johanl Posted July 7, 2004

Hello everyone,

I've got a little problem with getting ports forwarded with iptables. On a different forum, someone told me that

iptables --table nat -A PREROUTING -i internalinterf -p tcp --dport portnr. -j DNAT --to internalip

should do the trick. However, my firewall does not forward anything at all... When I do an iptables -L, I get a listing of my active rules, as far as I know? Anyway, I don't see any port forwarding rule in there. Am I doing something wrong?
Gowator Posted July 7, 2004

Make sure you're not using shorewall if you want to do this by hand (it's a front end to IPTABLES). Mandrake installs it without asking if you use some of the network wizards... Try (as root) shorewall stop... if it works then it was running :D You can then either disable it at startup, uninstall it, etc.

If not, then either you need a better expert than me or RTFM.... Not trying to be rude.... but IPTABLES is kinda pretty much RTFM or trust an expert (which I'm not).

p.s. A short HOWTO is at the LDP: IP Masquerading Simple HOWTO.. (5 pages including pictures :D)
streeter Posted July 7, 2004

> When I do an iptables -L, I get a listing of my active rules, as far as I know?

To see the nat table, you need to specify it with:

iptables -nvL -t nat

You may also need to insert the rule into the PREROUTING table, rather than adding it to the end - use "-I PREROUTING <position>" instead of "-A PREROUTING", otherwise another rule may 'catch' the packets first.

Should be OK to do this 'on top' of shorewall, providing it is done after shorewall has run, though to keep things tidy it is best to edit the shorewall files.

Chris
johanl Posted July 8, 2004 (edited)

Ok, I did it with the -I PREROUTING, without giving it a number though, and when I do an iptables -nvL -t nat I get this:

abbath:/ # iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 1143K packets, 51M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:80 to:192.168.117.156
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.117.156

Chain POSTROUTING (policy ACCEPT 9951 packets, 1367K bytes)
 pkts bytes target     prot opt in     out     source               destination
13102 1193K MASQUERADE all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 27740 packets, 3290K bytes)
 pkts bytes target     prot opt in     out     source               destination

Does this look good? Because it still doesn't work... and the pc does accept telnet ip 80...

In my firewall, eth0 is my internal network card and eth1 the external network card, connected to my DSL modem/router which forwards everything to the ip of the external interface.

Edited July 8, 2004 by johanl
streeter Posted July 8, 2004

This is forwarding all http traffic coming in on eth0 to your webserver - I assume you want this to be eth1... So the rule needs to be

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.117.156

You could also use eth+ for all ethernet interfaces.

You will also need to enable forwarding with net.ipv4.ip_forward=1 in /etc/sysctl.conf

Chris
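The two points raised in this thread (the DNAT rule must match the external interface, and forwarding must actually be enabled) can be checked mechanically. The script below is an added example, not code from anyone in the thread: it prints the complete set of commands for a working forward (DNAT plus the FORWARD-chain rules and ip_forward, which a nat rule alone does not give you), and it audits an `iptables -nvL -t nat` listing for DNAT rules bound to the internal interface, which never see inbound traffic and so sit at zero packets. Interface names and the server address are taken from the posts above (eth1 external, eth0 internal, 192.168.117.156); the embedded listing is the one johanl posted.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes eth1 is the external NIC,
# eth0 the internal one and 192.168.117.156 the web server, as in the posts.
EXT_IF="eth1"
INT_IF="eth0"
SERVER="192.168.117.156"
PORT="80"

# Print the commands that make up a working port forward. Nothing is applied
# here; copy the output and run it as root on the firewall.
forward_rules() {
    # Rewrite the destination of new connections arriving on the external side.
    echo "iptables -t nat -I PREROUTING -i $EXT_IF -p tcp --dport $PORT -j DNAT --to-destination $SERVER:$PORT"
    # DNAT only rewrites addresses; the FORWARD chain still has to let the
    # rewritten packets (and the replies) through.
    echo "iptables -I FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $SERVER --dport $PORT -m state --state NEW,ESTABLISHED -j ACCEPT"
    echo "iptables -I FORWARD -i $INT_IF -o $EXT_IF -p tcp -s $SERVER --sport $PORT -m state --state ESTABLISHED -j ACCEPT"
    # Routing between interfaces is off by default; this is the runtime
    # equivalent of net.ipv4.ip_forward=1 in sysctl.conf.
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
}

# Read "iptables -nvL -t nat" output on stdin and count DNAT rules whose
# "in" column is the internal interface. In -nvL output the fields are:
# pkts bytes target prot opt in out source destination ...
misplaced_dnat_count() {
    awk -v bad_if="$INT_IF" '$3 == "DNAT" && $6 == bad_if { n++ } END { print n+0 }'
}

# Same input; count DNAT rules that have never matched a packet.
idle_dnat_count() {
    awk '$3 == "DNAT" && $1 == 0 { n++ } END { print n+0 }'
}

# Listing as posted by johanl above (the "eth0" rules are the mistake).
SAMPLE_LISTING='Chain PREROUTING (policy ACCEPT 1143K packets, 51M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:80 to:192.168.117.156
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.117.156

Chain POSTROUTING (policy ACCEPT 9951 packets, 1367K bytes)
 pkts bytes target     prot opt in     out     source               destination
13102 1193K MASQUERADE all  --  *      eth1    0.0.0.0/0            0.0.0.0/0'

# Stand-alone run: audit the posted listing, then print the fix.
echo "DNAT rules bound to $INT_IF: $(printf '%s\n' "$SAMPLE_LISTING" | misplaced_dnat_count)"
echo "DNAT rules with zero hits:  $(printf '%s\n' "$SAMPLE_LISTING" | idle_dnat_count)"
echo "Commands for a working forward (run as root):"
forward_rules
```

On a live firewall, pipe the real table in instead of the sample: `iptables -nvL -t nat | misplaced_dnat_count`. A non-zero result means the rule is on the wrong interface; a rule on the right interface that still shows zero packets points at the FORWARD chain or ip_forward rather than at the nat table.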
johanl Posted July 8, 2004

Well, my firewall is running SuSE 9.0; there is no sysctl.conf on that system. I also did this:

iptables --table nat -I PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.117.156

But it didn't make any difference. The new rules (tcp and udp) are above the older ones where I used eth0.
streeter Posted July 8, 2004

Don't know about Suse, so probably can't help - anybody else?

You could try

echo 1 > /proc/sys/net/ipv4/ip_forward

- does the same thing (may already be set - have a look).

Chris
johanl Posted July 8, 2004

How can I delete those old unnecessary rules, btw?
streeter Posted July 8, 2004

If rebooting's not an option, run the same command with the -D switch instead of -A or -I. You can also do it by number: "iptables -t nat -D PREROUTING 1", for instance.

See man iptables and the netfilter howtos - if you are setting up or altering an internet-facing firewall manually (or at all, for that matter) you really ought to read up on iptables/netfilter.

Chris