* Port forwarding how ??
From: Sasa Ugrenovic @ 2003-01-14 23:16 UTC
To: linux-admin

Anyone configured port forwarding that worked ?

I was reading lots of howto documents, but I was unable to configure that thing.

iptables -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 3306 -j DNAT --to 192.168.0.14

This is how I configured it .. but it doesn't work .. anyone have any idea or something .. ?

Thanks.
* Re: Port forwarding how ??
From: Scott Taylor @ 2003-01-14 23:44 UTC
To: linux-admin

At 03:16 PM 1/14/03, you wrote:
>Anyone configured port forwarding that worked ?

Yes.

>I was reading lots of howto documents, but I was unable to configure
>that thing.
>
>iptables -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 3306 -j DNAT
>--to 192.168.0.14
>
>This is how I configured it .. but it doesn't work .. anyone have any
>idea or something .. ?

That alone is not going to do a lot for you.

Here is a HowTo that should help:
http://tldp.org/HOWTO/IP-Masquerade-HOWTO/index.html

Then snoop around David's site and read the TrinityOS docs:
http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html
[parent not found: <1042589738.28248.16.camel@marvin.bl.gozostudios.com>]
* Re: Port forwarding how ??
From: Scott Taylor @ 2003-01-15 15:01 UTC
To: Sasa Ugrenovic; +Cc: linux-admin

Please make your replies to the list.

At 04:15 PM 1/14/03, you wrote:
>Ok,
>And what about this ?
>( I read this on that link you provided to me )
>
>iptables -A FORWARD -p tcp --dport 3306 -j ACCEPT
>iptables -A PREROUTING -t nat -p tcp --dport 3306 -j DNAT --to
>192.168.0.14:3306
>
>When I try to connect on the server where I entered the rules I wrote above, I
>get the following:
>
>[root@gatekeeper root]# telnet 192.168.0.13 3306
>Trying 192.168.0.13...
>
>[root@gatekeeper root]#
>
>192.168.0.13 = server where I entered the iptables ... which I need to
>redirect me to 192.168.0.14
>192.168.0.14 = server running mysql ( port 3306 ).
>
>On Wed, 2003-01-15 at 00:44, Scott Taylor wrote:
> > At 03:16 PM 1/14/03, you wrote:
> > >Anyone configured port forwarding that worked ?
> >
> > Yes.
> >
> > >I was reading lots of howto documents, but I was unable to configure
> > >that thing.
> > >
> > >iptables -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 3306 -j DNAT
> > >--to 192.168.0.14
> > >
> > >This is how I configured it .. but it doesn't work .. anyone have any
> > >idea or something .. ?
> >
> > That alone is not going to do a lot for you.
> >
> > Here is a HowTo that should help:
> > http://tldp.org/HOWTO/IP-Masquerade-HOWTO/index.html
> >
> > Then snoop around David's site and read the TrinityOS docs:
> > http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html
> >
> > -
> > To unsubscribe from this list: send the line "unsubscribe linux-admin" in
> > the body of a message to majordomo@vger.kernel.org
> > More majordomo info at http://vger.kernel.org/majordomo-info.html
* Re: Port forwarding how ??
From: Jeff Largent @ 2003-01-15 17:10 UTC
To: Scott Taylor; +Cc: Sasa Ugrenovic, linux-admin

You also need a POSTROUTING for the return.

iptables -A POSTROUTING -t nat -p tcp -s 192.168.0.14 --sport 3306 -j SNAT --to-source <ip of host doing the original port forward>

If you don't have this the forwarding host will gladly forward the message with the 192.168.0.14 IP, that you have no way of directly contacting.

Jeff

Scott Taylor wrote:
> Please make your replies to the list.
>
> At 04:15 PM 1/14/03, you wrote:
>
>> Ok,
>> And what about this ?
>> ( I read this on that link you provided to me )
>>
>> iptables -A FORWARD -p tcp --dport 3306 -j ACCEPT
>> iptables -A PREROUTING -t nat -p tcp --dport 3306 -j DNAT --to
>> 192.168.0.14:3306
>>
>> When I try to connect on the server where I entered the rules I wrote above, I
>> get the following:
>>
>> [root@gatekeeper root]# telnet 192.168.0.13 3306
>> Trying 192.168.0.13...
>>
>> [root@gatekeeper root]#
>>
>> 192.168.0.13 = server where I entered the iptables ... which I need to
>> redirect me to 192.168.0.14
>> 192.168.0.14 = server running mysql ( port 3306 ).

--
Jeff Largent          ImageLinks, Inc.
Sr System Admin       Melbourne, Fl 32935
(321) 253-0011        fax:(321) 253-5559
* Re: Port forwarding how ??
From: Scott Taylor @ 2003-01-15 15:04 UTC
To: linux-admin

At 04:15 PM 1/14/03, you wrote:
>Ok,
>And what about this ?
>( I read this on that link you provided to me )
>
>iptables -A FORWARD -p tcp --dport 3306 -j ACCEPT
>iptables -A PREROUTING -t nat -p tcp --dport 3306 -j DNAT --to
>192.168.0.14:3306
>
>When I try to connect on the server where I entered the rules I wrote above, I
>get the following:
>
>[root@gatekeeper root]# telnet 192.168.0.13 3306
>Trying 192.168.0.13...
>
>[root@gatekeeper root]#
>
>192.168.0.13 = server where I entered the iptables ... which I need to
>redirect me to 192.168.0.14
>192.168.0.14 = server running mysql ( port 3306 ).

More information is still needed. How can anyone debug a script that we can only see a few lines of?

My _guess_ is the server at 192.168.0.13 does not have its gateway pointing to the NAT server. A common mistake.

Scott.
* Re: Port forwarding how ??
From: Sasa Ugrenovic @ 2003-01-15 17:06 UTC
To: linux-admin

Hi, sorry for sending the mail before this to you, Scott.

Let's forget the e-mails that I and you sent before this one.

This is what I need to have.

192.168.0.13 - Server located in the LAN ( behind NAT and firewall ). - rh8.0

192.168.0.1 - NAT, Firewall server. - rh 7.3

I have a Counter Strike server located on 192.168.0.13, port 27015.

Now, no one on the internet can see that server, they can see only the NAT server, 192.168.0.1.

Now, I need to, when connecting on the NAT server 192.168.0.1:27015 UDP, redirect the connection to the internal 192.168.0.13:27015 server.

My routes are configured correctly ...

On Wed, 2003-01-15 at 16:04, Scott Taylor wrote:
> More information is still needed. How can anyone debug a script that we
> can only see a few lines of?
>
> My _guess_ is the server at 192.168.0.13 does not have its gateway
> pointing to the NAT server. A common mistake.
>
> Scott.
* Re: Port forwarding how ??
From: Jeff Largent @ 2003-01-15 17:41 UTC
To: Sasa Ugrenovic; +Cc: linux-admin

assuming:
eth0 = 192.168.0.1
eth1 = 192.168.0.13
and all tables are DENY by default

iptables -A INPUT -i eth0 -p tcp -d 192.168.0.1 --dport 17015 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 17015 -j ACCEPT

iptables -A PREROUTING -i eth0 -p tcp -m tcp --dport 27015 -j DNAT --to-destination 192.168.0.13:27015

iptables -A POSTROUTING -s 192.168.0.13 -o eth0 -p tcp -m tcp --sport 27015 -j SNAT --to-source 192.168.0.1:27015

iptables -A FORWARD -i eth0 -d 192.168.0.13 --dport 27015 -j ACCEPT
iptables -A FORWARD -i eth1 --dport 27015 -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state INVALID,NEW -j DROP

Just a quick throw together but I think it should work.

Sasa Ugrenovic wrote:
> Hi, sorry for sending the mail before this to you, Scott.
>
> Let's forget the e-mails that I and you sent before this one.
>
> This is what I need to have.
>
> 192.168.0.13 - Server located in the LAN ( behind NAT and firewall ). -
> rh8.0
>
> 192.168.0.1 - NAT, Firewall server. - rh 7.3
>
> I have a Counter Strike server located on 192.168.0.13, port 27015.
>
> Now, no one on the internet can see that server, they can see only the NAT
> server, 192.168.0.1.
>
> Now, I need to, when connecting on the NAT server 192.168.0.1:27015 UDP,
> redirect the connection to the internal 192.168.0.13:27015 server.
>
> My routes are configured correctly ...

--
Jeff Largent          ImageLinks, Inc.
Sr System Admin       Melbourne, Fl 32935
(321) 253-0011        fax:(321) 253-5559
* Re: Port forwarding how ??
From: Sasa Ugrenovic @ 2003-01-15 18:24 UTC
To: linux-admin

Hmm .. Not working.

eth0 - 192.168.0.1 - my NAT server, router, firewall [this is the internal LAN address]
eth1 - my wireless IP - where the packets should be coming to port 27015 from the outside (internet).

This server is already configured for NATing, firewalling, routing.

So, when I add these rules :

iptables -A PREROUTING -i eth0 -p tcp -m tcp --dport 27015 -j DNAT --to-destination 192.168.0.13:27015
iptables -A POSTROUTING -s 192.168.0.13 -o eth0 -p tcp -m tcp --sport 27015 -j SNAT --to-source 192.168.0.1:27015
iptables -A FORWARD -i eth0 -d 192.168.0.13 --dport 27015 -j ACCEPT
iptables -A FORWARD -i eth1 --dport 27015 -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state INVALID,NEW -j DROP

I changed a little, like you didn't add -t nat behind PREROUTING and so on ...

So, can you now fix these lines above to match my system ..

Sorry for troubling you, but I don't know where I'm wrong in this issue.

Thanks in advance.

On Wed, 2003-01-15 at 18:41, Jeff Largent wrote:
> assuming:
> eth0 = 192.168.0.1
> eth1 = 192.168.0.13
> and all tables are DENY by default
>
> iptables -A INPUT -i eth0 -p tcp -d 192.168.0.1 --dport 17015 -j ACCEPT
> iptables -A INPUT -i eth1 -p tcp --dport 17015 -j ACCEPT
>
> iptables -A PREROUTING -i eth0 -p tcp -m tcp --dport 27015 -j DNAT
> --to-destination 192.168.0.13:27015
>
> iptables -A POSTROUTING -s 192.168.0.13 -o eth0 -p tcp -m tcp --sport 27015 -j
> SNAT --to-source 192.168.0.1:27015
>
> iptables -A FORWARD -i eth0 -d 192.168.0.13 --dport 27015 -j ACCEPT
> iptables -A FORWARD -i eth1 --dport 27015 -j ACCEPT
> iptables -A FORWARD -i eth0 -m state --state INVALID,NEW -j DROP
>
> Just a quick throw together but I think it should work.
* Re: Port forwarding how ??
From: urgrue @ 2003-01-15 20:09 UTC
To: Sasa Ugrenovic; +Cc: linux-admin

I haven't slept in far too long, so please excuse me if I'm totally speaking nonsense.

- Shouldn't eth0 here be the external interface and eth1 the internal (i.e. eth0 = presumably some public IP, eth1 = 192.168.0.1, while 192.168.0.13 is on the counter-strike server)?
- Likewise, if my assumption is correct then all occurrences of 192.168.0.1 should probably be replaced with the public IP.
- Did I miss some previous post, or are those 17015s just typos (I thought it was 27015)?
- The third and fourth lines must have "-t nat" before the -A.
- I THINK the fourth line is redundant. At least in my experience it seems netfilter always "un"-nats a natted connection; I don't know if this is default behaviour or if it's just something in SuSE.
- You can skip line four if your firewall is your default gateway and masquerades all your LAN traffic anyway.
- Should the sixth line again be --sport instead of --dport?
- Maybe you don't want the last line. This would prevent connections to the server from the outside, which I assumed was the whole point of the exercise (a CS server)?

Hope I didn't just make a fool of myself, I blame it on the sleeplessness.

fred

>assuming:
> eth0 = 192.168.0.1
> eth1 = 192.168.0.13
> and all tables are DENY by default
>
>iptables -A INPUT -i eth0 -p tcp -d 192.168.0.1 --dport 17015 -j ACCEPT
>iptables -A INPUT -i eth1 -p tcp --dport 17015 -j ACCEPT
>
>iptables -A PREROUTING -i eth0 -p tcp -m tcp --dport 27015 -j DNAT
>--to-destination 192.168.0.13:27015
>
>iptables -A POSTROUTING -s 192.168.0.13 -o eth0 -p tcp -m tcp --sport
>27015 -j SNAT --to-source 192.168.0.1:27015
>
>iptables -A FORWARD -i eth0 -d 192.168.0.13 --dport 27015 -j ACCEPT
>iptables -A FORWARD -i eth1 --dport 27015 -j ACCEPT
>iptables -A FORWARD -i eth0 -m state --state INVALID,NEW -j DROP
>
>Just a quick throw together but I think it should work.
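Jeff's point in his 17:10 message (a forwarded connection whose reply arrives straight from the internal address is useless to the client) and urgrue's remark above that netfilter "un"-nats a natted connection describe the same mechanism from two sides. The following is an added model, not code from the thread or from netfilter: a toy nat table with a conntrack entry, walked through for a request and its reply. The outside addresses 203.0.113.1 (the box's external IP) and 203.0.113.5 (an outside client) and the LAN client 192.168.0.50 are constructed; 192.168.0.1 and 192.168.0.13 are the thread's. The filter table and ip_forward are assumed to permit the traffic. It shows an outside client served by DNAT alone, a client on the server's own LAN receiving its reply directly from 192.168.0.13 (which it rejects, the case Jeff describes), and that same client working once the forwarded request is also source-NATed so the reply comes back through the box.

```python
"""Added example, not from the thread or from netfilter: a toy nat table with a
conntrack entry, used to show why DNAT alone serves an outside client and why a
client on the server's own LAN also needs the forwarded request source-NATed.
The filter table (FORWARD rules) and ip_forward are assumed to permit traffic."""
import ipaddress
from dataclasses import dataclass, replace

LAN = ipaddress.ip_network("192.168.0.0/24")
EXTIP = "203.0.113.1"      # NAT box, outside address (constructed, RFC 5737 range)
NAT_INT = "192.168.0.1"    # NAT box, LAN address (from the thread)
SERVER = "192.168.0.13"    # game server (from the thread)
PORT = 27015


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatBox:
    """PREROUTING DNAT, optional POSTROUTING SNAT for LAN clients, and a
    conntrack table that reverses both translations on the reply."""

    def __init__(self, snat_lan_clients: bool):
        self.snat_lan_clients = snat_lan_clients
        self.conntrack = {}   # reply tuple -> original (pre-NAT) packet

    def forward(self, pkt: Packet) -> Packet:
        orig = pkt
        # -t nat -A PREROUTING -d EXTIP -p udp --dport 27015 -j DNAT --to SERVER:27015
        if pkt.dst == EXTIP and pkt.dport == PORT:
            pkt = replace(pkt, dst=SERVER)
        # -t nat -A POSTROUTING -s LAN -d SERVER -p udp --dport 27015 -j SNAT --to NAT_INT
        if self.snat_lan_clients and ipaddress.ip_address(pkt.src) in LAN and pkt.dst == SERVER:
            pkt = replace(pkt, src=NAT_INT)
        # conntrack keys the entry by the reply tuple of the translated packet
        self.conntrack[(pkt.dst, pkt.dport, pkt.src, pkt.sport)] = orig
        return pkt

    def reply(self, pkt: Packet) -> Packet:
        orig = self.conntrack.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is None:
            return pkt  # no matching flow: nothing to undo
        # undo both translations: back to the original client, from the address it talked to
        return Packet(src=orig.dst, sport=orig.dport, dst=orig.src, dport=orig.sport)


def reply_passes_through_box(reply: Packet) -> bool:
    """A reply addressed to the box itself, or to a host outside the LAN, goes
    through the NAT box; a reply to another LAN host is delivered directly."""
    if reply.dst in (NAT_INT, EXTIP):
        return True
    return ipaddress.ip_address(reply.dst) not in LAN


def simulate(client_ip: str, snat_lan_clients: bool) -> dict:
    box = NatBox(snat_lan_clients)
    request = Packet(client_ip, 40000, EXTIP, PORT)
    at_server = box.forward(request)
    # the server answers whatever source address it saw
    server_reply = Packet(SERVER, PORT, at_server.src, at_server.sport)
    seen = box.reply(server_reply) if reply_passes_through_box(server_reply) else server_reply
    return {
        "server_saw_src": at_server.src,
        "reply_src_seen_by_client": seen.src,
        # the client only accepts a reply from the address and port it sent to
        "client_accepts": seen.src == EXTIP and seen.sport == PORT and seen.dst == client_ip,
    }


if __name__ == "__main__":
    for client, snat in (("203.0.113.5", False), ("192.168.0.50", False), ("192.168.0.50", True)):
        print(client, "snat_lan_clients=%s" % snat, simulate(client, snat))
```

Two things the model makes visible: a POSTROUTING rule matching the server's replies (as in Jeff's 17:10 rule) never fires, because the nat table is consulted only for the first packet of a flow and conntrack reverses the mapping on its own; and source-NATing LAN clients costs the server the real client address in its logs, which is why LAN clients are usually pointed at the internal address directly instead.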
* Re: Port forwarding how ??
From: Sasa Ugrenovic @ 2003-01-15 20:37 UTC
To: linux-admin

No, eth0 is the internal iface, and eth1 is external.

27015 is the port ..

Whatever I do, it doesn't work.

I know that -t nat needs to be before -A POSTROUTING ...
but that's not an issue here ...

Now, this is what I typed in my console on the NAT server.

--- START ---

/sbin/iptables -A PREROUTING -t nat -p tcp -i eth1 -d $EXTIP --dport 27015 -j DNAT --to 192.168.0.13:27015

/sbin/iptables -A POSTROUTING -t nat -p tcp -s 192.168.0.13/32 -j SNAT --to $EXTIP

iptables -A FORWARD -i eth0 -d 192.168.0.13 --dport 27015 -j ACCEPT

--- END ---

And this doesn't work .. anyone know why ?

On Wed, 2003-01-15 at 21:09, urgrue wrote:
> I haven't slept in far too long, so please excuse me if I'm totally speaking
> nonsense.
> - Shouldn't eth0 here be the external interface and eth1 the internal (i.e.
> eth0 = presumably some public IP, eth1 = 192.168.0.1, while 192.168.0.13 is on
> the counter-strike server)?
> - Likewise, if my assumption is correct then all occurrences of 192.168.0.1
> should probably be replaced with the public IP.
> - Did I miss some previous post, or are those 17015s just typos (I thought
> it was 27015)?
> - The third and fourth lines must have "-t nat" before the -A.
> - I THINK the fourth line is redundant. At least in my experience it seems
> netfilter always "un"-nats a natted connection; I don't know if this is
> default behaviour or if it's just something in SuSE.
> - You can skip line four if your firewall is your default gateway and
> masquerades all your LAN traffic anyway.
> - Should the sixth line again be --sport instead of --dport?
> - Maybe you don't want the last line. This would prevent connections to the
> server from the outside, which I assumed was the whole point of the
> exercise (a CS server)?
>
> Hope I didn't just make a fool of myself, I blame it on the sleeplessness.
>
> fred
* Re: Port forwarding how ??
From: urgrue @ 2003-01-15 20:58 UTC
To: Sasa Ugrenovic, linux-admin

Those should be --to-destination, not just --to.

Ask your friend or whoever is on the outside to try connecting, while you do:
tcpdump -i eth0 -n port 27015
so you can see if the address is getting natted, or if it's even entering the LAN at all.

As you are adding these rules (-A), maybe you have some previous rules that ruin your intentions?
I.e. try inserting them (-I) instead.

Also, when you say it's not working, do you mean the game isn't working or the packets aren't going through? Because maybe your rules are doing what you want them to, but the game needs something more? Like does it use any other ports? Does it use UDP? tcpdump should help spot those as well.
(try tcpdump -i eth0 -n host $your_friends_IP)

You can also look at the iptables counters (iptables -L -nv or iptables -t nat -L -nv). If necessary add bogus rules without any target, just to count packets. This will help you see which rule the packets are matching against.

>/sbin/iptables -A PREROUTING -t nat -p tcp -i eth1 -d $EXTIP --dport
>27015 -j DNAT --to 192.168.0.13:27015
>
>/sbin/iptables -A POSTROUTING -t nat -p tcp -s 192.168.0.13/32 -j SNAT
>--to $EXTIP
>
>iptables -A FORWARD -i eth0 -d 192.168.0.13 --dport 27015 -j ACCEPT
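The counter check urgrue suggests above is easiest to act on when the output is reduced to "which rules have been hit and which have not". The following is an added example, not from the thread: a parser for the text that `iptables -t nat -L -nv` prints. The sample output is constructed to match that layout (a tcp DNAT rule that nothing has matched next to a udp DNAT rule that has, which is the situation urgrue's "does it use UDP?" question is probing); 203.0.113.1 stands in for the external IP.

```python
"""Added example, not from the thread: parse `iptables -t nat -L -nv` output and
report which rules have matched packets. SAMPLE_COUNTERS is constructed."""
import re

SAMPLE_COUNTERS = """\
Chain PREROUTING (policy ACCEPT 1203 packets, 98765 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth1   *       0.0.0.0/0            203.0.113.1          tcp dpt:27015 to:192.168.0.13:27015
   42  3108 DNAT       udp  --  eth1   *       0.0.0.0/0            203.0.113.1          udp dpt:27015 to:192.168.0.13:27015

Chain POSTROUTING (policy ACCEPT 55 packets, 4400 bytes)
 pkts bytes target     prot opt in     out     source               destination
  211 16880 MASQUERADE  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+) (\d+) packets, (\d+) bytes\)")
COUNTER_SUFFIX = {"K": 1000, "M": 1_000_000, "G": 1_000_000_000}


def to_int(field):
    """Without -x, iptables abbreviates large counters as e.g. 12K or 3M."""
    if field[-1] in COUNTER_SUFFIX:
        return int(field[:-1]) * COUNTER_SUFFIX[field[-1]]
    return int(field)


def chain_policies(text):
    """{chain: (policy, packets that fell through to the policy)}"""
    out = {}
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            out[m.group(1)] = (m.group(2), int(m.group(3)))
    return out


def parse_counters(text):
    """One dict per rule line, in listing order, with the chain it belongs to."""
    rules, chain = [], None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        parts = line.split()
        if len(parts) < 9 or parts[0] == "pkts":   # blank line or column header
            continue
        pkts, nbytes, target, prot, _opt, in_if, out_if, src, dst = parts[:9]
        rules.append({
            "chain": chain, "pkts": to_int(pkts), "bytes": to_int(nbytes),
            "target": target, "prot": prot, "in": in_if, "out": out_if,
            "src": src, "dst": dst, "match": " ".join(parts[9:]),
        })
    return rules


def never_matched(text):
    """Rules whose packet counter is still zero: the traffic is not reaching them."""
    return [r for r in parse_counters(text) if r["pkts"] == 0]


def hit_rules(text):
    return [r for r in parse_counters(text) if r["pkts"] > 0]


if __name__ == "__main__":
    for r in never_matched(SAMPLE_COUNTERS):
        print("never matched:", r["chain"], r["target"], r["prot"], r["match"])
    for r in hit_rules(SAMPLE_COUNTERS):
        print("hit %6d pkts:" % r["pkts"], r["chain"], r["target"], r["prot"], r["match"])
```

One caveat when reading nat-table counters: that table is consulted only for the first packet of each connection, so a DNAT rule showing a handful of packets for a busy, working flow is normal; the filter-table FORWARD counters are the ones that grow with the traffic itself. Use `-x` to get exact counts instead of the K/M abbreviations.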
* Re: Port forwarding how ??
From: Sasa Ugrenovic @ 2003-01-15 21:15 UTC
To: linux-admin

It's now working !! L;-}

This is the configuration:

iptables -A FORWARD -i eth1 -o eth0 -p tcp -d 192.168.0.13 --dport 27015 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d $EXTIP --dport 27015 -j DNAT --to 192.168.0.13:27015

Simple as that ! L;-}

On Wed, 2003-01-15 at 21:58, urgrue wrote:
> Those should be --to-destination, not just --to.
> Ask your friend or whoever is on the outside to try connecting, while you do:
> tcpdump -i eth0 -n port 27015
> so you can see if the address is getting natted, or if it's even entering
> the LAN at all.
>
> As you are adding these rules (-A), maybe you have some previous rules that
> ruin your intentions?
> I.e. try inserting them (-I) instead.
>
> Also, when you say it's not working, do you mean the game isn't working or the
> packets aren't going through? Because maybe your rules are doing what you want
> them to, but the game needs something more? Like does it use any other
> ports? Does it use UDP? tcpdump should help spot those as well.
> (try tcpdump -i eth0 -n host $your_friends_IP)
>
> You can also look at the iptables counters (iptables -L -nv or iptables -t nat
> -L -nv). If necessary add bogus rules without any target, just to count
> packets. This will help you see which rule the packets are matching against.
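Several of the problems in this thread were visible in the rule text before anything was loaded: PREROUTING and POSTROUTING used without `-t nat`, `--dport` without a `-p tcp` or `-p udp`, and rules written for TCP while the service was described as UDP. The following is an added example, not from the thread: a static check over a list of iptables command lines for exactly those pitfalls, run against Jeff's 17:41 draft and Sasa's final configuration above, both copied as posted (`$EXTIP` is left as written; the `JEFF_DRAFT`, `FINAL_CONFIG`, `parse_rule` and `lint` names are this example's own). It only reads the command text and never touches the kernel, so it can be run anywhere.

```python
"""Added example, not from the thread: a static check of iptables command lines
for the pitfalls the thread ran into. Reads text only; nothing is loaded into
the kernel. Rule sets below are copied from the thread as posted."""
import shlex

NAT_CHAINS = {"PREROUTING", "POSTROUTING"}
NAT_TARGETS = {"DNAT", "SNAT", "MASQUERADE", "REDIRECT"}
PORT_OPTIONS = {"--dport", "--destination-port", "--sport", "--source-port"}

# Jeff Largent's draft (2003-01-15 17:41), as posted
JEFF_DRAFT = [
    "iptables -A INPUT -i eth0 -p tcp -d 192.168.0.1 --dport 17015 -j ACCEPT",
    "iptables -A INPUT -i eth1 -p tcp --dport 17015 -j ACCEPT",
    "iptables -A PREROUTING -i eth0 -p tcp -m tcp --dport 27015 -j DNAT --to-destination 192.168.0.13:27015",
    "iptables -A POSTROUTING -s 192.168.0.13 -o eth0 -p tcp -m tcp --sport 27015 -j SNAT --to-source 192.168.0.1:27015",
    "iptables -A FORWARD -i eth0 -d 192.168.0.13 --dport 27015 -j ACCEPT",
    "iptables -A FORWARD -i eth1 --dport 27015 -j ACCEPT",
    "iptables -A FORWARD -i eth0 -m state --state INVALID,NEW -j DROP",
]

# Sasa Ugrenovic's final configuration (2003-01-15 21:15), as posted
FINAL_CONFIG = [
    "iptables -A FORWARD -i eth1 -o eth0 -p tcp -d 192.168.0.13 --dport 27015 -j ACCEPT",
    "iptables -t nat -A PREROUTING -i eth1 -p tcp -d $EXTIP --dport 27015 -j DNAT --to 192.168.0.13:27015",
]


def parse_rule(cmd):
    """Pick the options the checks need out of one iptables command line."""
    args = shlex.split(cmd)
    r = {"table": "filter", "chain": None, "target": None, "proto": None,
         "dport": None, "port_match": False}
    i = 1                       # skip the iptables binary itself
    while i < len(args):
        opt = args[i]
        val = args[i + 1] if i + 1 < len(args) else ""
        if opt == "-t":
            r["table"] = val
        elif opt in ("-A", "-I"):
            r["chain"] = val
        elif opt == "-j":
            r["target"] = val
        elif opt == "-p":
            r["proto"] = val.lower()
        elif opt in PORT_OPTIONS:
            r["port_match"] = True
            if opt in ("--dport", "--destination-port"):
                r["dport"] = val
        else:
            i += 1              # an option we do not inspect; any value it has is skipped next
            continue
        i += 2
    return r


def lint(rules, service_port=None, service_proto=None):
    """Return (rule_index, message) findings; index None refers to the set as a whole."""
    findings = []
    parsed = [parse_rule(c) for c in rules]
    for n, r in enumerate(parsed):
        if r["chain"] in NAT_CHAINS and r["table"] != "nat":
            findings.append((n, f"{r['chain']} is a nat-table chain: add -t nat"))
        elif r["target"] in NAT_TARGETS and r["table"] != "nat":
            findings.append((n, f"-j {r['target']} only exists in the nat table: add -t nat"))
        if r["port_match"] and r["proto"] not in ("tcp", "udp"):
            findings.append((n, "--dport/--sport need -p tcp or -p udp; iptables rejects the rule"))
    if service_port is not None:
        covered = any(r["table"] == "nat" and r["chain"] == "PREROUTING"
                      and r["target"] == "DNAT" and r["proto"] == service_proto
                      and r["dport"] == str(service_port) for r in parsed)
        if not covered:
            findings.append((None, f"no nat PREROUTING DNAT rule for {service_proto}/{service_port}"))
    return findings


if __name__ == "__main__":
    for name, rules in (("JEFF_DRAFT", JEFF_DRAFT), ("FINAL_CONFIG", FINAL_CONFIG)):
        print(name)
        for idx, msg in lint(rules, service_port=27015, service_proto="udp"):
            print("  rule %s: %s" % ("set" if idx is None else idx, msg))
```

Against Jeff's draft this reports the two nat chains used without `-t nat` and the two FORWARD rules with `--dport` but no protocol, which is what urgrue and Sasa noticed by hand. Against the final configuration it reports only that no udp DNAT rule exists for 27015, the port Sasa earlier described as UDP; that is a prompt to confirm what the game actually uses, which the counter and tcpdump checks above answer. The check cannot see rule order relative to what is already loaded, which is the `-A` versus `-I` point urgrue raises.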
* Re: Port forwarding how ??
From: Scott Taylor @ 2003-01-15 21:07 UTC
To: linux-admin

At 12:37 PM 1/15/03, you wrote:
>No,
>eth0 is the internal iface, and eth1 is external.
>
>27015 is the port ..
>
>Whatever I do, it doesn't work.
>
>I know that -t nat needs to be before -A POSTROUTING ...
>but that's not an issue here ...
>
>Now, this is what I typed in my console on the NAT server.
>
>--- START ---
>
>/sbin/iptables -A PREROUTING -t nat -p tcp -i eth1 -d $EXTIP --dport
>
>And this doesn't work .. anyone know why ?

Because you typed it? How does IPTables know what $EXTIP is?

Here is a script, taken right out of the IPMasq HowTo, that works. Follow/Change the examples in the script to add more rules. Anything else, it's something in your networking.

--------
#!/bin/sh
#
# rc.firewall-2.4
FWVER=0.70
#
# Thanks to David Ranch's IPMasq HowTo
# Initial SIMPLE IP Masquerade test for 2.4.x kernels
# using IPTABLES.
#
echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"

IPTABLES=/sbin/iptables
DEPMOD=/sbin/depmod
INSMOD=/sbin/insmod

EXTIP="xxx.xx.xx.xxx"   # your external IP here.
EXTIF="eth1"
INTIF="eth0"
echo "   External Interface:  $EXTIF"
echo "   Internal Interface:  $INTIF"

echo -en "   loading modules: "
echo "  - Verifying that all kernel modules are ok"
$DEPMOD -a
echo "----------------------------------------------------------------------"
echo -en "ip_tables, "
$INSMOD ip_tables
echo -en "ip_conntrack, "
$INSMOD ip_conntrack
echo -en "iptable_nat, "
$INSMOD iptable_nat
echo "----------------------------------------------------------------------"
echo ". Done loading modules."

echo "   enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward

echo "   clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

$IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 25 -j ACCEPT
$IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 110 -j ACCEPT

# Reject telnet sessions from outside
$IPTABLES -A INPUT -p TCP -i $EXTIF --destination-port 21 -j REJECT

# Forward HTTPS requests (change the port number to suit yourself)
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 443 -m state \
   --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 443 \
   -j DNAT --to 192.168.0.13:443
$IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --dport 443 \
   -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to 192.168.0.13

echo "   FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG

echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

echo -e "\nrc.firewall-2.4 v$FWVER done.\n"
--------
* Re: Port forwarding how ??
From: Jeff Largent @ 2003-01-15 17:16 UTC
To: Sasa Ugrenovic; +Cc: linux-admin

One of the best tools for debugging is tcpdump. Run one copy on the machine you're trying to connect from, two on the machine with iptables and a final copy on the machine you're forwarding to.

on the machine you're trying to connect from:
tcpdump src port 3306

on the machine with iptables:
tcpdump src host <ip of above machine> and dst port 3306
and
tcpdump src host <ip of this machine> and dst host 192.168.0.14 and dst port 3306

on 192.168.0.14:
tcpdump src host <ip of above machine> and dst port 3306

On the machine with iptables you should see the connect from the machine you are trying to connect from, and see it go out to 192.168.0.14.

On the machine you're connecting from, make sure any response you get back is from the IP of the machine running iptables and not the 192.168.0.14 IP.

Jeff

Sasa Ugrenovic wrote:
> Anyone configured port forwarding that worked ?
>
> I was reading lots of howto documents, but I was unable to configure
> that thing.
>
> iptables -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 3306 -j DNAT
> --to 192.168.0.14
>
> This is how I configured it .. but it doesn't work .. anyone have any
> idea or something .. ?
>
> Thanks.

--
Jeff Largent          ImageLinks, Inc.
Sr System Admin       Melbourne, Fl 32935
(321) 253-0011        fax:(321) 253-5559