk>
Cc: netfilter@lists.netfilter.org
Subject: Re: Port Forwarding with iptables
Date: Fri, 20 Aug 2004 18:06:38 +0800
Message-ID: <4125CD2E.7000108@digitalview.com>
In-Reply-To: <20040819112216.GN29471@metastasis.org.uk>

Nick Drage wrote:

>On Thu, Aug 19, 2004 at 06:57:59PM +0800, Wilson Mak wrote:
>  
>
>>Hi all,
>>
>>I'd like to do port forwarding with iptables (forward web traffic of an
>>alias IP - <ext ip> to an internal web server).  Here is what I have:
>>
>>iptables -t nat -A PREROUTING -i eth0 -d <ext ip> -p tcp --dport 80 -j DNAT --to 10.1.0.12:80
>>iptables -A INPUT -p tcp -i eth0 -d <ext ip> --dport 80 -m state --state NEW -j ACCEPT
>>iptables -A FORWARD -p tcp -i eth0 -o eth1 -d <ext ip> --dport 80 -m state --state NEW -j ACCEPT
>>
>>However, it keeps dropping the packets when getting to the NAT box.
>>
>>Logs
>>====
>>(With iptables -A FORWARD -d 10.1.0.12 -j LOG; iptables -A FORWARD -j DROP)
>>
>>kernel: IN=eth0 OUT=eth1 SRC=202.xxx.122.xxx DST=10.1.0.12 LEN=48
>>TOS=0x00 PREC=0x00 TTL=120 ID=6491 DF PROTO=TCP SPT=4023 DPT=80
>>WINDOW=64240 RES=0x00 SYN URGP=0
>>
>>Any clues?  Did I miss something here?
>>    
>>
>
>( caveat, this is a quick email during a lunch break at work, so it's
>all "best guess" )
>
>The rules in the PREROUTING table are executed before those in the
>FORWARD table, so the packet has a destination of 10.1.0.12 when it hits
>the FORWARD table.  So your third line should be
>
>iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 10.1.0.12 --dport 80 -m state --state NEW -j ACCEPT
>
>Let me know how you get on :)
>
>
>  
>
Thanks to all who helped on this issue.  I mistyped the rule here.  Yes,
you guys are right, the rule should be: -d 10.1.0.12.  But it still
doesn't work.  Do I need to enable something in the kernel when using
port forwarding?

Here is what I have now
===================
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

iptables -t nat -A PREROUTING -i eth0 -d <ext ip - an alias ip> -p tcp --dport 80 -j DNAT --to 10.1.0.12:80
iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 10.1.0.12 --dport 80 -m state --state NEW -j ACCEPT
iptables -A FORWARD -t filter -i eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -t filter -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Many thanks,
Wilson  
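As an added example (not code from the thread), here is the rule set above as a reviewable shell script: the FORWARD rule matches the post-DNAT address, as Nick pointed out, and the script checks the one kernel setting forwarding depends on, net.ipv4.ip_forward, before touching any rule. Interface names and the external IP are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: the poster's rule set with the
# FORWARD rule matching the post-DNAT address, plus the kernel forwarding
# check. Interface names and the external IP are assumptions.
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
EXT_IP="${EXT_IP:-203.0.113.10}"   # constructed stand-in for <ext ip>
WEB_IP="${WEB_IP:-10.1.0.12}"
IPT="${IPT:-iptables}"             # set IPT=echo to print instead of apply

# Emit the rules one per line so they can be reviewed before being applied.
# PREROUTING DNAT rewrites the destination first, so the FORWARD rule must
# match $WEB_IP, never $EXT_IP.
portforward_rules() {
  cat <<EOF
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-t nat -A PREROUTING -i $EXT_IF -d $EXT_IP -p tcp --dport 80 -j DNAT --to-destination $WEB_IP:80
-A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $WEB_IP --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -i $INT_IF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
-t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE
EOF
}

# Succeeds only if the kernel is allowed to forward IPv4 at all; otherwise the
# routing step refuses to forward the packet before the FORWARD chain sees it.
# The argument overrides the sysctl file path (used by tests).
forwarding_enabled() {
  f="${1:-/proc/sys/net/ipv4/ip_forward}"
  [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Check forwarding, then feed every rule to $IPT; stop at the first failure.
# Replies from $WEB_IP must also route back through this box (its default
# gateway), or the DNAT'd connection never completes.
apply_rules() {
  if ! forwarding_enabled "$1"; then
    echo "ip_forward is 0; enable with: sysctl -w net.ipv4.ip_forward=1" >&2
    return 1
  fi
  portforward_rules | while IFS= read -r rule; do
    # shellcheck disable=SC2086  # word-splitting the rule is intended
    $IPT $rule || exit 1
  done
}
```

Run with IPT=echo first to see exactly what would be applied, then as root without it.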



