Re: iptables port forwarding not working

On Fri, Jun 27, 2003 at 01:06:05PM -0500, Chris Frederick wrote:

> I need some help with an iptables script.  I'm trying to forward port 80 
> on the Firewall/NAT/Router to another machine inside the firewall.  I've 
> googled for some scripts and found the PREROUTING lines that are needed, 
> but it doesn't seem to work.  The port isn't open on the machine.  I've 
> attached a sample script below that sums up what I'm doing.  Any 
> suggestions?
> 
> INET_IP="1.1.1.1"
> INET_IFACE="eth1"
> INET_BROADCAST="1.1.1.255"
> 
> LAN_IP="2.2.2.2"
> LAN_IP_RANGE="2.2.2.0/24"
> LAN_BROADCAST_ADDRESS="2.2.2.255"
> LAN_IFACE="eth0"
> 
> LO_IFACE="lo"
> LO_IP="127.0.0.1"
> 
> DNAT_IP_PORT="2.2.2.3:80"
> 
> #Forward the HTTP traffic from the net to the server at 2.2.2.3
> $IPTABLES -t nat -A PREROUTING -p tcp -i $INET_IFACE -d $INET_IP --dport \
>     80 -j DNAT --to $DNAT_IP_PORT
> $IPTABLES -A FORWARD -p tcp -i $INET_IFACE -d $INET_IP --dport 80 -j ACCEPT

In PREROUTING you change the dst to 2.2.2.3 but in the forward you allow
1.1.1.1. This is at least one problem you have in your script.

You also say that you get the indication of the port not being open on the
machine. How do you assert this statement?

> On a side note, once I get this working, I'm planning on forwarding
> HTTPS to another machine, and also forwarding SSH on a non-standard port
> to another machine (e.g.  port 999 to 22).  Are there any issues with
> doing this?  Like, say the HTTPS or SSH certs looking like they're
> coming from a different ip and causing errors trying to connect?  Or
> will I get key change errors from the server (since I connect to SSH on
> 22 and 999 on the same ip) every time I connect to the other one?   Or
> am I overthinking this, and it all just works?


ssh will not have a problem but https will, because of the issued cert...

Ramin
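The mismatch Ramin points out, written out as an added example (not code from either poster): the FORWARD chain is traversed after nat/PREROUTING, so its rule must match the internal host the packet has already been DNATed to, not the router's public address. Interface names and the 1.1.1.1 / 2.2.2.3 addresses are taken from the original script; the 2.2.2.4 and 2.2.2.5 hosts are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: port forwarding where the filter rule
# matches the post-DNAT destination. DRY_RUN=1 (the default) only prints the
# commands, so the ruleset can be reviewed without root or a live firewall.
IPTABLES="${IPTABLES:-iptables}"
DRY_RUN="${DRY_RUN:-1}"

INET_IFACE="eth1"   # values from the poster's script
INET_IP="1.1.1.1"
LAN_IFACE="eth0"

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# One forwarded service: the DNAT in nat/PREROUTING plus the matching
# filter/FORWARD accept. FORWARD runs after PREROUTING, so the packet it
# sees is already addressed to the internal host and port.
forward_port() {
    ext_port="$1"; int_ip="$2"; int_port="$3"
    run "$IPTABLES" -t nat -A PREROUTING -p tcp -i "$INET_IFACE" \
        -d "$INET_IP" --dport "$ext_port" \
        -j DNAT --to-destination "$int_ip:$int_port"
    run "$IPTABLES" -A FORWARD -p tcp -i "$INET_IFACE" -o "$LAN_IFACE" \
        -d "$int_ip" --dport "$int_port" -j ACCEPT
}

setup_forwarding() {
    # Without this the kernel forwards nothing, whatever the rules say.
    run sysctl -w net.ipv4.ip_forward=1
    # Let replies for forwarded flows back out through FORWARD.
    run "$IPTABLES" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    forward_port 80  2.2.2.3 80    # HTTP to the web server (from the thread)
    forward_port 443 2.2.2.4 443   # HTTPS to a second host (hypothetical)
    forward_port 999 2.2.2.5 22    # SSH, outside port 999 to inside 22 (hypothetical)
}

setup_forwarding
```

To answer Ramin's "how do you assert this" from the router itself, `iptables -t nat -L PREROUTING -n -v` and `iptables -L FORWARD -n -v` show per-rule packet counters, which tell you whether the DNAT rule is matching at all and whether FORWARD is then dropping the rewritten packet.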


[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux