- Subject: FAQ: Cannot port forward/DNAT
- From: Mauricio Tavares <raubvogel@xxxxxxxxx>
- Date: Wed, 8 Aug 2012 13:07:59 -0400
This is a trivial question; I have done this many times before,
but I must be missing something here and just can't see what. So, I
have a firewall where eth0 faces the external network
(192.168.42.0/24) and eth1 the internal one (10.0.0.0/24). Now, I want
a machine in the external net to reach, through port 2424, host
10.0.0.20 in the internal network, at the same port since I am lazy. So I
have
iptables -A FORWARD -i eth0 -o eth1 -m comment --comment "internet (eth0) to internal subnet (eth1) " -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 2424 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 2424 -j DNAT --to-destination 10.0.0.20:2424
And I am not detecting any traffic on that port on 10.0.0.20 (I used
netcat to listen on that port). Could the rest of my firewall rules be
interfering with that? Or could it be something else? They are all on
a VM server, so I want to verify first that my iptables rules make sense.
For the sake of completeness, I have included my current firewall rules below:
# Generated by iptables-save v1.4.10 on Wed Aug 8 11:38:31 2012
*mangle
:PREROUTING ACCEPT [1367372:206923329]
:INPUT ACCEPT [660972:49675926]
:FORWARD ACCEPT [706400:157247403]
:OUTPUT ACCEPT [658176:163253429]
:POSTROUTING ACCEPT [1364576:320500832]
COMMIT
# Completed on Wed Aug 8 11:38:31 2012
# Generated by iptables-save v1.4.10 on Wed Aug 8 11:38:31 2012
*nat
:PREROUTING ACCEPT [660101:48069054]
:INPUT ACCEPT [643521:47000112]
:OUTPUT ACCEPT [8489:647170]
:POSTROUTING ACCEPT [8489:647170]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2424 -j DNAT --to-destination 10.0.0.20:2424
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -m comment --comment "NAT for internal network" -j SNAT --to-source 192.168.42.90
-A POSTROUTING -m comment --comment "Loopback support" -m mark --mark 0xd001 -j SNAT --to-source 192.168.42.90
COMMIT
# Completed on Wed Aug 8 11:38:31 2012
# Generated by iptables-save v1.4.10 on Wed Aug 8 11:38:31 2012
*filter
:INPUT DROP [2564:82048]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [8489:647170]
:SERVICES - [0:0]
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow existing connections or their relatives" -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -m comment --comment "Only allow 1 ping per sec" -j ACCEPT
-A INPUT -i lo -m comment --comment "allow all localhost traffic" -j ACCEPT
-A INPUT -s 10.0.0.0/24 -m comment --comment "Allow internal network traffic" -j ACCEPT
-A INPUT -j SERVICES
-A INPUT -i eth0 -p tcp -m tcp --dport 2424 -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -m comment --comment "always allow related/established connections" -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m comment --comment "internet (eth0) to internal subnet (eth1) " -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m comment --comment "internal subnet (eth1) to internet (eth0)" -j ACCEPT
-A FORWARD -i eth1 -o eth1 -m comment --comment "allow stuff looping back to itself on internal subnet" -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A SERVICES -p tcp -m tcp --dport 22 -m comment --comment "SSH Server (sshd)" -j ACCEPT
COMMIT
# Completed on Wed Aug 8 11:38:31 2012
sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
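As an added example that is not part of the post or of netfilter's own code: a small Python checker that reads iptables-save output, follows a DNAT'd new connection along the path netfilter actually gives it (nat PREROUTING, then the routing decision, then filter FORWARD, never INPUT) and reports the FORWARD verdict it would get. The interface-to-subnet mapping IFACE_NETS is a stand-in for the real routing table, the sample ruleset is constructed from the one in the post with the wrapped lines joined, and the client address 192.168.42.5 is made up; negated matches ("!") and user-defined chains are not modelled.

```python
"""Static sanity check of an iptables-save dump for a DNAT port forward.

Added example for this thread (not code from the post or from netfilter).
The iface->subnet map stands in for the routing table; "!" negations and
jumps into user-defined chains are not modelled.
"""
import ipaddress
import shlex

# Option -> field name for the handful of matches this checker understands.
FLAGS = {"-A": "chain", "-i": "in", "-o": "out", "-p": "proto", "-s": "src",
         "-d": "dst", "--dport": "dport", "-j": "target",
         "--to-destination": "to", "--state": "state"}


def parse_rule(line):
    """Turn one '-A CHAIN ...' line into a dict; unknown options are skipped."""
    tokens, rule, i = shlex.split(line), {}, 0
    while i < len(tokens):
        key = FLAGS.get(tokens[i])
        if key:
            rule[key] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return rule


def parse_iptables_save(text):
    """Return {table: {"policy": {chain: policy}, "rules": [rule, ...]}}."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):                # "*nat", "*filter", ...
            table = line[1:]
            tables[table] = {"policy": {}, "rules": []}
        elif line.startswith(":"):              # ":FORWARD DROP [0:0]"
            chain, policy = line[1:].split()[:2]
            tables[table]["policy"][chain] = policy
        elif line.startswith("-A "):
            tables[table]["rules"].append(parse_rule(line))
    return tables


def _ip_in(spec, ip):
    return spec is None or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, pkt):
    """Would this rule match the first (NEW) packet of the flow described by pkt?"""
    return (rule.get("in") in (None, pkt["in"])
            and rule.get("out") in (None, pkt["out"])
            and rule.get("proto") in (None, pkt["proto"])
            and rule.get("dport") in (None, pkt["dport"])
            and _ip_in(rule.get("src"), pkt["src"])
            and _ip_in(rule.get("dst"), pkt["dst"])
            and "NEW" in rule.get("state", "NEW").split(","))


def check_port_forward(text, iface_nets, src_ip):
    """One report per DNAT rule in nat PREROUTING: out-interface, FORWARD verdict, notes."""
    tables = parse_iptables_save(text)
    flt = tables.get("filter", {"policy": {}, "rules": []})
    reports = []
    for r in tables.get("nat", {}).get("rules", []):
        if r.get("chain") != "PREROUTING" or r.get("target") != "DNAT":
            continue
        dst_ip, _, dst_port = r["to"].partition(":")
        dst_port = dst_port or r.get("dport")       # DNAT without a port keeps the original
        # Routing decision after DNAT: which interface owns the rewritten destination?
        out_if = next((i for i, n in iface_nets.items()
                       if ipaddress.ip_address(dst_ip) in ipaddress.ip_network(n)), None)
        pkt = {"in": r.get("in"), "out": out_if, "proto": r.get("proto"),
               "dport": dst_port, "src": src_ip, "dst": dst_ip}
        # First terminating FORWARD rule that matches wins; otherwise the chain policy.
        verdict = flt["policy"].get("FORWARD", "ACCEPT")
        for fr in flt["rules"]:
            if (fr.get("chain") == "FORWARD" and fr.get("target") in ("ACCEPT", "DROP", "REJECT")
                    and rule_matches(fr, pkt)):
                verdict = fr["target"]
                break
        notes = []
        if out_if is None:
            notes.append(f"no listed interface owns {dst_ip}; the packet would follow the default route")
        # A DNAT'd packet is forwarded, not delivered locally, so INPUT rules never see it.
        for ir in flt["rules"]:
            if (ir.get("chain") == "INPUT" and ir.get("in") == r.get("in")
                    and ir.get("dport") == r.get("dport")):
                notes.append(f"INPUT rule for dport {ir['dport']} does not apply to the DNAT'd flow (it traverses FORWARD)")
        reports.append({"dnat": f"{r.get('in')}:{r.get('dport')} -> {dst_ip}:{dst_port}",
                        "out_iface": out_if, "forward_verdict": verdict, "notes": notes})
    return reports


# Constructed sample modelled on the ruleset in the post (wrapped lines joined).
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2424 -j DNAT --to-destination 10.0.0.20:2424
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -m comment --comment "NAT for internal network" -j SNAT --to-source 192.168.42.90
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 2424 -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m comment --comment "internet (eth0) to internal subnet (eth1)" -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
"""
IFACE_NETS = {"eth0": "192.168.42.0/24", "eth1": "10.0.0.0/24"}   # assumed routing, not read from the host

if __name__ == "__main__":
    for rep in check_port_forward(SAMPLE_RULES, IFACE_NETS, "192.168.42.5"):
        print(rep)
```

The checker only reasons about the netfilter rules themselves; a verdict of ACCEPT says the ruleset permits the forward, not that the packet arrives. Whatever sits outside the tables (the virtual switch on the VM host, the route back from 10.0.0.20 to the external client, reverse-path filtering) still has to be checked separately with tcpdump on each interface.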