Port forwarding

Port forwarding

[Błażej Ślusarek]

Hello, could anyone help me to enable port forwarding on a server
which default policies are PREROUTING DROP and FORWARD DROP? I'm
actually asking for a correct set of instructions.

Thanks.

Re: Port forwarding

[Elvir Kuric]

Hi Blazej,

take a look in : http://iptables-tutorial.frozentux.net/iptables-tutorial.html

it is super place for reference,

Nice regards,

Elvir Kuric

On Sat, Dec 13, 2008 at 12:33 AM, B³a¿ej ¦lusarek <beju@beju.xon.pl> wrote:
> Hello, could anyone help me to enable port forwarding on a server
> which default policies are PREROUTING DROP and FORWARD DROP? I'm
> actually asking for a correct set of instructions.
>
> Thanks.
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

Re: Port forwarding

[Błażej Ślusarek]

Does really nobody know how to do port forwarding?

Re: Port forwarding

[Ivan Petrushev]

I think lots of people know how to forward ports.
Default policy doesn't concern you - it is DEFAULT. Once you add rules
that match the desired packets these rules do something and it is not
the default chain action.
Here is example port forwarding:
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.2 --dport 27015 -j
DNAT --to-destination 192.168.0.34
iptables -t nat -A PREROUTING -p udp -d 192.168.1.2 --dport 27015 -j
DNAT --to-destination 192.168.0.34
And if your default FORWARD policy is DROP, then you should change it
to ACCEPT for the matched by the upper rules packets:
iptables -I FORWARD -d 192.168.1.2 -j ACCEPT

conntrack counters on a bridge

[Gilad Benjamini]

I have iptables running on a bridge. The bridge has three interfaces

I am trying to understand what happens with flooded packets.
Below are my conclusions. I would appreciate comments and corrections. If
someone has a relevant link, that's even better.

- Flooding is done by the bridge code, and therefore flooded packets are
seen twice in the FORWARD chain
- Conntrack counters are updated in PRE_ROUTING, and therefore 
   - The connection counters are correct (not duplicate)
   - Counters are also updated for packets which are eventually dropped
- Conntrack confirms connections in POST_ROUTING, and therefore
   - Dropped connections are not confirmed
   - Accepted connections are confirmed twice, and that's harmless ?

Thanks
Gilad