Re: iptables port forwarding




muiz wrote:
Dear all,
Below are my default iptables settings (only ports 22 and 8080 (webcache) are open):
-------------------------------------------------------------------------------------------------------------
[root@localhost ~]# /sbin/iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:webcache
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
-------------------------------------------------------------------------------------------------------------

To Ljubomir:
The remote server a.b.c.d serves port 8181, and the local server forwards its port 8080 to remote port 8181.


At 2011-06-27, "Ljubomir Ljubojevic" <office@xxxxxxxx> wrote:

Marian Marinov wrote:
On Monday 27 June 2011 07:15:33 muiz wrote:
Marian, I'm very happy you're online :) I think I have tried the record you
mention just now. And I would like to clear up what I have done (the scripts
I tested):
/sbin/iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 8080 --to a.b.c.d:8181
/sbin/iptables -t nat -A POSTROUTING -j SNAT -s 192.168.0.0/255.255.255.0 --to 192.168.1.250
echo 1 > /proc/sys/net/ipv4/ip_forward
Then it does not work!

You have to have some other iptables rules that block the traffic, since this has to work.

Marian

At 2011-06-27, "Marian Marinov" <mm@xxxxxxxx> wrote:
On Monday 27 June 2011 06:50:27 muiz wrote:
Dear Marian and all,

  It seems it doesn't work:
/sbin/iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 8080 --to a.b.c.d:8181
/sbin/iptables -t nat -A POSTROUTING -j SNAT -s 192.168.0.0/255.255.255.0 --to a.b.c.d
echo 1 > /proc/sys/net/ipv4/ip_forward
Yup, it's normal for it not to work... You got the SNAT rule wrong :)

It should be to the IP of the server that is DOING the forwarding...

so

/sbin/iptables -t nat -A POSTROUTING -j SNAT -s 192.168.0.0/255.255.255.0 --to 192.168.1.250

Marian

I checked the Fedora iptables settings in the /etc/sysconfig/iptables file:
...

:POSTROUTING ACCEPT [0:0]

-A PREROUTING -i eth+ -p tcp --dport 8080 -j DNAT --to-destination a.b.c.d:8080 ....

:OUTPUT ACCEPT [0:0]

-A FORWARD -i eth+ -m state --state NEW -m tcp -p tcp -d a.b.c.d --dport 8080 -j ACCEPT


And the additional rule I added is:
/sbin/iptables -t nat -A POSTROUTING -d a.b.c.d -p tcp --dport 8080 -j MASQUERADE


Then it works! But if I don't use the system-config-firewall GUI tool,
then how?




Thanks very much !

At 2011-06-27, "Marian Marinov" <mm@xxxxxxxx> wrote:
On Monday 27 June 2011 00:08:08 muiz wrote:
Thanks  Marian,
The server only has one IP. I think I should add more iptables
records; only one NAT record is not enough, is it correct? If yes,
then how?
Huh, I'm sorry, yes you need a second rule. So the rules are:
iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 8080 --to a.b.c.d:8181
iptables -t nat -A POSTROUTING -j SNAT -s local_ip/local_net --to 192.168.1.250
echo 1 > /proc/sys/net/ipv4/ip_forward

The Source NAT (SNAT) rule is needed, because otherwise the packets that
reach a.b.c.d will be coming from the IP of the local client, not
192.168.1.250, and so 192.168.1.250 will never receive the replies from
a.b.c.d.
Since the packets reach the client directly from a.b.c.d, the client
will simply disregard them and will wait for packets coming from
.1.250.

So the SNAT rule changes the SOURCE IP of the packets to 1.250 so
a.b.c.d will return the answers to the right source.

Marian

At 2011-06-26 23:38:58, "Marian Marinov" <mm@xxxxxxxx> wrote:
On Sunday 26 June 2011 12:53:07 muiz wrote:
Dear all,

  I would like to forward a port to an internet server, but
  failed. Can you help me?

Server:  eth0: 192.168.1.250, Port: 8080 TCP, CentOS 5.6
Remote server:   IP: a.b.c.d  Port: 8181


Forward path:  client1(192.168.1.10) -> 192.168.1.250:8080
(forward) -> a.b.c.d  Port: 8181
-----------------------------------------
In Fedora, I successfully configured the firewall using
system-config-firewall and the iptables command:
1. Run system-config-firewall

 1.1 open local port 8080
 1.2 add a forward rule: local 8080 to remote a.b.c.d:8181, tcp

2. echo 1 > /proc/sys/net/ipv4/ip_forward
3. add an iptables rule: /sbin/iptables -t nat -A POSTROUTING -d a.b.c.d -p tcp --dport 8181 -j MASQUERADE
That's all.




Thanks !
You have to use Destination NAT for the job:

iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 8080 --to a.b.c.d:8181
echo 1 > /proc/sys/net/ipv4/ip_forward

If you have more than one IP on the local machine it's a good idea
to specify the destination: -d 192.168.1.250

Marian
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos


Actually, the very BIG difference between the two scripts is that on Fedora he redirects port 8080 to a.b.c.d port 8080, but in the OP he said a.b.c.d uses port 8181!!!

And if correcting the port does not help, then he can try an additional rule:

-A FORWARD -i eth+ -p tcp -d a.b.c.d --dport 8080 -j ACCEPT


Ljubomir


Please do not top post; write your answers below the text, like us.


This is what you posted:
> I check the Fedora iptables setting:  /etc/sysconfig/iptables files:
>
> :POSTROUTING ACCEPT [0:0]
>
> -A PREROUTING -i eth+ -p tcp --dport 8080 -j DNAT --to-destination
> a.b.c.d:8080 ....
>
> :OUTPUT ACCEPT [0:0]
>
> -A FORWARD -i eth+ -m state --state NEW -m tcp -p tcp -d a.b.c.d --dport
> 8080 -j ACCEPT

"--to-destination a.b.c.d:8080" means your Fedora box is redirecting traffic to remote port 8080, not 8181 like you asked on this list.

Ljubomir
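The DNAT, SNAT and FORWARD combination Marian explains above, with the remote port matching the one Ljubomir points out, as an added example that is not code from any poster in this thread. It assumes the addresses from the original question (forwarder 192.168.1.250, client subnet 192.168.1.0/24 for client1, remote a.b.c.d:8181, where a.b.c.d stays a placeholder that must be replaced before using --apply) and a distro FORWARD chain ending in a catch-all REJECT.

```shell
#!/bin/sh
# Added example, not from the thread. Renders the complete rule set for
# forwarding LOCAL_IP:LOCAL_PORT to REMOTE_IP:REMOTE_PORT; pass --apply
# (as root) to execute the rules, otherwise they are only printed.
LOCAL_IP=${LOCAL_IP:-192.168.1.250}    # the forwarding box (eth0)
LOCAL_NET=${LOCAL_NET:-192.168.1.0/24} # assumed subnet of client1 (192.168.1.10)
LOCAL_PORT=${LOCAL_PORT:-8080}
REMOTE_IP=${REMOTE_IP:-a.b.c.d}        # placeholder, as in the thread
REMOTE_PORT=${REMOTE_PORT:-8181}       # the port the remote really serves

render_rules() {
    # 1. DNAT: rewrite the destination of client packets aimed at the forwarder
    echo "iptables -t nat -A PREROUTING -d $LOCAL_IP -p tcp --dport $LOCAL_PORT -j DNAT --to-destination $REMOTE_IP:$REMOTE_PORT"
    # 2. SNAT: make the remote answer to the forwarder, which then un-NATs the
    #    reply to the client; without it the client drops replies from a.b.c.d
    echo "iptables -t nat -A POSTROUTING -s $LOCAL_NET -d $REMOTE_IP -p tcp --dport $REMOTE_PORT -j SNAT --to-source $LOCAL_IP"
    # 3. FORWARD must accept the rewritten flow; insert (-I) ahead of the
    #    distro's catch-all REJECT so these rules are actually reached
    echo "iptables -I FORWARD 1 -s $LOCAL_NET -d $REMOTE_IP -p tcp --dport $REMOTE_PORT -m state --state NEW -j ACCEPT"
    echo "iptables -I FORWARD 1 -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # 4. routing between interfaces is off by default (ip_forward, not ip_foward)
    echo "sysctl -w net.ipv4.ip_forward=1"
}

# Sanity check: the DNAT target must name the port the remote service listens
# on; the 8080/8181 mismatch is exactly the Fedora vs. CentOS discrepancy above.
check_rules() {
    render_rules | grep -- '-j DNAT' | grep -q -- "--to-destination $REMOTE_IP:$REMOTE_PORT"
}

case "${1:-}" in
    --apply) render_rules | sh -e ;;
    *)       render_rules ;;
esac
```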
