Cedric Blancher wrote:
On Wednesday, 16 February 2005 at 17:58 -0300, Raul I. Becette wrote:
I am having trouble forwarding ports to internal servers.
$IPTABLES -A FORWARD -i $PUB_IF -p tcp --dport 1024 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $PUB_IF -p tcp --dport 1024 -j DNAT --to $SERV_BIBL:110
works ok when I telnet $PUB_IF 1024. I got redirected to the POP server with no problems.
I should not.
How can I accomplish the port forwarding for the services?
What I want to do is assign ports 1024-1030 to redirect services for $SERV_BIBL, ports 1031-1039 to redirect services for $SERV_ING and so on.
If you DNAT your connection to $PUB_IF port 1024 to $SERV_BIBL:110, then your FORWARD chain will see a packet destined to port 110, not 1024. If you just look at the Netfilter architecture, you will see FORWARD chain traversal occurs _after_ PREROUTING traversal. Thus, packets are already DNATed and have their destination modified when hitting FORWARD rules.
That's why, in order to accept your DNATed connection, you should have:
$IPTABLES -A FORWARD -i $PUB_IF -p tcp --dport 110 -j ACCEPT
If it works anyway, it means you must have some kind of overlapping rule that accidentally accepts those packets.
Now, going to your script, there's indeed a rule that accepts destination port 110 whatever their destination is:
$IPTABLES -A FORWARD -i $PUB_IF -p tcp --dport 110 -j ACCEPT
So your stuff works, but that's an accident!
Why is it an accident?
TIA
--
-----------------------------------------------------------------
Raul I. Becette
E-mail: raulbecette@xxxxxxxxxx
REPAC, Red Patagonica de Comunicaciones
Univ. Nac. de la Patagonia San Juan Bosco
Ciudad Universitaria - Km.4. 9000 - Comodoro Rivadavia - Chubut
Tel/Fax : (0297) - 4550073
------------------------------------------------------------------
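As an added example (not code from the thread), the following POSIX sh dry run emits, for each published port, the PREROUTING DNAT rule together with a FORWARD rule written against the post-DNAT destination that Cedric describes, and extends it to the consecutive port blocks per internal host that the question asks about. The interface name and the internal addresses are constructed placeholders, and IPTABLES defaults to "echo iptables" so nothing is applied.

```shell
#!/bin/sh
# Added example, not from the original thread. IPTABLES defaults to a dry run
# that prints the rules; set IPTABLES=iptables to apply them for real.
IPTABLES="${IPTABLES:-echo iptables}"

# publish_port PUB_IF PUB_PORT SERVER SVC_PORT
# nat/PREROUTING rewrites the destination before filter/FORWARD is traversed,
# so the FORWARD rule must match $SERVER:$SVC_PORT, not the public port.
# Matching -d "$server" limits the accept to this one host, unlike a bare
# "--dport 110" accept, which lets port 110 through to any destination.
publish_port() {
    pub_if=$1 pub_port=$2 server=$3 svc_port=$4
    $IPTABLES -t nat -A PREROUTING -i "$pub_if" -p tcp --dport "$pub_port" \
        -j DNAT --to-destination "$server:$svc_port"
    $IPTABLES -A FORWARD -i "$pub_if" -d "$server" -p tcp --dport "$svc_port" \
        -j ACCEPT
}

# publish_range PUB_IF FIRST_PUB_PORT SERVER SVC_PORTS...
# Maps consecutive public ports, starting at FIRST_PUB_PORT, onto the listed
# service ports of one internal host (e.g. 1024->110, 1025->25, ...).
publish_range() {
    rng_if=$1 rng_port=$2 rng_server=$3
    shift 3
    for rng_svc in "$@"; do
        publish_port "$rng_if" "$rng_port" "$rng_server" "$rng_svc"
        rng_port=$((rng_port + 1))
    done
}

# Constructed sample values (placeholders, not taken from the thread):
# one block of public ports per internal server, as in the question.
PUB_IF=eth0
SERV_BIBL=192.168.1.10
SERV_ING=192.168.1.20
publish_range "$PUB_IF" 1024 "$SERV_BIBL" 110 25 80
publish_range "$PUB_IF" 1031 "$SERV_ING" 110 22
```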