From: "John A. Sullivan III" <john.sullivan@nexusmgmt.com>
To: alucard@kanux.com
Cc: netfilter@lists.netfilter.org
Subject: Re: forwarding
Date: Tue, 18 May 2004 10:39:41 -0400
Message-ID: <1084891180.6410.18.camel@localhost>
In-Reply-To: <33934.200.44.170.105.1084890127.squirrel@200.44.170.105>

I think I see it - I'll add a comment in your e-mail within brackets []

On Tue, 2004-05-18 at 10:22, alucard@kanux.com wrote:
> Hi there again,
>
> I finally decided to add a second card to both, the server and the
> client to be able to forward packets from port 8080 in server 1 to port
> 80 in server 2 and somehow these packets are not going thru, let me
> explain my scenario
>
>                Internet Address
>                 Nat'ed Address
>                ---------------
>                |  Linux Box  |
>      Server 1  |10.73.219.156|nat'ed' address
>                | 192.168.0.1 |2nd NIC to forward packets
>                ---------------
>                      8080
>                        |
>                        |
>                       80
>                ---------------
>                | web server  |
>      Server 2  | 192.168.0.2 |
>                |             |
>                ---------------
>
>
> - Server 1 has a natted address using its 10.73; what I'm trying to do is
> that everything that comes to 10.73.219.156:8080 gets forwarded to
> 192.168.0.2:80.
>
> - Server 1 functions as a webserver and that's why I'm using port 8080 in
> order to forward packets to port 80 in server 2
>
> - Here's my Server 1's /etc/rc.d/rc.firewall script because somehow it's
> not working:
>
> -----
> echo "Borrando posibles reglas anteriores..."
> iptables -F
> iptables -X
>
> echo "Habilitando politicas de negacion total de paquetes"
>
> iptables -P FORWARD DROP
> iptables -P INPUT DROP
>
> echo "Reglas para paquetes de entrada y salida"
>
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> iptables -A INPUT -p tcp --dport 21 -j ACCEPT
> iptables -A INPUT -p tcp --dport 25 -j ACCEPT
> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
>
> ## internal
> iptables -A INPUT -i eth0 -p tcp --dport 143 -j ACCEPT
> iptables -A INPUT -i lo -p tcp --dport 143 -j ACCEPT
> iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
> iptables -A INPUT -i eth0 -p tcp --dport 110 -j ACCEPT
>
> # for forwarding
> echo 0 > /proc/sys/net/ipv4/ip_forward
> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -d 192.168.0.2 -p tcp --dport 80 -j ACCEPT
> iptables -t nat -A PREROUTING -d 192.168.0.1 -p tcp --dport 8080 \
> -j DNAT --to-destination 192.168.0.2:80
[JAS - isn't the packet coming in on 10.73.219.156? In other words, your
NAT rule should be:
iptables -t nat -A PREROUTING -d 10.73.219.156 -p 6 --dport 8080 -j DNAT --to-destination 192.168.0.2:80]
> echo 1 > /proc/sys/net/ipv4/ip_forward
> -----
>
> I have done this many times and somehow this time is not working, that
> means that I have changed many things using postrouting, nat and dnat. Is
> it because any misconfiguration on Server 2's route? here's the output:
>
> -----
> [root@linserv root]# route
> Kernel IP routing table
> Destination Gateway Genmask Flags Metric Ref Use Iface
> 192.168.0.0 * 255.255.255.0 U 0 0 0 eth1
> 10.73.216.0 * 255.255.252.0 U 0 0 0 eth0
> 169.254.0.0 * 255.255.0.0 U 0 0 0 eth0
> 127.0.0.0 * 255.0.0.0 U 0 0 0 lo
> default 192.168.0.1 0.0.0.0 UG 0 0 0 eth1
> -----
>
> Is it because I have to use different INPUT rules? for what I know, INPUT
> rules are only for the packets going to the computer itself.
>
> Any suggestions will be great
> Thanks a lot as usual to this great mailing list
>
> Juan
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net
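
Added example (not part of the original message and not netfilter project code): a small shell model of the hook order that the bracketed comment relies on, tracing the first packet of a new connection through nat PREROUTING, the routing decision, and the filter chain it lands in. The `trace` and `contains` helpers are hypothetical; addresses, ports and policies are copied from the quoted script, and the `-i` restrictions on ports 110 and 143 are ignored.

```shell
#!/bin/sh
# Constructed model of Server 1 handling the first packet of a TCP connection.
# It only mirrors the rules quoted in the message; it does not call iptables.

LOCAL_ADDRS="10.73.219.156 192.168.0.1 127.0.0.1"   # addresses Server 1 owns
INPUT_PORTS="21 22 25 80 110 143 3306"              # -i limits on 110/143 ignored

# contains LIST ITEM: succeed when ITEM is a word in the space-separated LIST
contains() {
    case " $1 " in *" $2 "*) return 0 ;; esac
    return 1
}

# trace DNAT_MATCH PKT_DST PKT_DPORT
# DNAT_MATCH is the -d value of the nat PREROUTING rule
#   -p tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80
# Prints "<chain> <verdict> <final dst>:<final port>".
trace() {
    dnat_match=$1 dst=$2 dport=$3

    # 1. nat PREROUTING sees the destination exactly as the client sent it.
    if [ "$dst" = "$dnat_match" ] && [ "$dport" = 8080 ]; then
        dst=192.168.0.2 dport=80
    fi

    # 2. Routing decision: a local destination goes to INPUT, anything else to FORWARD.
    if contains "$LOCAL_ADDRS" "$dst"; then
        chain=INPUT verdict=DROP                     # iptables -P INPUT DROP
        contains "$INPUT_PORTS" "$dport" && verdict=ACCEPT
    else
        chain=FORWARD verdict=DROP                   # iptables -P FORWARD DROP
        # iptables -A FORWARD -d 192.168.0.2 -p tcp --dport 80 -j ACCEPT
        [ "$dst" = 192.168.0.2 ] && [ "$dport" = 80 ] && verdict=ACCEPT
    fi
    echo "$chain $verdict $dst:$dport"
}

# Client connects to 10.73.219.156:8080 in both cases.
echo "rule as posted    (-d 192.168.0.1):   $(trace 192.168.0.1 10.73.219.156 8080)"
echo "rule as suggested (-d 10.73.219.156): $(trace 10.73.219.156 10.73.219.156 8080)"
```

With the posted rule the packet is never rewritten, so it is routed to INPUT, where no rule accepts port 8080 and the DROP policy applies. The FORWARD rule only comes into play once the DNAT rule matches the address the client actually used.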