Marian,
I'm very happy you're online :)
I think I have try the record you mention just now. And I would like to clear what I have done (the scripts I test):
/sbin/iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 8080 --to a.b.c.d:8181
/sbin/iptables -t nat -A POSTROUTING -j SNAT -s 192.168.0.0/255.255.255.0 --to 192.168.1.250
echo 1 > /proc/sys/net/ipv4/ip_foward
Then it's not to work!
At 2011-06-27,"Marian Marinov" <mm@xxxxxxxx> wrote:
>On Monday 27 June 2011 06:50:27 muiz wrote:
>> Dear Marian and all,
>> It seems don't works:
>> /sbin/iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 8080 --to
>> a.b.c.d:8181 /sbin/iptables -t nat -A POSTROUTING -j SNAT -s
>> 192.168.0.0/255.255.255.0 --to a.b.c.d echo 1 >
>> /proc/sys/net/ipv4/ip_foward
>
>Yup, its normal not to work... You got the SNAT rule wrong :)
>
>It should be to the IP of the server that is DOING the forwarding...
>
>so
>
>/sbin/iptables -t nat -A POSTROUTING -j SNAT -s 192.168.0.0/255.255.255.0 --to
>192.168.1.250
>
>Marian
>
>>
>>
>> I check the Fedora iptables setting: /etc/sysconfig/iptables files:
>> ...
>>
>> :POSTROUTING ACCEPT [0:0]
>>
>> -A PREROUTING -i eth+ -p tcp --dport 8080 -j DNAT --to-destination
>> a.b.c.d:8080 ....
>>
>> :OUTPUT ACCEPT [0:0]
>>
>> -A FORWARD -i eth+ -m state --state NEW -m tcp -p tcp -d a.b.c.d --dport
>> 8080 -j ACCEPT
>>
>>
>> And more rules I add is :
>> /sbin/iptables -t nat -A POSTROUTING -d a.b.c.d -p tcp --dport 8080 -j
>> MASQUERADE
>>
>>
>> Then it works! But if I don't use system-config-firewall GUI tools, then
>> how?
>>
>>
>>
>>
>> Thanks very much !
>>
>> At 2011-06-27,"Marian Marinov" <mm@xxxxxxxx> wrote:
>> >On Monday 27 June 2011 00:08:08 muiz wrote:
>> >> Thanks Marian,
>> >> The server only has one IP. I think I should add more iptables records,
>> >> only one NAT record is not enough,isit correct? If yes , then how?
>> >
>> >Huh, I'm sorry yes you need a second rule. So the rules are:
>> >iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 8080 --to
>> >a.b.c.d:8181 iptables -t nat -A POSTROUTING -j SNAT -s local_ip/local_net
>> >--to 192.168.1.250
>> >echo 1 > /proc/sys/net/ipv4/ip_foward
>> >
>> >The Source NAT(SNAT) rule is needed, cause otherwise the packaets that
>> >reach a.b.c.d will be comming from the ip of the local client not
>> >192.168.1.250 and so 192.168.1.250 will never receive the replies from
>> >a.b.c.d.
>> >Since the packets reach the client directly from a.b.c.d, the client will
>> >simply disregard them and will wait for packets comming from .1.250.
>> >
>> >So the SNAT rule changes the SOURCE IP of the packets to 1.250 so a.b.c.d
>> >will return the answares to the right source.
>> >
>> >Marian
>> >
>> >> 2011-06-26 23:38:58,"Marian Marinov" <mm@xxxxxxxx> wrote:
>> >>
>> >> >On Sunday 26 June 2011 12:53:07 muiz wrote:
>> >> >> Dear all,
>> >> >>
>> >> >> I would like to forward a port to an internet server, but failed.
>> >> >> can you
>> >> >>
>> >> >> help me? Server: eth0: 192.168.1.250, Port: 8080 TCP, CentOS 5.6
>> >> >> Remote server: IP: a.b.c.d Port: 8181
>> >> >>
>> >> >>
>> >> >> Forward path: client1(192.168.1.10) -> 192.168.1.250:8080 (forward)
>> >> >> -> a.b.c.d Port: 8181 ----------------------------------------- In
>> >> >> Fedora, I successfully to config the firewall using
>> >> >> system-config-firewall and iptables command: 1. Run
>> >> >> system-config-firewall
>> >> >>
>> >> >> 1.1 open local port 8080
>> >> >> 1.2 add a forward rule: local 8080 to remote a.b.c.d:8181, tcp
>> >> >>
>> >> >> 2. echo 1 > /proc/sys/net/ipv4/ip_foward
>> >> >> 3. add a iptables rule: /sbin/iptables -t nat -A POSTROUTING -d
>> >> >> a.b.c.d -p tcp --dport 8181 -j MASQUERADE That's all.
>> >> >>
>> >> >>
>> >> >>
>> >> >>
>> >> >> Thanks !
>> >> >
>> >> >You have to use Destination NAT for the job:
>> >> >
>> >> >iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 8080 --to
>> >> >a.b.c.d:8181 echo 1 > /proc/sys/net/ipv4/ip_foward
>> >> >
>> >> >If you have more then one IPs on the local machine its a good idea to
>> >> >specify the destination -d 192.168.1.250
>> >> >
>> >> >Marian
>> >>
>> >> _______________________________________________
>> >> CentOS mailing list
>> >> CentOS@xxxxxxxxxx
>> >> http://lists.centos.org/mailman/listinfo/centos
>
>--
>Best regards,
>Marian Marinov
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
