Re: how to access port forwarded server through internet ?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

My previous email was not sent to the list >_<

My answer is below.


On Tue, Mar 15, 2011 at 19:29, J. Bakshi <joydeep@xxxxxxxxxxxxxxx> wrote:
> Dear list,
>
> Here is a port forwarding issue. ÂI have a linux router which have two NIC; one facing WAN and the other facing LAN. IP forwarding is active and this box is working as a gateway. This box has LAN IP 192.168.1.1
>
> There is another box (webserver) 192.168.1.2 within the internal network and the router box has port forwarding to access the webserver.
>
> ```````````````````````````
> iptables -A INPUT -p tcp -m tcp --dport 81 -j ACCEPT
> iptables -A PREROUTING -t nat -i ${LAN_IFACE} -p tcp --dport 81 -j DNAT --to 192.168.1.2:8080
> iptables -A FORWARD -p tcp -m state --state NEW --dport 81 -i ${LAN_IFACE} -j ACCEPT
> ````````````````````````````
>
> So within LAN I can access the 192.168.1.2 web server through Â192.168.1.1:81 as port forwarding is there. But I can not access the same through internet. If I point at <domain-name>:81 throught internet ; the browser simply reports it can't connect to the service; though the other services running at that very server are quite accessible through internet. Have I missed something in my firewall rule ? Could anyone give any clue please ?
>
> Thanks
> --

You need another iptables rules for the WAN_IFACE

iptables -A PREROUTING -t nat -i ${WAN_IFACE} -p tcp --dport 81 -j
DNAT --to 192.168.1.2:8080

You can combine this new rule with the old rule by dropping the -i
selector. I.e. :

iptables -A PREROUTING -t nat -p tcp --dport 81 -j DNAT --to 192.168.1.2:8080

Next, also add a proper FORWARD rule, since the FORWARD rule will be
processed after NAT takes place:

iptables -A FORWARD -d 192.168.1.2 -p tcp --dport 8080 -j ACCEPT

This rule allows forwarding to the webserver (192.168.1.2) port 8080,
no matter the incoming interface, be it WAN_IFACE or LAN_IFACE. No
need to match the state here.

Finally, remember that since the packets do not actually end up in the
firewall box, you don't need the -A INPUT rule there. It never gets
matched.

Rgds,
--
Pandu E Poluan
~ IT Optimizer ~
Visit my Blog: http://pepoluan.posterous.com
Google Talk:    pepoluan
Y! messenger: pepoluan
MSN / Live:      pepoluan@xxxxxxxxxxx (do not send email here)
Skype:            pepoluan
More on me:  My LinkedIn Account  My Facebook Account
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux