04-17-2007, #1
Just Joined! | Join Date: Oct 2004 | Posts: 22
NAT not working but the setting is correct! Thx
Dear all,
I have a firewall machine running Slackware 10.1. It has a fixed IP address (e.g. 1.2.3.4) and is connected to a local LAN, so the config is
eth0, 192.168.1.1
eth1, 1.2.3.4
Now I open a new port 8765 on eth1 and forward it into the local LAN at 192.16.1.2.
I did the following:
Code:
iptables -A INPUT -i eth1 -p tcp --dport 8765 -j ACCEPT   # accept data from port 8765
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 1.2.3.4 --dport 8765 -j DNAT --to 192.168.1.2:80   # forward msg from 1.2.3.4:8765 to 192.168.1.2:80
Afterwards, I check with "iptables -L -t nat":
Code:
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             1.2.3.4             dpt:6908 to:192.168.1.2:80
It seems OK, but when I open the URL in Firefox it fails; IE also fails:
Code:
Unable to connect
Firefox can't establish a connection to the server at 1.2.3.4:8765.
Now, the firewall setting is correct and seems to work fine, but why can't I connect to the local machine 192.168.1.2, when connecting to http://192.168.1.2:80 works fine? How can I check that the forwarding from 1.2.3.4 to 192.168.1.2 is correct??
Thanks.
Regards,
04-19-2007, #2
Just Joined! | Join Date: Oct 2004 | Posts: 22
Dear all,
I did a lab about this issue...
I built two Linux systems:
server
OS: Fedora Core 5
ETH0: 192.168.80.195
ETH1: 192.168.1.1
client
OS: RHEL3
ETH0: 192.168.1.2
SERVICE: httpd
First, I used a cross cable to connect the client (eth0) and the server (eth1); they can ping each other, so they are connected!
Now I write a simple script to run on the server, to accept port number 8765 on 192.168.80.195, then use NAT to forward the traffic from 192.168.80.195:8765 to the local LAN machine 192.168.1.2:80.
The httpd runs on 192.168.1.2; http://192.168.1.2 works in a browser.
Now, using a machine on segment 192.168.80.x to type the URL http://192.168.80.195:8765, it shows the error below. That computer and this testing server are on the same segment and can ping each other.
Code:
The connection has timed out
The server at 192.168.80.195 is taking too long to respond.
And I check the server's iptables setting; it seems correct:
Code:
[root@localhost ~]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             192.168.80.195      tcp dpt:ultraseek-http to:192.168.1.2:80

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
The problem is the same as I asked before; how can I fix this problem?? Thanks.
Here is the script that I used to test:
Code:
#!/bin/sh
# insert modules
echo "1" > /proc/sys/net/ipv4/ip_forward
modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# clear rule
service iptables restart
iptables -X
iptables -F
iptables -X -t nat
iptables -F -t nat
# reset rule
iptables -A INPUT -i 192.168.80.195 -p tcp --dport 8765 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.80.195 --dport 8765 -j DNAT --to 192.168.1.2:80
Regards,
Bluesheet
04-22-2007, #3
Your target IP is 192.168.1.2, which is a remote system, not the local system. An INPUT rule applies to the local system. Use a FORWARD rule and it should work.
"Really, I'm not out to destroy Microsoft. That will just be a completely unintentional side effect." Linus Benedict Torvalds
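Added example, not code from this thread or any of its posters: a dry-run script that emits the corrected ruleset for the setup in post #1 (eth1 = 1.2.3.4, LAN host 192.168.1.2:80), following the advice in post #3 to permit the DNAT'd connection in the FORWARD chain rather than INPUT. It also refuses an IP address as the -i argument, the slip in the script in post #2 (-i 192.168.80.195): iptables accepts that as a 14-character interface name, so the rule loads without error and matches nothing. The function names dnat_rules, is_ifname and forwarding_enabled are my own; with IPT unset the script only prints the commands, and setting IPT=/sbin/iptables applies them.

```shell
#!/bin/sh
# Added example (not the poster's script). Dry-run by default: IPT expands to
# "echo iptables" so every rule is printed instead of loaded. Set
# IPT=/sbin/iptables to apply the rules for real.
IPT="${IPT:-echo iptables}"

# -i takes an interface name. Reject anything that looks like a dotted-quad
# address, the mistake in post #2's "-i 192.168.80.195".
is_ifname() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    if printf '%s' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'; then
        return 1
    fi
    return 0
}

# dnat_rules WAN_IF WAN_IP WAN_PORT LAN_IP LAN_PORT
# After DNAT the packet is addressed to the LAN host, so the routing decision
# sends it through FORWARD, never INPUT. The thread's script only opened INPUT,
# which is why the SYN was silently dropped by the filter table.
dnat_rules() {
    wan_if=$1; wan_ip=$2; wan_port=$3; lan_ip=$4; lan_port=$5
    is_ifname "$wan_if" || { echo "bad interface name: $wan_if" >&2; return 1; }
    # 1. Rewrite the destination before the routing decision.
    $IPT -t nat -A PREROUTING -i "$wan_if" -p tcp -d "$wan_ip" --dport "$wan_port" \
        -j DNAT --to-destination "$lan_ip:$lan_port"
    # 2. Let the rewritten packet through the filter table's FORWARD chain.
    $IPT -A FORWARD -i "$wan_if" -p tcp -d "$lan_ip" --dport "$lan_port" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # 3. Let the LAN host's replies back out through the same chain.
    $IPT -A FORWARD -o "$wan_if" -p tcp -s "$lan_ip" --sport "$lan_port" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Kernel prerequisite already present in the thread's script: ip_forward=1.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Constructed invocation using the addresses from post #1.
dnat_rules eth1 1.2.3.4 8765 192.168.1.2 80
```

Two checks beyond "iptables -L -t nat": inspect the filter table as well ("iptables -L FORWARD -v -n"), because a DROP policy or a missing rule there is what eats the DNAT'd packet even though the nat table looks right, and watch the per-rule packet counters while retrying the browser to see which rule the SYN actually hits. The return path must also pass back through the firewall: the LAN host's default gateway has to be the firewall's inner address (192.168.1.1 in the thread), otherwise replies bypass the connection-tracking state and an additional POSTROUTING SNAT would be needed.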