* Port forwarding - again ! :)
@ 2006-03-02 12:21 Stian B. Barmen
From: Stian B. Barmen @ 2006-03-02 12:21 UTC (permalink / raw)
To: netfilter
I am wondering how to enable port forwarding from a DMZ to an internal
network. The machine forwarding is just a normal Linux machine, no firewall in
the DMZ, and I want it to forward one port to an internal machine on the
internal network.
How do I forward one port from a machine in the DMZ network to the internal network?
<internet>
|
<firewall>
|
<router> - <dmz network>
|
<internal network>
Here is my iptables:
# Generated by iptables-save v1.3.4 on Tue Feb 28 14:24:10 2006
*nat
:PREROUTING ACCEPT [1014:84065]
:POSTROUTING ACCEPT [1243:92537]
:OUTPUT ACCEPT [1237:92240]
-A PREROUTING -d 217.20.20.160 -i eth0 -p tcp -m tcp --dport 81 -j DNAT --to-destination 10.22.0.79:8081
COMMIT
# Completed on Tue Feb 28 14:24:10 2006
# Generated by iptables-save v1.3.4 on Tue Feb 28 14:24:10 2006
*filter
:INPUT ACCEPT [124031010:45151447581]
:FORWARD ACCEPT [12:576]
:OUTPUT ACCEPT [155888838:182283994852]
COMMIT
# Completed on Tue Feb 28 14:24:10 2006
I just used the command:
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 217.20.20.160 --dport 81 -j DNAT --to 10.22.0.79:8081
# cat /proc/sys/net/ipv4/ip_forward
1
Also I enabled ip_forward.
But when I try to connect to 217.20.20.160:81 it just times out waiting for an
answer. Do I need more in this minimalistic setup to make it work?
Note: the IP addresses are bogus but representative (the 217 is a public IP
and the 10 is private).
Best regards
Stian B. Barmen
* Re: Port forwarding - again ! :)
From: Chinh Nguyen @ 2006-03-02 15:38 UTC (permalink / raw)
To: netfilter
Stian B. Barmen wrote:
> I am wondering how to enable port forwarding from a DMZ to an internal
> network. The machine forwarding is just a normal Linux machine, no firewall in
> the DMZ, and I want it to forward one port to an internal machine on the
> internal network.
>
> How do I forward one port from a machine in the DMZ network to the internal network?
>
> <internet>
> |
> <firewall>
> |
> <router> - <dmz network>
> |
> <internal network>
> I just used the command:
> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 217.20.20.160 --dport 81 -j DNAT --to 10.22.0.79:8081
>
> # cat /proc/sys/net/ipv4/ip_forward
> 1
>
> Also I enabled ip_forward.
>
> But when I try to connect to 217.20.20.160:81 it just times out waiting for an
> answer. Do I need more in this minimalistic setup to make it work?
>
> Note: the IP addresses are bogus but representative (the 217 is a public IP
> and the 10 is private).
My guess would be that you also need a MASQUERADE rule on the POSTROUTING chain of
the nat table. Without it, you have a connection from machine X to 217.20.20.160,
but you get a reply from 10.22.0.79!
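A complete version of the minimal ruleset the thread converges on (the DNAT rule plus a MASQUERADE rule on POSTROUTING, and a FORWARD policy that admits only that one flow), written as an added example; it is not code from either poster. The helper names gen_portforward_rules and count_target, the internal-side interface, and the use of the conntrack match are assumptions; the script prints rules in iptables-restore format for review instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread. Emits a minimal nat+filter ruleset that
# forwards one TCP port from the DMZ-facing address to an internal host, in
# iptables-restore format, so it can be reviewed before being applied.
#
# Assumed arguments: public IP, public port, internal IP, internal port,
# DMZ-facing interface, internal-facing interface.
#
# Why the MASQUERADE rule: after DNAT the internal host answers the client's
# real address via its own default route. If that route does not lead back
# through this box, the reply leaves with a 10.x source and the client discards
# it (the timeout seen in the thread). Rewriting the source to this box's
# internal address forces replies back through it, at the cost of hiding the
# client IP from the internal server.
gen_portforward_rules() {
    pub_ip=$1; pub_port=$2; int_ip=$3; int_port=$4; dmz_if=$5; int_if=$6
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Rewrite the destination of new connections arriving on the DMZ interface.
-A PREROUTING -i $dmz_if -d $pub_ip -p tcp --dport $pub_port -j DNAT --to-destination $int_ip:$int_port
# Rewrite the source as the packet leaves towards the internal host.
-A POSTROUTING -o $int_if -d $int_ip -p tcp --dport $int_port -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Admit only the forwarded flow and its replies, not arbitrary DMZ-to-internal traffic.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $dmz_if -o $int_if -d $int_ip -p tcp --dport $int_port -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Count how many rules in the generated set jump to a given target (sanity check).
count_target() {
    target=$1; shift
    gen_portforward_rules "$@" | grep -c -- "-j $target"
}

# Usage with the thread's (bogus but representative) addresses; eth1 is assumed
# to be the internal-side interface:
#   gen_portforward_rules 217.20.20.160 81 10.22.0.79 8081 eth0 eth1 | iptables-restore
```

Feed the output to iptables-restore only after confirming that /proc/sys/net/ipv4/ip_forward is 1, as in the original post.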