My previous email was not sent to the list >_< My answer is below.

On Tue, Mar 15, 2011 at 19:29, J. Bakshi <joydeep@xxxxxxxxxxxxxxx> wrote:
> Dear list,
>
> Here is a port forwarding issue. I have a Linux router which has two NICs; one facing the WAN and the other facing the LAN. IP forwarding is active and this box is working as a gateway. This box has LAN IP 192.168.1.1
>
> There is another box (webserver) 192.168.1.2 within the internal network and the router box has port forwarding to access the webserver.
>
> ```````````````````````````
> iptables -A INPUT -p tcp -m tcp --dport 81 -j ACCEPT
> iptables -A PREROUTING -t nat -i ${LAN_IFACE} -p tcp --dport 81 -j DNAT --to 192.168.1.2:8080
> iptables -A FORWARD -p tcp -m state --state NEW --dport 81 -i ${LAN_IFACE} -j ACCEPT
> ````````````````````````````
>
> So within the LAN I can access the 192.168.1.2 web server through 192.168.1.1:81 as the port forwarding is there. But I cannot access the same through the internet. If I point at <domain-name>:81 through the internet, the browser simply reports it can't connect to the service, though the other services running at that very server are quite accessible through the internet. Have I missed something in my firewall rule? Could anyone give any clue please?
>
> Thanks
> --

You need another iptables rule for the WAN_IFACE:

iptables -A PREROUTING -t nat -i ${WAN_IFACE} -p tcp --dport 81 -j DNAT --to 192.168.1.2:8080

You can combine this new rule with the old rule by dropping the -i selector, i.e.:

iptables -A PREROUTING -t nat -p tcp --dport 81 -j DNAT --to 192.168.1.2:8080

Next, also add a proper FORWARD rule, since the FORWARD rule will be processed after NAT takes place:

iptables -A FORWARD -d 192.168.1.2 -p tcp --dport 8080 -j ACCEPT

This rule allows forwarding to the webserver (192.168.1.2) port 8080, no matter the incoming interface, be it WAN_IFACE or LAN_IFACE. No need to match the state here.

Finally, remember that since the packets do not actually end up in the firewall box, you don't need the -A INPUT rule there. It never gets matched.

Rgds,
--
Pandu E Poluan
~ IT Optimizer ~
Visit my Blog: http://pepoluan.posterous.com
Google Talk: pepoluan
Y! messenger: pepoluan
MSN / Live: pepoluan@xxxxxxxxxxx (do not send email here)
Skype: pepoluan
More on me: My LinkedIn Account, My Facebook Account
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
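The complete rule set for the setup in this thread, written out as an added example (it is not code from the original question or reply). It follows the reply's points: the DNAT rule carries no -i restriction, the FORWARD rule matches the post-NAT destination 192.168.1.2:8080, and there is no INPUT rule. It goes one step beyond the reply by adding the ESTABLISHED,RELATED return rule and a hairpin SNAT for LAN clients that reach the server through the router's own address, and it includes a small audit helper that flags the original mistake (a DNAT rule pinned to the LAN interface) in iptables-save output. The interface name eth1, the DRY_RUN switch and the sample iptables-save lines are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. LAN_IFACE, DRY_RUN and the sample
# iptables-save lines are assumptions; addresses and ports follow the thread.
LAN_IFACE="${LAN_IFACE:-eth1}"
LAN_NET="192.168.1.0/24"
ROUTER_LAN_IP="192.168.1.1"
WEB_IP="192.168.1.2"
PUB_PORT=81
WEB_PORT=8080

# DRY_RUN=1 (the default) prints each rule instead of applying it, so the rule
# set can be reviewed on a box without root or iptables. DRY_RUN=0 applies it.
ipt() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

port_forward_rules() {
    # 1. DNAT in nat/PREROUTING with no -i restriction: the rule fires for
    #    packets arriving on the WAN and on the LAN interface alike.
    ipt -t nat -A PREROUTING -p tcp --dport "$PUB_PORT" \
        -j DNAT --to-destination "$WEB_IP:$WEB_PORT"
    # 2. FORWARD is evaluated after DNAT, so match the rewritten destination
    #    (192.168.1.2:8080), not the public port 81.
    ipt -A FORWARD -d "$WEB_IP" -p tcp --dport "$WEB_PORT" \
        -m conntrack --ctstate NEW -j ACCEPT
    # 3. Replies and related traffic for every forwarded connection.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 4. Hairpin case: a LAN client reaching the server via 192.168.1.1:81 is
    #    DNATed to 192.168.1.2, which sits on the same subnet and would answer
    #    the client directly; that reply never passes the router and is not
    #    de-NATed. SNAT such forwarded packets to the router's LAN address so
    #    the server answers the router, which then rewrites the reply.
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -d "$WEB_IP" -p tcp --dport "$WEB_PORT" \
        -j SNAT --to-source "$ROUTER_LAN_IP"
    # No INPUT rule: forwarded packets never traverse the INPUT chain.
}

# Audit helper for the mistake in the thread: read iptables-save style nat
# rules on stdin and print any DNAT rule pinned to the LAN interface; such a
# rule can never match a connection arriving from the WAN.
find_lan_only_dnat() {
    grep -- '-j DNAT' | grep -- "-i $LAN_IFACE" || true
}

# Constructed sample of `iptables-save -t nat` output (not captured from the
# thread): the first line reproduces the original, LAN-only rule.
SAMPLE_NAT_RULES='-A PREROUTING -i eth1 -p tcp -m tcp --dport 81 -j DNAT --to-destination 192.168.1.2:8080
-A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.2:443'

# Usage: print the corrected rule set, then flag LAN-only DNAT rules in the sample.
port_forward_rules
echo "LAN-only DNAT rules in sample:"
printf '%s\n' "$SAMPLE_NAT_RULES" | find_lan_only_dnat
```

Run it as-is to review the generated rules, then with `DRY_RUN=0` as root to apply them; on a live router, `iptables-save -t nat | find_lan_only_dnat` (after sourcing the file) reports any forwarding rule that is still restricted to the LAN side.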