Re: forwarding on the same NIC

alucard@xxxxxxxxx · Mon, 10 May 2004 18:09:23 -0400 (VET)

Hi again...

   I did it, and nothing happens, the 2nd webserver is fully operational
and I cant get to it from my server/router. Here's my nmap test:

PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
143/tcp  open  imap
3306/tcp open  mysql

and there's no 8080 port that could be getting packets

And here's my script again... maybe I'm missing something else...

-------------
echo "Borrando posibles reglas anteriores..."
iptables -F
iptables -X

echo "Habilitando politicas de negacion total de paquetes"

iptables -P FORWARD DROP
iptables -P INPUT DROP

echo "Reglas para paquetes de entrada y salida"

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

##internas
iptables -A INPUT -i eth0 -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -i lo -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 110 -j ACCEPT

#para el forward a la maquina compaq

echo 0 > /proc/sys/net/ipv4/ip_forward
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT
--to-destination 10.73.219.77:80
echo 1 > /proc/sys/net/ipv4/ip_forward
-------------

Any sugestions pals?
Thanx again for your great help
Juan

> On Monday 10 May 2004 8:36 pm, alucard@xxxxxxxxx wrote:
>
>> Hi there...
>>
>>    I have been using netfilter for a while and now, I have to integrate
>> some other servers and somehow I can't get it to forward packets.
>
> Change:
>
>> iptables -A FORWARD -i eth0 -p tcp --dport 8080 -j ACCEPT
>
> Into:
>
> iptables -A FORWARD -i eth0 -p tcp --dport 80 -j ACCEPT
>
> Remember that PREROUTING (where you are changing the port number) happens
> before FORWARD.
>
> Regards,
>
> Antony.
>
> --
> I don't know, maybe if we all waited then cosmic rays would write all our
> software for us. Of course it might take a while.
>
>  - Ron Minnich, Los Alamos National Laboratory
>
>                                                      Please reply to the
> list;
>                                                            please don't CC
> me.
>
>
>