Cannot get Netfilter to forward to port 80

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I'm using a Linux system running Netfilter a the primary gateway for
my Internet service.  This includes the use of port forwarding (DNAT)
for accessing some servers.  Right now the servers include FTP (port
21) and HTTP/HTTPS (port 80/443).  It all seems to work nicely with
one notable exception.  I cannot forward anything to port 80.  I've
tried using several different external ports (i.e., 21, 60, 81) but
nothing works.  Verizon is blocking port 80.  Therefore, it does no
good to try it.  If I change my HTTP server to listen on port 60
instead of 80 everything works fine.

I've run network analyzers on both the external (WAN) interface as
well as the LAN segment on which the destination servers are located.
This has confirmed that packets addressed to the respective ports are
being received on the WAN interface but in the case where I attempt
forwarding to port 80 nothing appears on the internal LAN segment.  My
conclusion is that Netfilter is doing something different when 80 is
specified as the target port for DNAT.

Can anyone explain what is going on?

Here is a list showing one configuration of iptables that I tried as
described above (try to forward port 81 to port 80) →

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  10.0.0.0/24          anywhere
drop-and-log-it  all  --  10.0.0.0/24          anywhere
ACCEPT     icmp --  anywhere
pool-71-163-168-209.washdc.fios.verizon.net
ACCEPT     all  --  anywhere
pool-71-163-168-209.washdc.fios.verizon.netstate RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere
pool-71-163-168-209.washdc.fios.verizon.netstate
NEW,RELATED,ESTABLISHED tcp dpt:ssh
drop-and-log-it  all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere           tcp
dpt:ftp state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:81
state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:60
state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere           tcp
dpt:https state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere           state
RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
drop-and-log-it  all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  pool-71-163-168-209.washdc.fios.verizon.net
10.0.0.0/24
ACCEPT     all  --  10.0.0.0/24          10.0.0.0/24
drop-and-log-it  all  --  anywhere             10.0.0.0/24
ACCEPT     all  --  pool-71-163-168-209.washdc.fios.verizon.net
anywhere
drop-and-log-it  all  --  anywhere             anywhere

Chain drop-and-log-it (5 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere
pool-71-163-168-209.washdc.fios.verizon.nettcp dpt:ftp to:10.0.0.12:21
DNAT       tcp  --  anywhere
pool-71-163-168-209.washdc.fios.verizon.nettcp dpt:81 to:10.0.0.12:80
DNAT       tcp  --  anywhere
pool-71-163-168-209.washdc.fios.verizon.nettcp dpt:60 to:10.0.0.12:21
DNAT       tcp  --  anywhere
pool-71-163-168-209.washdc.fios.verizon.nettcp dpt:https
to:10.0.0.12:443

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  anywhere             anywhere           to:71.163.168.209

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux