This is a trivial question; I have done this many times before, but I must be missing something here and just can't see what.

So, I have a firewall where eth0 faces the external network (192.168.42.0/24) and eth1 the internal one (10.0.0.0/24). Now, I want to have a machine in the external net access, through port 2424, host 10.0.0.20 in the internal network, at the same port since I am lazy. So I have

iptables -A FORWARD -i eth0 -o eth1 -m comment --comment "internet (eth0) to internal subnet (eth1) " -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 2424 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 2424 -j DNAT --to-destination 10.0.0.20:2424

And I am not detecting any traffic on that port on 10.0.0.20 (I used netcat to listen on that port). Could the rest of my firewall rules be interfering with that? Or could it be something else? They are all on a VM server, so I want to verify first that my iptables rules make sense.

For the sake of completeness, I have included my current firewall rules below:

# Generated by iptables-save v1.4.10 on Wed Aug 8 11:38:31 2012
*mangle
:PREROUTING ACCEPT [1367372:206923329]
:INPUT ACCEPT [660972:49675926]
:FORWARD ACCEPT [706400:157247403]
:OUTPUT ACCEPT [658176:163253429]
:POSTROUTING ACCEPT [1364576:320500832]
COMMIT
# Completed on Wed Aug 8 11:38:31 2012
# Generated by iptables-save v1.4.10 on Wed Aug 8 11:38:31 2012
*nat
:PREROUTING ACCEPT [660101:48069054]
:INPUT ACCEPT [643521:47000112]
:OUTPUT ACCEPT [8489:647170]
:POSTROUTING ACCEPT [8489:647170]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2424 -j DNAT --to-destination 10.0.0.20:2424
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -m comment --comment "NAT for internal network" -j SNAT --to-source 192.168.42.90
-A POSTROUTING -m comment --comment "Loopback support" -m mark --mark 0xd001 -j SNAT --to-source 192.168.42.90
COMMIT
# Completed on Wed Aug 8 11:38:31 2012
# Generated by iptables-save v1.4.10 on Wed Aug 8 11:38:31 2012
*filter
:INPUT DROP [2564:82048]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [8489:647170]
:SERVICES - [0:0]
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow existing connections or their relatives" -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -m comment --comment "Only allow 1 ping per sec" -j ACCEPT
-A INPUT -i lo -m comment --comment "allow all localhost traffic" -j ACCEPT
-A INPUT -s 10.0.0.0/24 -m comment --comment "Allow internal network traffic" -j ACCEPT
-A INPUT -j SERVICES
-A INPUT -i eth0 -p tcp -m tcp --dport 2424 -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -m comment --comment "always allow related/established connections" -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m comment --comment "internet (eth0) to internal subnet (eth1) " -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m comment --comment "internal subnet (eth1) to internet (eth0)" -j ACCEPT
-A FORWARD -i eth1 -o eth1 -m comment --comment "allow stuff looping back to itself on internal subnet" -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A SERVICES -p tcp -m tcp --dport 22 -m comment --comment "SSH Server (sshd)" -j ACCEPT
COMMIT
# Completed on Wed Aug 8 11:38:31 2012

sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
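The question above is really "which chain does a DNATed packet take, and does this ruleset accept it there?". The following is an added example, not part of the original post and not netfilter code: a small walker that parses the posted iptables-save dump (nat and filter tables, comment matches stripped) and traces one NEW packet through nat PREROUTING, the routing decision, and then filter INPUT or FORWARD. It models only the matches the dump uses (-i/-o/-p/-s/-d, --dport, --state, --mark, --icmp-type). The firewall's eth1 address (10.0.0.1) and the two routes are assumptions; 192.168.42.90 is taken from the SNAT rule. The trace shows that the SYN to 192.168.42.90:2424 is rewritten in PREROUTING, routed out eth1, and accepted by the second FORWARD rule; the INPUT rule for port 2424 is never consulted for that packet and only matters if the DNAT rule is absent, in which case the connection terminates on the firewall itself.

```python
"""Trace one packet through the posted iptables-save dump (added example).

Models nat PREROUTING -> routing -> filter INPUT/FORWARD for a NEW packet.
Not netfilter code: only the match options used in the dump are implemented.
"""
import ipaddress
import shlex

# nat and filter tables copied from the post, with -m comment clauses removed.
DUMP = r'''
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2424 -j DNAT --to-destination 10.0.0.20:2424
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j SNAT --to-source 192.168.42.90
-A POSTROUTING -m mark --mark 0xd001 -j SNAT --to-source 192.168.42.90
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SERVICES - [0:0]
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.0.0.0/24 -j ACCEPT
-A INPUT -j SERVICES
-A INPUT -i eth0 -p tcp -m tcp --dport 2424 -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth1 -o eth1 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A SERVICES -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
'''

# Assumed host configuration: 192.168.42.90 comes from the SNAT rule,
# 10.0.0.1 on eth1 and the two connected routes are assumptions.
LOCAL_ADDRS = {"192.168.42.90", "10.0.0.1"}
ROUTES = {"192.168.42.0/24": "eth0", "10.0.0.0/24": "eth1"}

# Options that take exactly one argument in the dump above.
VALUE_FLAGS = {"-i", "-o", "-p", "-s", "-d", "-m", "--dport", "--sport", "--state",
               "--to-destination", "--to-source", "--icmp-type", "--limit", "--mark"}


def parse_rule(tokens):
    """Turn the tokens after '-A CHAIN' into a dict of option -> value plus 'target'."""
    rule, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-j":
            rule["target"] = tokens[i + 1]
            i += 2
        elif tok in VALUE_FLAGS:
            if tok != "-m":          # module names carry no match semantics here
                rule[tok] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return rule


def parse_dump(dump):
    """Parse iptables-save text into {table: {'policy': {...}, 'chains': {...}}}."""
    tables, table = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {"policy": {}, "chains": {}})
        elif line.startswith(":"):
            name, policy = line[1:].split()[:2]
            table["policy"][name] = policy
            table["chains"].setdefault(name, [])
        elif line.startswith("-A"):
            toks = shlex.split(line)
            table["chains"][toks[1]].append(parse_rule(toks[2:]))
    return tables


def matches(rule, pkt):
    """Evaluate the subset of matches used in the dump against a packet dict."""
    if rule.get("-i", pkt["iif"]) != pkt["iif"] or rule.get("-o", pkt["oif"]) != pkt["oif"]:
        return False
    if rule.get("-p", pkt["proto"]) != pkt["proto"]:
        return False
    for flag, key in (("-s", "src"), ("-d", "dst")):
        if flag in rule and ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(rule[flag], strict=False):
            return False
    if "--dport" in rule and int(rule["--dport"]) != pkt.get("dport"):
        return False
    if "--state" in rule and pkt["state"] not in rule["--state"].split(","):
        return False
    if "--mark" in rule and int(rule["--mark"], 16) != pkt.get("mark", 0):
        return False
    if "--icmp-type" in rule and int(rule["--icmp-type"]) != pkt.get("icmp_type"):
        return False
    return True


def walk(table, chain, pkt, trace):
    """Return the terminating rule, or None when the chain falls through to its policy."""
    for idx, rule in enumerate(table["chains"][chain]):
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        if target in table["chains"]:            # jump into a user-defined chain
            hit = walk(table, target, pkt, trace)
            if hit is not None:
                return hit
            continue                             # user chain returned; keep scanning
        trace.append(f"{chain}[{idx}] -> {target}")
        return rule
    if table["policy"].get(chain, "-") != "-":
        trace.append(f"{chain} policy -> {table['policy'][chain]}")
    return None


def route(dst):
    """Pick the output interface from the assumed connected routes."""
    for net, dev in ROUTES.items():
        if ipaddress.ip_address(dst) in ipaddress.ip_network(net):
            return dev
    return None


def simulate(tables, pkt):
    """nat PREROUTING, then routing, then filter INPUT or FORWARD, for a NEW packet."""
    pkt, trace = dict(pkt, oif=None), []
    hit = walk(tables["nat"], "PREROUTING", pkt, trace)
    if hit is not None and hit["target"] == "DNAT":
        ip, _, port = hit["--to-destination"].partition(":")
        pkt["dst"] = ip
        if port:
            pkt["dport"] = int(port)
    if pkt["dst"] in LOCAL_ADDRS:
        chain = "INPUT"                          # locally delivered: FORWARD never runs
    else:
        chain, pkt["oif"] = "FORWARD", route(pkt["dst"])
    hit = walk(tables["filter"], chain, pkt, trace)
    verdict = hit["target"] if hit else tables["filter"]["policy"][chain]
    return {"chain": chain, "verdict": verdict, "dst": pkt["dst"],
            "dport": pkt["dport"], "oif": pkt["oif"], "trace": trace}


# Constructed sample packet: the external client's SYN to the firewall's eth0 address.
SYN_2424 = {"iif": "eth0", "proto": "tcp", "src": "192.168.42.10",
            "dst": "192.168.42.90", "dport": 2424, "state": "NEW"}

if __name__ == "__main__":
    tables = parse_dump(DUMP)
    for pkt in (SYN_2424, dict(SYN_2424, dport=2425)):
        print(pkt["dport"], simulate(tables, pkt))
```

On the real box the equivalent check is the packet counter on the DNAT rule (`iptables -t nat -L PREROUTING -v -n`) and on the `-i eth0 -o eth1` FORWARD rule while the client connects: if both increment, this ruleset is passing the SYN and the problem is downstream (10.0.0.20's own firewall, its route back through the firewall for 192.168.42.0/24, or the VM network), which the walker above does not model.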