Re: Port Forwarding

I just did this a couple of days ago, so this is from my shell history. This is on the gateway host, running RHEL 5, that sits on a private and a public network. The default gateway on all the private network hosts points to this host.

echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
service iptables save

On Dec 19, 2007, at 3:42 PM, Steven Buehler wrote:
-----Original Message-----
From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-
bounces@xxxxxxxxxx] On Behalf Of Steven Buehler
Sent: Wednesday, December 19, 2007 1:13 PM
To: 'General Red Hat Linux discussion list'
Subject: RE: Port Forwarding

On Dec 19, 2007, at 9:43 AM, Steven Buehler wrote:

-----Original Message-----
From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-
bounces@xxxxxxxxxx] On Behalf Of Troy Amburg
Sent: Wednesday, December 19, 2007 11:34 AM
To: General Red Hat Linux discussion list
Subject: Re: Port Forwarding

Do you have a traceroute from Machine1 to Machine2? Also, is the
default route set correctly on Machine1?

On Dec 19, 2007, at 9:07 AM, Steven Buehler wrote:

I am trying to do port forwarding and I just can't seem to get it to work. I hope that someone can help.

Machine 1 is running RHEL AS 4.4 with the 2.6.9-42.0.2.ELsmp kernel. iptables has been running as my firewall since I set it up.

I am trying to get anything that comes in to port 3389 on "Machine 1" to go to "Machine2" at a different location. Let's say for this that the IP of "Machine1" is 70.70.70.70 and the remote machine ("Machine 2") that I want to forward to is 209.209.209.209. I am assuming that I don't have to do anything on "Machine2" except make sure the firewall for that port is opened to "Machine 1".

I have done the following on "Machine 1":
echo 1 > /proc/sys/net/ipv4/ip_forward

Here is my /etc/sysconfig/iptables file from "Machine 1". This is not the one that I would normally use because it is too open, but I am using it for testing.
####################
# Generated by iptables-save v1.2.11 on Wed Dec 19 10:50:11 2007
*nat
:PREROUTING ACCEPT [3:536]
:POSTROUTING ACCEPT [9:635]
:OUTPUT ACCEPT [8:583]
-A PREROUTING -p tcp -m tcp --dport 3389 -j DNAT --to-destination 209.209.209.209:80
COMMIT
# Completed on Wed Dec 19 10:50:11 2007
# Generated by iptables-save v1.2.11 on Wed Dec 19 10:50:11 2007
*mangle
:PREROUTING ACCEPT [318:24902]
:INPUT ACCEPT [312:24214]
:FORWARD ACCEPT [3:152]
:OUTPUT ACCEPT [276:32613]
:POSTROUTING ACCEPT [279:32765]
COMMIT
# Completed on Wed Dec 19 10:50:11 2007
# Generated by iptables-save v1.2.11 on Wed Dec 19 10:50:11 2007
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [276:32613]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -i eth0 -p tcp -m tcp --dport 3389 -j ACCEPT
-A FORWARD -j RH-Firewall-1-INPUT
-A OUTPUT -o eth0 -j LOG --log-prefix "BANDWIDTH_OUT:" --log-level 7
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Dec 19 10:50:11 2007
####################

Thanks
Steve


A traceroute shows no problems. Goes to the remote machine just fine. I can also access the port on the remote machine with no problems.

[root@mymachine]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
70.70.70.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
0.0.0.0         70.70.70.175    0.0.0.0         UG    0      0        0 eth0


-----Original Message-----
From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-
bounces@xxxxxxxxxx] On Behalf Of Troy Amburg
Sent: Wednesday, December 19, 2007 11:49 AM
To: General Red Hat Linux discussion list
Subject: Re: Port Forwarding

So you can traceroute from Machine1 to Machine2 without any problem,
and you can telnet to the port in question, from Machine1 to
Machine2? If that's the case, I guess I don't understand what's not
working.


Correct. I have tried setting up port forwarding on several servers this way and have never been able to get it to work. Some of the machines are RHEL 4.x and some are 5.x. SELinux is not running on any of the machines and I can go from Machine1 to the port I want on Machine2 with no problem. I only have a problem when it comes to forwarding the ports.

All installations and upgrades are done using up2date/yum so they are stock rpms. I have searched the internet before resorting to this list and always come up with the same answers, run:
echo 1 > /proc/sys/net/ipv4/ip_forward (which was set to 0 originally)
iptables -A PREROUTING -t nat -p tcp -m tcp --dport 3389 -j DNAT --to-destination 209.209.209.209:80
iptables -A FORWARD -i eth0 -p tcp -m tcp --dport 3389 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -s myip here -j ACCEPT

Steve

There has to be something simple that I am missing here. I have 16 servers and I tried setting up port forwarding on all of them with no luck, simply running the above 3 lines on each one. On the remote machines, I would even stop the firewalls altogether so that I was sure that it wasn't blocking anything. 3 of the servers are in Kansas, 8 of the servers are in a data center in Missouri and 5 of the servers are in a data center in Virginia. I have 2 Ethernet ports on each system, but don't use eth1 on all but 3 of them. So I never set up these rules to use a second Ethernet port. Do I need to use 2 ports? The systems range from Red Hat Linux 7.3 to RH

Steve

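Added example, not code from anyone in the thread: a small shell script that generates the iptables rules for both setups discussed above so they can be reviewed before being applied. For the single-NIC forward to a remote host (the 70.70.70.70:3389 to 209.209.209.209:80 case), it adds the POSTROUTING SNAT that makes the remote host's replies come back through the forwarding box (without it the remote host answers the client directly from an address the client never connected to, and the client resets the handshake), and it matches the FORWARD rule on the translated destination, because FORWARD runs after PREROUTING's DNAT. The two-NIC masquerading gateway from the first reply is included as the second case. Addresses, ports and interface names are the thread's placeholders and are assumptions; the script name portfwd.sh is also an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): iptables rules for the two setups
# discussed above, generated by functions so they can be reviewed first.
# 70.70.70.70, 209.209.209.209, eth0 and eth1 are the thread's placeholders
# and are assumptions; change them for a real host.
#
#   sh portfwd.sh          # print the rules (dry run, default)
#   sh portfwd.sh apply    # enable forwarding, load the rules, save them
#   sh portfwd.sh state    # show rule counters and the conntrack entries

# Case 1: one NIC.  Forward TCP port $2 arriving at public address $1 on
# interface $5 to host $3 port $4.
# - $3 is another routable host, so the DNATed packets must also be SNATed
#   to $1 in POSTROUTING; otherwise $3 replies straight to the client, which
#   sees a SYN/ACK from an address it never sent a SYN to and resets.
# - FORWARD sees the packet after the DNAT, so the accept rule matches the
#   translated destination ($3:$4), not the public port $2.
# - RHEL's stock FORWARD chain ends in a REJECT via RH-Firewall-1-INPUT, so
#   the filter rules are inserted (-I) rather than appended (-A).
portfwd_rules() {
    pub="$1"; pubport="$2"; dst="$3"; dstport="$4"; ifc="$5"
    cat <<EOF
iptables -t nat -A PREROUTING -i $ifc -p tcp --dport $pubport -j DNAT --to-destination $dst:$dstport
iptables -t nat -A POSTROUTING -o $ifc -p tcp -d $dst --dport $dstport -j SNAT --to-source $pub
iptables -I FORWARD -i $ifc -o $ifc -p tcp -d $dst --dport $dstport -m state --state NEW -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Case 2: two NICs, the gateway from the first reply.  Private hosts behind
# $2 route through this box and leave via $1 with their source address
# rewritten; only replies to their connections are forwarded back in.
gateway_rules() {
    pubif="$1"; privif="$2"
    cat <<EOF
iptables -t nat -A POSTROUTING -o $pubif -j MASQUERADE
iptables -I FORWARD -i $pubif -o $privif -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -i $privif -o $pubif -j ACCEPT
EOF
}

# Run a rule generator for real.  /proc takes effect immediately; to survive
# a reboot also set net.ipv4.ip_forward = 1 in /etc/sysctl.conf.
apply_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    "$@" | sh -e
    service iptables save     # rewrites /etc/sysconfig/iptables on RHEL
}

# After applying: the packet counters on the DNAT and SNAT rules should
# advance on every test connection, and the conntrack table (RHEL 4/5 keep
# it in /proc/net/ip_conntrack) should list the flow with both translations.
show_state() {
    iptables -t nat -L -n -v
    grep "dport=$1" /proc/net/ip_conntrack 2>/dev/null
}

case "${1:-}" in
    apply) apply_rules portfwd_rules 70.70.70.70 3389 209.209.209.209 80 eth0 ;;
    state) show_state 3389 ;;
    *)     portfwd_rules 70.70.70.70 3389 209.209.209.209 80 eth0
           gateway_rules eth0 eth1 ;;
esac
```

The dry run prints seven iptables commands; read them, then rerun with apply. If the forward still fails after that, the conntrack listing is the first place to look: an entry for the client's connection that shows the DNAT but whose reply direction has the client's address rather than 70.70.70.70 means the SNAT rule is not matching.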
--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list

