- 12-16-2007 #1
IPTables port forward problem!
Hello! I'm having a weird problem with simply forwarding port 80 to another machine. I have two machines, web (85.1.1.1) & web2 (85.1.1.2); web2 is forwarding to web. The weird part is how it works only under certain circumstances; in the past I've never had problems. Here is an example of what happens, in order:
web2: Begin to port forward
web2 shell> modprobe iptable_nat
web2 shell> echo 1 > /proc/sys/net/ipv4/ip_forward
web2 shell> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
web2 shell> iptables -t nat -A PREROUTING -i eth0 -d 85.1.1.2 -p tcp --dport 80 -j DNAT --to 85.1.1.1
my home box: Try to connect thru web2 forwarding but fails.
homebox shell> telnet web2 80
Trying 85.1.1.2...
telnet: connect to address 85.1.1.2: Connection refused
telnet: Unable to connect to remote host: Connection refused
web2: Open a socket from the forwarding machine to the destination
web2 shell> telnet web 80
Trying 85.1.1.1...
Connected to 85.1.1.1 (85.1.1.1).
Escape character is '^]'.
my home box: Port forwarding successfully works now !?
homebox shell> telnet 85.1.1.2 80
Trying 85.1.1.2...
Connected to 85.1.1.2 (85.1.1.2).
Escape character is '^]'.
wait 30 minutes....
my home box: Try to connect thru web2 forwarding but fails now
homebox shell> telnet web2 80
Trying 85.1.1.2...
telnet: connect to address 85.1.1.2: Connection refused
telnet: Unable to connect to remote host: Connection refused
Now if I open a telnet connection between web2 -> web:80 again it will work again, but just as before only for a short duration.
Can anybody please explain to me why it works after I open a telnet connection to the machine it's forwarding to? I'm pulling my hair out because it just doesn't make any sense to me. It has nothing to do with the web server as I've tested on multiple open ports with the same result. Thanks in advance for any help!
- 12-17-2007 #2
I suggest you analyze the traffic with tcpdump and see where it breaks.
One thing must be present in order for your setup to work.
Is 85.1.1.2 using 85.1.1.1 as gateway?
If not then the returned packets will not reach you.
I suggest you use the following setup just to be sure it will work:
web2 shell> iptables -t nat -A POSTROUTING -d 85.1.1.1 -j MASQUERADE
web2 shell> iptables -t nat -A PREROUTING -i eth0 -d 85.1.1.2 -p tcp --dport 80 -j DNAT --to 85.1.1.1
Thus you'll be sure that the packets between your host and 85.1.1.1 will be NATed behind 85.1.1.2, which definitely has a connection to 85.1.1.1.
Cheers,
Ventsi
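Added example, not part of the thread or any poster's code: a small Python model of the return path that reply #2 describes, comparing the forwarded connection with and without source NAT towards 85.1.1.1. The client address 203.0.113.7, the source port and all class and function names are assumptions, and the model assumes web does not route its replies through web2.

```python
from dataclasses import dataclass

WEB, WEB2 = "85.1.1.1", "85.1.1.2"   # addresses from the thread
HOME = "203.0.113.7"                  # constructed client address (assumption)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

class Forwarder:
    """Models web2: PREROUTING DNAT to web, optional POSTROUTING source NAT."""
    def __init__(self, masquerade_to_web: bool):
        self.masquerade_to_web = masquerade_to_web
        self.conntrack = {}  # expected reply tuple -> original client packet

    def forward(self, pkt: Packet) -> Packet:
        # PREROUTING: -d 85.1.1.2 -p tcp --dport 80 -j DNAT --to 85.1.1.1
        if pkt.dst != WEB2 or pkt.dport != 80:
            return pkt
        # POSTROUTING: -d 85.1.1.1 -j MASQUERADE rewrites the source to web2
        src = WEB2 if self.masquerade_to_web else pkt.src
        out = Packet(src, WEB, pkt.sport, 80)
        self.conntrack[(out.dst, out.dport, out.src, out.sport)] = pkt
        return out

    def reverse(self, reply: Packet) -> Packet:
        # A reply that comes back through web2 is un-NATed from conntrack state
        orig = self.conntrack[(reply.src, reply.sport, reply.dst, reply.dport)]
        return Packet(orig.dst, orig.src, orig.dport, orig.sport)

def client_accepts(masquerade_to_web: bool) -> bool:
    """True if the client's SYN to web2:80 gets a reply it can match."""
    web2 = Forwarder(masquerade_to_web)
    syn = Packet(HOME, WEB2, 40000, 80)
    at_web = web2.forward(syn)
    # web answers whatever source address it saw on the incoming packet
    reply = Packet(WEB, at_web.src, 80, at_web.sport)
    if reply.dst == WEB2:  # return path passes through the forwarder
        reply = web2.reverse(reply)
    # The client only matches a reply coming from the address it connected to
    return (reply.src, reply.sport, reply.dst, reply.dport) == (
        syn.dst, syn.dport, syn.src, syn.sport)

if __name__ == "__main__":
    for snat in (False, True):
        print(f"source NAT towards web={snat}: client accepts={client_accepts(snat)}")
```
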
- 04-09-2008 #3
vigour, you rock! I've spent hours and hours trying to figure out why my port forwarding wasn't working; I've read just about every how-to, FAQ, tutorial, man page, etc. with no success at all. You had the answer! I just joined this forum to tell you how thankful I am. I really appreciate it!
-Orrbit
- 04-09-2008 #4


