  1. #1
    Just Joined!
    Join Date
    Oct 2004
    Posts
    22

    NAT not working but the setting is correct! Thx


    Dear all,

    I have a firewall machine running Slackware 10.1. It has a fixed IP address (e.g. 1.2.3.4) and is connected to a local LAN, so the config is
    eth0, 192.168.1.1
    eth1, 1.2.3.4

    Now I open a new port 8765 on eth1 and forward it into the local LAN to 192.16.1.2.
    I did the following:
    Code:
    iptables -A INPUT -i eth1 -p tcp --dport 8765 -j ACCEPT (accept data from port 8765)
    iptables -t nat -A PREROUTING -p tcp -i eth1 -d 1.2.3.4 --dport 8765 -j DNAT --to 192.168.1.2:80 (forward msg from 1.2.3.4:8765 to 192.168.1.2:80).
    Afterwards, I checked with "iptables -L -t nat":
    Code:
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination
    DNAT       tcp  --  anywhere             1.2.3.4 dpt:6908 to:192.168.1.2:80
    It seems OK, but when I open the URL in Firefox it fails; IE also fails:
    Code:
    Unable to connect
    Firefox can't establish a connection to the server at 1.2.3.4:8765.
    Now, the firewall settings are correct and seem to work fine, but why can't I connect to the local machine 192.168.1.2, when connecting to http://192.168.1.2:80 works fine? How can I check that the forwarding from 1.2.3.4 to 192.168.1.2 is correct??

    Thanks.
    Regards,

  2. #2
    Just Joined!
    Join Date
    Oct 2004
    Posts
    22
    Dear all,

    I did a lab about this issue...

    I built two Linux systems:

    server
    OS: Fedora Core 5
    ETH0: 192.168.80.195
    ETH1: 192.168.1.1

    client
    OS: RHEL3
    ETH0: 192.168.1.2
    SERVICE: Httpd

    First, I used a crossover cable to connect the client (eth0) and the server (eth1); they can ping each other, so they are connected!
    Now I wrote a simple script to run on the server, to accept port number 8765 on 192.168.80.195, and then use NAT to forward the traffic from 192.168.80.195:8765 to the local LAN machine 192.168.1.2:80.
    The httpd runs on 192.168.1.2, and http://192.168.1.2 works in the browser.
    Now, using a machine on the 192.168.80.x segment to open the URL http://192.168.80.195:8765, it shows the following error. That computer and this test server are on the same segment and can ping each other.
    Code:
    The connection has timed out
    The server at 192.168.80.195 is taking too long to respond.
    And I checked the server's iptables settings; they seem correct:
    Code:
    [root@localhost ~]# iptables -L -t nat
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination
    DNAT       tcp  --  anywhere             192.168.80.195      tcp dpt:ultraseek-http to:192.168.1.2:80
    
    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    The problem is the same as I asked about before. How can I fix this problem?? Thanks.

    Here is the script that I used to test:
    Code:
    #!/bin/sh
    
    # insert modules
    echo "1" > /proc/sys/net/ipv4/ip_forward
    modprobe ip_tables
    modprobe ip_nat_ftp
    modprobe ip_conntrack
    modprobe ip_conntrack_ftp
    
    # clear rule
    service iptables restart
    iptables -X
    iptables -F
    iptables -X -t nat
    iptables -F -t nat
    
    # reset rule
    iptables -A INPUT -i 192.168.80.195 -p tcp --dport 8765 -j ACCEPT
    iptables -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.80.195 --dport 8765 -j DNAT --to 192.168.1.2:80

    Regards,
    Bluesheet

  3. #3
    Linux Newbie framp's Avatar
    Join Date
    Jul 2006
    Location
    Stuttgart, Germany
    Posts
    240
    Your target IP is 192.168.1.2, which is a remote system, not the local system. An INPUT rule applies to the local system. Use a FORWARD rule and it should work.
    "Really, I'm not out to destroy Microsoft. That will just be a completely unintentional side effect." Linus Benedict Torvalds
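Putting framp's answer into a script, as an added example that is not any poster's code: the DNAT rule in PREROUTING rewrites the destination, and the packet then crosses the FORWARD chain (not INPUT), so that is where it must be accepted. Interface names, addresses and ports default to the thread's values and are assumptions for any other setup; with DRY_RUN=1 (the default) the rules are only printed.

```shell
#!/bin/sh
# Added example, not the poster's script. Defaults are the thread's values.
WAN_IF="${WAN_IF:-eth1}"
WAN_IP="${WAN_IP:-1.2.3.4}"
WAN_PORT="${WAN_PORT:-8765}"
LAN_IF="${LAN_IF:-eth0}"
LAN_HOST="${LAN_HOST:-192.168.1.2}"
LAN_PORT="${LAN_PORT:-80}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command with DRY_RUN=1 so it can be reviewed; otherwise run it
# (which needs root).
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Routing between interfaces must be on, or the rewritten packet is dropped
# before it reaches FORWARD.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# The three rules a DNAT port forward needs: none of them touches INPUT.
dnat_rules() {
    # 1. Rewrite the destination of connections arriving on the WAN side.
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$WAN_IP" \
        --dport "$WAN_PORT" -j DNAT --to-destination "$LAN_HOST:$LAN_PORT"
    # 2. After DNAT the packet is forwarded to the LAN host, so accept it
    #    in FORWARD, matching the rewritten (LAN) destination and port.
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$LAN_HOST" \
        --dport "$LAN_PORT" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # 3. Let the replies back out (matters when FORWARD's policy is DROP).
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp -s "$LAN_HOST" \
        --sport "$LAN_PORT" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

enable_forwarding
dnat_rules
```

To confirm the forward is actually hit, watch the packet counters with "iptables -t nat -L PREROUTING -n -v" and "iptables -L FORWARD -n -v" while retrying the connection; a PREROUTING counter that rises while FORWARD's stays at zero is the symptom of the missing FORWARD rule.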
