linux-admin.vger.kernel.org archive mirror
* Port forwarding how ??
@ 2003-01-14 23:16 Sasa Ugrenovic
  2003-01-14 23:44 ` Scott Taylor
  2003-01-15 17:16 ` Jeff Largent
  0 siblings, 2 replies; 14+ messages in thread
From: Sasa Ugrenovic @ 2003-01-14 23:16 UTC (permalink / raw)
  To: linux-admin

Anyone configured port forwarding that worked ?

I was reading lots of howto documents, but I was unable to configure
that thing.


iptables -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 3306 -j DNAT \
    --to 192.168.0.14

This is how I configured it .. but it doesn't work .. anyone have any
idea or something .. ?

Thanks.




* Re: Port forwarding how ??
  2003-01-14 23:16 Port forwarding how ?? Sasa Ugrenovic
@ 2003-01-14 23:44 ` Scott Taylor
       [not found]   ` <1042589738.28248.16.camel@marvin.bl.gozostudios.com>
  2003-01-15 17:16 ` Jeff Largent
  1 sibling, 1 reply; 14+ messages in thread
From: Scott Taylor @ 2003-01-14 23:44 UTC (permalink / raw)
  To: linux-admin

At 03:16 PM 1/14/03, you wrote:
>Anyone configured port forwarding that worked ?

Yes.


>I was reading lots of howto documents, but I was unable to configure
>that thing.
>
>
>iptables -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 3306 -j DNAT
>--to 192.168.0.14
>
>This is how I configured it .. but it doesn't work .. anyone have any
>idea or something .. ?

That alone is not going to do a lot for you.

Here is a HowTo that should help:
http://tldp.org/HOWTO/IP-Masquerade-HOWTO/index.html

Then snoop around David's site and read the TrinityOS docs:
http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html



* Re: Port forwarding how ??
       [not found]   ` <1042589738.28248.16.camel@marvin.bl.gozostudios.com>
@ 2003-01-15 15:01     ` Scott Taylor
  2003-01-15 17:10       ` Jeff Largent
  2003-01-15 15:04     ` Scott Taylor
  1 sibling, 1 reply; 14+ messages in thread
From: Scott Taylor @ 2003-01-15 15:01 UTC (permalink / raw)
  To: Sasa Ugrenovic; +Cc: linux-admin

Please make your replies to the list.

At 04:15 PM 1/14/03, you wrote:
>Ok,
>And what about this ?
>( I read this on that link you provided to me )
>
>iptables -A FORWARD -p tcp --dport 3306 -j ACCEPT
>iptables -A PREROUTING -t nat -p tcp --dport 3306 -j DNAT --to
>192.168.0.14:3306
>
>When I try to connect to the server where I entered the rules I wrote
>above, I get the following:
>
>[root@gatekeeper root]# telnet 192.168.0.13 3306
>Trying 192.168.0.13...
>
>[root@gatekeeper root]#
>
>192.168.0.13 = server where I entered the iptables ... which I need to
>redirect me to 192.168.0.14
>192.168.0.14 = server running mysql ( port 3306 ).
>



* Re: Port forwarding how ??
       [not found]   ` <1042589738.28248.16.camel@marvin.bl.gozostudios.com>
  2003-01-15 15:01     ` Scott Taylor
@ 2003-01-15 15:04     ` Scott Taylor
  2003-01-15 17:06       ` Sasa Ugrenovic
  1 sibling, 1 reply; 14+ messages in thread
From: Scott Taylor @ 2003-01-15 15:04 UTC (permalink / raw)
  To: linux-admin

At 04:15 PM 1/14/03, you wrote:
>Ok,
>And what about this ?
>( I read this on that link you provided to me )
>
>iptables -A FORWARD -p tcp --dport 3306 -j ACCEPT
>iptables -A PREROUTING -t nat -p tcp --dport 3306 -j DNAT --to
>192.168.0.14:3306
>
>When I try to connect to the server where I entered the rules I wrote
>above, I get the following:
>
>[root@gatekeeper root]# telnet 192.168.0.13 3306
>Trying 192.168.0.13...
>
>[root@gatekeeper root]#
>
>192.168.0.13 = server where I entered the iptables ... which I need to
>redirect me to 192.168.0.14
>192.168.0.14 = server running mysql ( port 3306 ).

More information is still needed.  How can anyone debug a script that we 
can only see a few lines of?

My _guess_ is the server at 192.168.0.13 does not have its gateway 
pointing to the NAT server.  A common mistake.

Scott.




* Re: Port forwarding how ??
  2003-01-15 15:04     ` Scott Taylor
@ 2003-01-15 17:06       ` Sasa Ugrenovic
  2003-01-15 17:41         ` Jeff Largent
  0 siblings, 1 reply; 14+ messages in thread
From: Sasa Ugrenovic @ 2003-01-15 17:06 UTC (permalink / raw)
  To: linux-admin

Hi, sorry for sending the mail before this one to you, Scott.

Let's forget the e-mails that you and I sent before this one.

This is what I need to have.

192.168.0.13 - Server located in the LAN ( behind NAT and firewall ). -
rh8.0

192.168.0.1 - NAT, firewall server. - rh 7.3

I have a Counter Strike server located on 192.168.0.13, port 27015.

Now, no one on the internet can see that server; they can see only the NAT
server, 192.168.0.1.

Now, I need connections to the NAT server 192.168.0.1:27015 UDP to be
redirected to the internal server 192.168.0.13:27015.

My routes are configured correctly ...



On Wed, 2003-01-15 at 16:04, Scott Taylor wrote:
> 
> More information is still needed.  How can anyone debug a script that we 
> can only see a few lines of?
> 
> My _guess_ is the server at 192.168.0.13 does not have its gateway 
> pointing to the NAT server.  A common mistake.
> 
> Scott.
> 
> 




* Re: Port forwarding how ??
  2003-01-15 15:01     ` Scott Taylor
@ 2003-01-15 17:10       ` Jeff Largent
  0 siblings, 0 replies; 14+ messages in thread
From: Jeff Largent @ 2003-01-15 17:10 UTC (permalink / raw)
  To: Scott Taylor; +Cc: Sasa Ugrenovic, linux-admin

You also need a POSTROUTING rule for the return.
iptables -A POSTROUTING -t nat -p tcp -s 192.168.0.14 --sport 3306 -j SNAT \
    --to-source <ip of host doing the original port forward>

If you don't have this, the forwarding host will gladly forward the message
with the 192.168.0.14 ip, which you have no way of directly contacting.

Jeff

Scott Taylor wrote:
> Please make your replies to the list.
> 
> At 04:15 PM 1/14/03, you wrote:
> 
>> Ok,
>> And what about this ?
>> ( I read this on that link you provided to me )
>>
>> iptables -A FORWARD -p tcp --dport 3306 -j ACCEPT
>> iptables -A PREROUTING -t nat -p tcp --dport 3306 -j DNAT --to
>> 192.168.0.14:3306
>>
>> When I try to connect to the server where I entered the rules I wrote
>> above, I get the following:
>>
>> [root@gatekeeper root]# telnet 192.168.0.13 3306
>> Trying 192.168.0.13...
>>
>> [root@gatekeeper root]#
>>
>> 192.168.0.13 = server where I entered the iptables ... which I need to
>> redirect me to 192.168.0.14
>> 192.168.0.14 = server running mysql ( port 3306 ).

-- 
Jeff Largent                   ImageLinks, Inc.
Sr System Admin                Melbourne, Fl 32935
(321) 253-0011                 fax:(321) 253-5559



* Re: Port forwarding how ??
  2003-01-14 23:16 Port forwarding how ?? Sasa Ugrenovic
  2003-01-14 23:44 ` Scott Taylor
@ 2003-01-15 17:16 ` Jeff Largent
  1 sibling, 0 replies; 14+ messages in thread
From: Jeff Largent @ 2003-01-15 17:16 UTC (permalink / raw)
  To: Sasa Ugrenovic; +Cc: linux-admin

One of the best tools for debugging is tcpdump.  Run one copy on the
machine you're trying to connect from, two on the machine with iptables
and a final copy on the machine you're forwarding to.

on the machine trying to connect from:
tcpdump src port 3306

on the machine with iptables:
tcpdump src host <ip of above machine> and dst port 3306
and
tcpdump src host <ip of this machine> and dst host 192.168.0.14 and dst port 3306

on 192.168.0.14:
tcpdump src host <ip of above machine> and dst port 3306

on the machine with iptables you should see the connection from the machine
you are trying to connect from, and see it go out to 192.168.0.14

on the machine connecting from, make sure any response you get back is
from the ip of the machine running iptables and not the 192.168.0.14 ip.

Jeff

Sasa Ugrenovic wrote:
> Anyone configured port forwarding that worked ?
> 
> I was reading lots of howto documents, but I was unable to configure
> that thing.
> 
> 
> iptables -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 3306 -j DNAT
> --to 192.168.0.14
> 
> This is how I configured it .. but it doesn't work .. anyone have any
> idea or something .. ?
> 
> Thanks.

-- 
Jeff Largent                   ImageLinks, Inc.
Sr System Admin                Melbourne, Fl 32935
(321) 253-0011                 fax:(321) 253-5559
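The last check above, that replies seen on the connecting client carry the NAT host's address and not the internal one, as an added example in sh/awk that is not part of Jeff's message or the thread. It reads a capture made with tcpdump -n (numeric addresses) and flags any reply whose source is the inside host. The NAT host 203.0.113.1 and client 198.51.100.7 are assumed addresses for the example; 192.168.0.14 is the inside server from the thread, and the capture lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Scan a "tcpdump -n" capture taken on
# the connecting client for replies that arrive from the inside server's
# private address instead of the NAT host's address. Assumed addresses:
# NAT host 203.0.113.1, client 198.51.100.7; inside server 192.168.0.14.

# Read capture lines from stdin. $1 = NAT host address, $2 = inside address.
# Prints every leaked reply and a summary; returns 1 if any reply leaked.
check_reply_source() {
    awk -v nat="$1" -v internal="$2" '
        # Lines look like:
        #   12:00:01.000000 IP 203.0.113.1.3306 > 198.51.100.7.40001: Flags [S.], ...
        # Field 3 is "src.port"; strip the trailing .port to get the address.
        $2 == "IP" {
            src = $3
            sub(/\.[0-9]+$/, "", src)
            if (src == internal) { print "LEAK: " $0; bad++ }
            else if (src == nat) { ok++ }
        }
        END {
            printf("replies from NAT host: %d, from inside host: %d\n", ok, bad)
            exit(bad > 0)
        }'
}

# Convenience wrapper: $1 = NAT host address, $2 = capture text.
capture_is_clean() {
    printf '%s\n' "$2" | check_reply_source "$1" 192.168.0.14
}

# Constructed captures: one reply correctly translated back to the NAT
# host, then one that escaped with the private source address.
SAMPLE_CAPTURE='12:00:01.000000 IP 203.0.113.1.3306 > 198.51.100.7.40001: Flags [S.], seq 1, ack 1, win 5840, length 0
12:00:02.000000 IP 192.168.0.14.3306 > 198.51.100.7.40002: Flags [S.], seq 2, ack 1, win 5840, length 0'

GOOD_CAPTURE='12:00:01.000000 IP 203.0.113.1.3306 > 198.51.100.7.40001: Flags [S.], seq 1, ack 1, win 5840, length 0'

if capture_is_clean 203.0.113.1 "$SAMPLE_CAPTURE"; then
    echo "no leaks"
else
    echo "inside address reached the client: the return path is not being translated"
fi
```

In practice the capture comes from `tcpdump -n src port 3306` on the client, piped into `check_reply_source`; a leaked private source means the reply left the NAT host untranslated, which is exactly the case the client cannot answer.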



* Re: Port forwarding how ??
  2003-01-15 17:06       ` Sasa Ugrenovic
@ 2003-01-15 17:41         ` Jeff Largent
  2003-01-15 18:24           ` Sasa Ugrenovic
  2003-01-15 20:09           ` urgrue
  0 siblings, 2 replies; 14+ messages in thread
From: Jeff Largent @ 2003-01-15 17:41 UTC (permalink / raw)
  To: Sasa Ugrenovic; +Cc: linux-admin

assuming:
	eth0 = 192.168.0.1
	eth1 = 192.168.0.13
	and all tables are DENY by default

iptables -A INPUT -i eth0 -p tcp -d 192.168.0.1 --dport 17015 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 17015 -j ACCEPT

iptables -A PREROUTING -i eth0 -p tcp -m tcp --dport 27015 -j DNAT \
    --to-destination 192.168.0.13:27015

iptables -A POSTROUTING -s 192.168.0.13 -o eth0 -p tcp -m tcp --sport 27015 -j \
    SNAT --to-source 192.168.0.1:27015

iptables -A FORWARD -i eth0 -d 192.168.0.13 --dport 27015 -j ACCEPT
iptables -A FORWARD -i eth1 --dport 27015 -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state INVALID,NEW -j DROP


Just a quick throw-together, but I think it should work.

Sasa Ugrenovic wrote:
> Hi, sorry for sending the mail before this one to you, Scott.
> 
> Let's forget the e-mails that you and I sent before this one.
> 
> This is what I need to have.
> 
> 192.168.0.13 - Server located in the LAN ( behind NAT and firewall ). -
> rh8.0
> 
> 192.168.0.1 - NAT, firewall server. - rh 7.3
> 
> I have a Counter Strike server located on 192.168.0.13, port 27015.
> 
> Now, no one on the internet can see that server; they can see only the NAT
> server, 192.168.0.1.
> 
> Now, I need connections to the NAT server 192.168.0.1:27015 UDP to be
> redirected to the internal server 192.168.0.13:27015.
> 
> My routes are configured correctly ...
> 
> 
> 
>
-- 
Jeff Largent                   ImageLinks, Inc.
Sr System Admin                Melbourne, Fl 32935
(321) 253-0011                 fax:(321) 253-5559



* Re: Port forwarding how ??
  2003-01-15 17:41         ` Jeff Largent
@ 2003-01-15 18:24           ` Sasa Ugrenovic
  2003-01-15 20:09           ` urgrue
  1 sibling, 0 replies; 14+ messages in thread
From: Sasa Ugrenovic @ 2003-01-15 18:24 UTC (permalink / raw)
  To: linux-admin

Hmm ..

Not working.

eth0 - 192.168.0.1 - my NAT server, router, firewall [this is the internal LAN
address]
eth1 - my wireless IP - where the packets should be coming to the 27015
port from the outside (internet).

This server is already configured for NATing, firewalling, routing.
So, when I add these rules :

iptables -A PREROUTING -i eth0 -p tcp -m tcp --dport 27015 -j DNAT \
    --to-destination 192.168.0.13:27015

iptables -A POSTROUTING -s 192.168.0.13 -o eth0 -p tcp -m tcp --sport 27015 -j \
    SNAT --to-source 192.168.0.1:27015

iptables -A FORWARD -i eth0 -d 192.168.0.13 --dport 27015 -j ACCEPT
iptables -A FORWARD -i eth1 --dport 27015 -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state INVALID,NEW -j DROP

I changed it a little, like you didn't add -t nat behind PREROUTING and so
on ...

So, can you now fix these lines above to match my system .. 
Sorry for troubling you, but I don't know where I'm wrong in this issue.

Thanks in advance.


On Wed, 2003-01-15 at 18:41, Jeff Largent wrote:
> assuming:
> 	eth0 = 192.168.0.1
> 	eth1 = 192.168.0.13
> 	and all tables are DENY by default
> 
> iptables -A INPUT -i eth0 -p tcp -d 192.168.0.1 --dport 17015 -j ACCEPT
> iptables -A INPUT -i eth1 -p tcp --dport 17015 -j ACCEPT
> 
> iptables -A PREROUTING -i eth0 -p tcp -m tcp --dport 27015 -j DNAT \
>     --to-destination 192.168.0.13:27015
> 
> iptables -A POSTROUTING -s 192.168.0.13 -o eth0 -p tcp -m tcp --sport 27015 -j \
>     SNAT --to-source 192.168.0.1:27015
> 
> iptables -A FORWARD -i eth0 -d 192.168.0.13 --dport 27015 -j ACCEPT
> iptables -A FORWARD -i eth1 --dport 27015 -j ACCEPT
> iptables -A FORWARD -i eth0 -m state --state INVALID,NEW -j DROP
> 
> 
> Just a quick throw-together, but I think it should work.




* Re: Port forwarding how ??
  2003-01-15 17:41         ` Jeff Largent
  2003-01-15 18:24           ` Sasa Ugrenovic
@ 2003-01-15 20:09           ` urgrue
  2003-01-15 20:37             ` Sasa Ugrenovic
  1 sibling, 1 reply; 14+ messages in thread
From: urgrue @ 2003-01-15 20:09 UTC (permalink / raw)
  To: Sasa Ugrenovic; +Cc: linux-admin

I haven't slept in far too long, so please excuse me if I'm totally speaking 
nonsense.
- shouldn't eth0 here be the external interface and eth1 the internal (i.e. 
eth0 = presumably some public IP, eth1 = 192.168.0.1, while 192.168.0.13 is on 
the counter-strike server)?
- likewise, if my assumption is correct, then all occurrences of 192.168.0.1 
should probably be replaced with the public IP.
- did I miss some previous post, or are those 17015s just typos (I thought 
it was 27015)?
- the third and fourth lines must have "-t nat" before the -A
- I THINK the fourth line is redundant. At least in my experience it seems 
netfilter always "un"-NATs a NATed connection; I don't know if this is 
default behaviour or if it's just something in SuSE.
- you can skip line four if your firewall is your default gateway and 
masquerades all your LAN traffic anyway.
- should the sixth line again be --sport instead of --dport?
- maybe you don't want the last line. This would prevent connections to the 
server from the outside, which I assumed was the whole point of the 
exercise (a CS server)?

Hope I didn't just make a fool of myself; I blame it on the sleeplessness.

fred


>assuming:
>         eth0 = 192.168.0.1
>         eth1 = 192.168.0.13
>         and all tables are DENY by default
>
>iptables -A INPUT -i eth0 -p tcp -d 192.168.0.1 --dport 17015 -j ACCEPT
>iptables -A INPUT -i eth1 -p tcp --dport 17015 -j ACCEPT
>
>iptables -A PREROUTING -i eth0 -p tcp -m tcp --dport 27015 -j DNAT \
>    --to-destination 192.168.0.13:27015
>
>iptables -A POSTROUTING -s 192.168.0.13 -o eth0 -p tcp -m tcp --sport \
>    27015 -j SNAT --to-source 192.168.0.1:27015
>
>iptables -A FORWARD -i eth0 -d 192.168.0.13 --dport 27015 -j ACCEPT
>iptables -A FORWARD -i eth1 --dport 27015 -j ACCEPT
>iptables -A FORWARD -i eth0 -m state --state INVALID,NEW -j DROP
>
>
>Just a quick throw-together, but I think it should work.



* Re: Port forwarding how ??
  2003-01-15 20:09           ` urgrue
@ 2003-01-15 20:37             ` Sasa Ugrenovic
  2003-01-15 20:58               ` urgrue
  2003-01-15 21:07               ` Scott Taylor
  0 siblings, 2 replies; 14+ messages in thread
From: Sasa Ugrenovic @ 2003-01-15 20:37 UTC (permalink / raw)
  To: linux-admin

No,
eth0 is the internal iface, and eth1 is external.

27015 is the port .. 

Whatever I do, it doesn't work.

I know that -t nat needs to be before -A POSTROUTING ...
but, that's not an issue here ...

Now, this is what I typed in my console on the NAT server.

--- START ---

/sbin/iptables -A PREROUTING -t nat -p tcp -i eth1 -d $EXTIP --dport 27015 \
    -j DNAT --to 192.168.0.13:27015

/sbin/iptables -A POSTROUTING -t nat -p tcp -s 192.168.0.13/32 -j SNAT \
    --to $EXTIP

iptables -A FORWARD -i eth0 -d 192.168.0.13 --dport 27015 -j ACCEPT

--- END ---

And this doesn't work .. anyone know why ?



On Wed, 2003-01-15 at 21:09, urgrue wrote:
> I haven't slept in far too long, so please excuse me if I'm totally speaking 
> nonsense.
> - shouldn't eth0 here be the external interface and eth1 the internal (i.e. 
> eth0 = presumably some public IP, eth1 = 192.168.0.1, while 192.168.0.13 is on 
> the counter-strike server)?
> - likewise, if my assumption is correct, then all occurrences of 192.168.0.1 
> should probably be replaced with the public IP.
> - did I miss some previous post, or are those 17015s just typos (I thought 
> it was 27015)?
> - the third and fourth lines must have "-t nat" before the -A
> - I THINK the fourth line is redundant. At least in my experience it seems 
> netfilter always "un"-NATs a NATed connection; I don't know if this is 
> default behaviour or if it's just something in SuSE.
> - you can skip line four if your firewall is your default gateway and 
> masquerades all your LAN traffic anyway.
> - should the sixth line again be --sport instead of --dport?
> - maybe you don't want the last line. This would prevent connections to the 
> server from the outside, which I assumed was the whole point of the 
> exercise (a CS server)?
> 
> hope i didnt just make a fool of myself, i blame it on the sleeplessness.
> 
> fred




* Re: Port forwarding how ??
  2003-01-15 20:37             ` Sasa Ugrenovic
@ 2003-01-15 20:58               ` urgrue
  2003-01-15 21:15                 ` Sasa Ugrenovic
  2003-01-15 21:07               ` Scott Taylor
  1 sibling, 1 reply; 14+ messages in thread
From: urgrue @ 2003-01-15 20:58 UTC (permalink / raw)
  To: Sasa Ugrenovic, linux-admin

Those should be --to-destination, not just --to.
Ask your friend or whoever is on the outside to try connecting, while you do:
tcpdump -i eth0 -n port 27015
so you can see if the address is getting NATed, or if it's even entering 
the LAN at all.

As you are adding these rules (-A), maybe you have some previous rules that 
ruin your intentions?
I.e. try inserting them (-I) instead.

Also, when you say it's not working, do you mean the game isn't working or the 
packets aren't going through? Because maybe your rules are doing what you want 
them to, but the game needs something more? Like, does it use any other 
ports? Does it use UDP? tcpdump should help spot those as well.
(try tcpdump -i eth0 -n host $your_friends_IP)

You can also look at the iptables counters (iptables -L -nv or iptables -t nat 
-L -nv). If necessary, add bogus rules without any target, just to count 
packets. This will help you see what rule the packets are matching against.




>/sbin/iptables -A PREROUTING -t nat -p tcp -i eth1 -d $EXTIP --dport
>27015 -j DNAT --to 192.168.0.13:27015
>
>/sbin/iptables -A POSTROUTING -t nat -p tcp -s 192.168.0.13/32 -j SNAT
>--to $EXTIP
>
>iptables -A FORWARD -i eth0 -d 192.168.0.13 --dport 27015 -j ACCEPT
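The counter check urgrue describes above, as an added example in sh/awk that is not part of the message: it reads the per-rule packet counters that `iptables -t nat -L -nv` prints and reports every rule that has never matched, so a misplaced or mis-specified rule shows up as a zero instead of being guessed at. The sample output below is constructed for the example; the interface eth1 and external address 203.0.113.1 in it are assumptions, the target 192.168.0.13:27015 comes from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Report nat-table rules whose packet
# counter is still zero, reading the output of "iptables -t nat -L -nv"
# from stdin. The sample below is constructed; eth1 and 203.0.113.1 are
# assumed values, 192.168.0.13:27015 is the thread's target.

# Print "<chain>: never matched: <rule line>" for each zero-hit rule, then
# the number of such rules as the final line.
zero_hit_rules() {
    awk '
        /^Chain / { chain = $2; next }     # "Chain PREROUTING (policy ...)"
        $1 == "pkts" { next }              # column header line
        NF == 0 { next }                   # blank separator between chains
        $1 == 0 { printf("%s: never matched: %s\n", chain, $0); zero++ }
        END { print zero + 0 }'
}

# Just the count, for scripting.
count_zero_hit() {
    zero_hit_rules | tail -n 1
}

# Constructed sample of "iptables -t nat -L -nv": the TCP DNAT rule has
# never matched (the game speaks UDP), the UDP one and MASQUERADE have.
SAMPLE_COUNTERS='Chain PREROUTING (policy ACCEPT 120 packets, 8000 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth1   *       0.0.0.0/0            203.0.113.1          tcp dpt:27015 to:192.168.0.13:27015
   42  2520 DNAT       udp  --  eth1   *       0.0.0.0/0            203.0.113.1          udp dpt:27015 to:192.168.0.13:27015

Chain POSTROUTING (policy ACCEPT 98 packets, 6100 bytes)
 pkts bytes target     prot opt in     out     source               destination
   98  6100 MASQUERADE  all  --  *      eth1    192.168.0.0/24       0.0.0.0/0'

printf '%s\n' "$SAMPLE_COUNTERS" | zero_hit_rules
```

On the NAT host itself the same function runs as `iptables -t nat -L -nv | zero_hit_rules`; run it once before and once after a test connection, and a rule whose counter stays at zero is one the packets are not reaching.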



* Re: Port forwarding how ??
  2003-01-15 20:37             ` Sasa Ugrenovic
  2003-01-15 20:58               ` urgrue
@ 2003-01-15 21:07               ` Scott Taylor
  1 sibling, 0 replies; 14+ messages in thread
From: Scott Taylor @ 2003-01-15 21:07 UTC (permalink / raw)
  To: linux-admin

At 12:37 PM 1/15/03, you wrote:
>No,
>eth0 is internal iface, and eth1 is external.
>
>27015 is the port ..
>
>Whatever I do, it doesn't work.
>
>I know that -t nat needs to be before -A POSTROUTING ...
>but, that's not an issue here ...
>
>Now, this is what I typed in my console on NAT server.
>
>--- START ---
>
>/sbin/iptables -A PREROUTING -t nat -p tcp -i eth1 -d $EXTIP --dport
>
>And this doesn't work .. anyone know why ?

Because you typed it?  How does IPTables know what $EXTIP is?

Here is a script, taken right out of the IPMasq HowTo, that 
works.  Follow/Change the examples in the script to add more 
rules.  Anything else, it's something in your networking.

--------

#!/bin/sh
#
# rc.firewall-2.4
FWVER=0.70
#
# Thanks to David Ranch's IPMasq HowTo
#               Initial SIMPLE IP Masquerade test for 2.4.x kernels
#               using IPTABLES.
#

echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"

IPTABLES=/sbin/iptables
DEPMOD=/sbin/depmod
INSMOD=/sbin/insmod

EXTIP="xxx.xx.xx.xxx" # your external IP here.
EXTIF="eth1"
INTIF="eth0"

echo "   External Interface:  $EXTIF"
echo "   Internal Interface:  $INTIF"
echo -en "   loading modules: "
echo "  - Verifying that all kernel modules are ok"
$DEPMOD -a

echo "----------------------------------------------------------------------"
echo -en "ip_tables, "

$INSMOD ip_tables

echo -en "ip_conntrack, "
$INSMOD ip_conntrack

echo -en "iptable_nat, "
$INSMOD iptable_nat

echo "----------------------------------------------------------------------"

echo ".  Done loading modules."

echo "   enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward

echo "   clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

$IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 25  -j ACCEPT
$IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 110 -j ACCEPT

# Reject telnet sessions from outside
$IPTABLES -A INPUT -p TCP -i $EXTIF --destination-port 21   -j REJECT

# Forward HTTPS requests  (change the port number to suit yourself)
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 443 -m state \
   --state NEW,ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 443 \
   -j DNAT --to 192.168.0.13:443

$IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --dport 443 \
    -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to 192.168.0.13

echo "   FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state \
   ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG

echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

echo -e "\nrc.firewall-2.4 v$FWVER done.\n"

--------



* Re: Port forwarding how ??
  2003-01-15 20:58               ` urgrue
@ 2003-01-15 21:15                 ` Sasa Ugrenovic
  0 siblings, 0 replies; 14+ messages in thread
From: Sasa Ugrenovic @ 2003-01-15 21:15 UTC (permalink / raw)
  To: linux-admin


It's now working !! L;-}

This is the configuration:

iptables -A FORWARD -i eth1 -o eth0 -p tcp -d 192.168.0.13 --dport 27015 \
    -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d $EXTIP --dport 27015 \
    -j DNAT --to 192.168.0.13:27015

Simple as that ! L;-}


On Wed, 2003-01-15 at 21:58, urgrue wrote:
> Those should be --to-destination, not just --to.
> Ask your friend or whoever is on the outside to try connecting, while you do:
> tcpdump -i eth0 -n port 27015
> so you can see if the address is getting NATed, or if it's even entering 
> the LAN at all.
> 
> As you are adding these rules (-A), maybe you have some previous rules that 
> ruin your intentions?
> I.e. try inserting them (-I) instead.
> 
> Also, when you say it's not working, do you mean the game isn't working or the 
> packets aren't going through? Because maybe your rules are doing what you want 
> them to, but the game needs something more? Like, does it use any other 
> ports? Does it use UDP? tcpdump should help spot those as well.
> (try tcpdump -i eth0 -n host $your_friends_IP)
> 
> You can also look at the iptables counters (iptables -L -nv or iptables -t nat 
> -L -nv). If necessary, add bogus rules without any target, just to count 
> packets. This will help you see what rule the packets are matching against.
> 
> 
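The working rule shape from the message above, generalised as an added sh example that is not part of Sasa's message or anyone's posted rules: it emits the DNAT plus FORWARD rules for both TCP and UDP (the original request was for UDP 27015, and Counter-Strike uses UDP), and lints each rule for two of the mistakes the thread tripped over, a PREROUTING/POSTROUTING rule without -t nat and a --dport/--sport match without -p tcp or -p udp, both of which iptables rejects. The interface names, the external address 203.0.113.1 and the IPT dry-run variable are assumptions of the example; 192.168.0.13:27015 is from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Emits DNAT port-forward rules in the
# shape that worked above, for tcp and udp, and lints rule strings for two
# mistakes seen in the thread. Assumed values: EXTIF=eth1, INTIF=eth0,
# EXTIP=203.0.113.1 (documentation range); 192.168.0.13:27015 is the
# thread's target. IPT=echo makes apply_rules a dry run; set
# IPT=/sbin/iptables on the NAT host to apply them.

EXTIF=${EXTIF:-eth1}
INTIF=${INTIF:-eth0}
EXTIP=${EXTIP:-203.0.113.1}
IPT=${IPT:-echo}

# Print the three rules forwarding one protocol/port to an inside host.
# $1 = tcp|udp, $2 = port, $3 = inside address.
forward_rules() {
    proto=$1 port=$2 dest=$3
    # nat table, matched on the external interface and address only.
    printf '%s\n' "iptables -t nat -A PREROUTING -i $EXTIF -p $proto -d $EXTIP --dport $port -j DNAT --to-destination $dest:$port"
    # FORWARD must admit the rewritten packet; --dport needs -p $proto.
    printf '%s\n' "iptables -A FORWARD -i $EXTIF -o $INTIF -p $proto -d $dest --dport $port -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    # Replies follow the conntrack entry and are un-NATed on the way out, so
    # no SNAT rule is needed for the return path; only tracked replies pass.
    printf '%s\n' "iptables -A FORWARD -i $INTIF -o $EXTIF -p $proto -s $dest --sport $port -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Lint one rule string: print each problem found, return 1 if any.
lint_rule() {
    rule=$1 problems=0
    case " $rule " in
        *" -A PREROUTING "*|*" -A POSTROUTING "*)
            case " $rule " in
                *" -t nat "*) ;;
                *) echo "missing -t nat (PREROUTING/POSTROUTING live in the nat table): $rule"
                   problems=1 ;;
            esac ;;
    esac
    case " $rule " in
        *" --dport "*|*" --sport "*)
            case " $rule " in
                *" -p tcp "*|*" -p udp "*) ;;
                *) echo "--dport/--sport without -p tcp or -p udp (iptables rejects this): $rule"
                   problems=1 ;;
            esac ;;
    esac
    return $problems
}

# Lint every rule forward_rules would emit for the given arguments.
lint_generated() {
    forward_rules "$@" | {
        status=0
        while IFS= read -r line; do
            lint_rule "$line" || status=1
        done
        exit $status     # exits only this subshell; becomes the pipeline status
    }
}

# Run (or echo, when IPT=echo) the rules. The rule string is deliberately
# word-split here; it contains no quoting.
apply_rules() {
    forward_rules "$@" | while IFS= read -r line; do
        $IPT ${line#iptables }
    done
}

rule_count() {
    forward_rules "$@" | awk 'END { print NR }'
}

for proto in tcp udp; do
    lint_generated $proto 27015 192.168.0.13 && apply_rules $proto 27015 192.168.0.13
done
```

The lint is deliberately narrow: it catches the two errors iptables itself reports cryptically ("No chain/target/match by that name" and "unknown option --dport"), and it does not object to the abbreviated --to, which iptables accepts as a prefix of --to-destination.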



