[SOLVED] Problem with port FORWARDING

Post #1, 05-20-2008

I have the following problem.
I want to forward connections from port 8080 on my external server to port 80 on my internal server.
The two lines below don't work.
iptables -t nat -A PREROUTING -p tcp -i eth1 -d xxx.xxx.xxx.xxx --dport 8080 -j DNAT --to 192.168.1.2:80
iptables -A FORWARD -p tcp -i eth1 -d 192.168.1.2 --dport 80 -j ACCEPT

where eth1 is the external interface of the gateway system (eth0 is internal). xxx.xxx.xxx.xxx is the static external IP address of the gateway and 192.168.1.2 is the IP address of the internal server. The gateway system is Debian 4 and the internal server runs Windows Vista.
I use PPPoEd to provide Internet access to the internal computer.

I read that on the internal machine the gateway must be set to the internal IP of the external machine, but I don't know how to set the gateway because PPPoEd sets it to nothing (in the status window of the PPPoE connection in Vista the Default Gateway field is blank).

This is the script that I use:
EXT=eth1
INT=eth0

# Flush everything
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i $EXT -j ACCEPT
iptables -A FORWARD -i $EXT -o $INT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accept outgoing packets from the internal network
iptables -A FORWARD -i $INT -o $EXT -j ACCEPT

iptables -t nat -A POSTROUTING -o $EXT -j MASQUERADE

# TTL settings
iptables -t mangle -A PREROUTING -i $EXT -j TTL --ttl-inc 1
iptables -t mangle -A POSTROUTING -s 192.168.1.0/24 -o $EXT -j TTL --ttl-set 64

# port 8080 on the external address -> port 80 on the internal server
iptables -t nat -A PREROUTING -p tcp -i $EXT -d xxx.xxx.xxx.xxx --dport 8080 -j DNAT --to 192.168.1.2:80
iptables -A FORWARD -p tcp -i $EXT -o $INT -d 192.168.1.2 --dport 80 -j ACCEPT

# Reject everything else coming in from outside. This must come AFTER the
# ACCEPT above: with -A the rules are appended in order, and a new forwarded
# connection would otherwise hit this REJECT first.
iptables -A FORWARD -i $EXT -o $INT -j REJECT


If someone has an idea why this port forwarding isn't working, please help!
Thanks in advance!
Posted by No_root_No_cry


Post #2, 05-22-2008

It seems you have a routing problem here. To confirm that, run the command "route -n"; if you don't see any line starting with "0.0.0.0", your HTTP box doesn't know how to route traffic to the Internet. (The HTTP request from the Internet can reach it though, even without a default route.) You need to add your gateway's internal IP as its default route:

route add default gw INTERNAL_IP_OF_GATEWAY

Also make sure the value in /proc/sys/net/ipv4/ip_forward is 1; otherwise run the following command:

echo "1" > /proc/sys/net/ipv4/ip_forward

and change (or add) the following line in /etc/sysctl.conf:
net.ipv4.ip_forward=1
Posted by secondmouse
Post #3, 05-22-2008

Complete situation

xxx.xxx.xxx.xxx - my external IP
xxx.xxx.xxx.0 - ISP network
xxx.xxx.xxx.1 - ISP gateway
dns.dns.dns.dns - ISP DNS

10.11.12.0 - my local (internal) network
10.11.12.13 - my internal IP (Debian machine, the router)

10.11.12.14 - my other computer (vista machine, to which I want to forward packets)

eth0 - internal interface (local network)
eth1 - external interface

in /proc/sys/net/ipv4/ip_forward
1

in /etc/sysctl.conf
net.ipv4.conf.default.forwarding=1
net.ipv4.ip_forward = 1


ifconfig -a

Code:
eth0      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          inet addr:10.11.12.13  Bcast:10.11.12.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3997 errors:0 dropped:0 overruns:69 frame:0
          TX packets:4965 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:652783 (637.4 KiB)  TX bytes:4246737 (4.0 MiB)
          Interrupt:177 Base address:0x4c00

eth1      Link encap:Ethernet  HWaddr yy:yy:yy:yy:yy:yy
          inet addr:xxx.xxx.xxx.xxx  Bcast:xxx.xxx.xxx.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:21830 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6528 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:6875496 (6.5 MiB)  TX bytes:1152166 (1.0 MiB)
          Interrupt:169 Base address:0xd800

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:4046 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4046 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1270416 (1.2 MiB)  TX bytes:1270416 (1.2 MiB)

sit0      Link encap:IPv6-in-IPv4
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)



route -n

Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
xxx.xxx.xxx.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.11.12.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         xxx.xxx.xxx.1   0.0.0.0         UG    0      0        0 eth1

I use this script:

Code:
EXT=eth1
INT=eth0

iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i $EXT -j ACCEPT
iptables -A FORWARD -i $EXT -o $INT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accept outgoing packets from internal network
iptables -A FORWARD -i $INT -o $EXT -j ACCEPT

iptables -t nat -A POSTROUTING -o $EXT -j MASQUERADE

# TTL settings
iptables -t mangle -A PREROUTING -i $EXT -j TTL --ttl-inc 1
iptables -t mangle -A POSTROUTING -s 10.11.12.0/24 -o $EXT -j TTL --ttl-set 64

# port 8080 to port 80
iptables -t nat -A PREROUTING -p tcp -i $EXT -d xxx.xxx.xxx.xxx --dport 8080 -j DNAT --to 10.11.12.14:80
iptables -A FORWARD -p tcp -i $EXT -d 10.11.12.14 --dport 80 -j ACCEPT


iptables -L -n

Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0           state NEW

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            10.11.12.14         tcp dpt:80

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


iptables -t nat -L -n

Code:
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            xxx.xxx.xxx.xxx     tcp dpt:8080 to:10.11.12.14:80

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  0    --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


iptables -t mangle -L -n

Code:
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
TTL        0    --  0.0.0.0/0            0.0.0.0/0           TTL increment by 1

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
TTL        0    --  10.11.12.0/24        0.0.0.0/0           TTL set to 64


the internal machine (which use vista)

ipconfig -all

Code:
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : 10/100 Ethernet
   Physical Address. . . . . . . . . : xx-xx-xx-xx-xx-xx
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.11.12.14(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.11.12.13
   DNS Servers . . . . . . . . . . . : dns.dns.dns.dns
   NetBIOS over Tcpip. . . . . . . . : Enabled

When I type http://10.11.12.14:80 I see the index.html of the internal machine.
When I type http://xxx.xxx.xxx.xxx:80 I see the index.html of the external machine.
When I type http://xxx.xxx.xxx.xxx:8080 I see the index.html of the external machine again, but not the index.html of the internal machine.
(My external machine listens on both ports 80 and 8080, the internal one only on 80.)

I think there is a problem with this line in the routing table:
10.11.12.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
Posted by No_root_No_cry
Post #4, 05-22-2008

I don't see anything wrong with
"10.11.12.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0" in the routing table. I just want to point out that only a few rules in your iptables script matter, because the default policy is ACCEPT. To troubleshoot, start by simplifying the script to
Code:
EXT=eth1 
INT=eth0
iptables -F 
iptables -t nat -F 
iptables -t mangle -F
iptables -t nat -A PREROUTING -p tcp -i $EXT --dport 8080 -j DNAT --to 10.11.12.14:80
iptables -t nat -A POSTROUTING -o $EXT -j MASQUERADE
This script has pretty much the same effect as yours except it's simpler.

Secondly, find out if your ISP is blocking port 8080. If so, try another port.

To test whether the forwarding is really working, you need to send an HTTP request to your external machine's external IP on port 8080 from a network other than yours. Usually I use telnet to do the job. In your situation:
Code:
telnet xxx.xxx.xxx.xxx 8080
You said your external machine listens on port 8080. I think you meant it forwards requests that arrive at the external machine on port 8080 to your internal machine, right?
Posted by secondmouse
Post #5, 05-23-2008

You are right: when the address is loaded from the Internet, the redirecting works. Thank you, and sorry for the lamer's question!
Posted by No_root_No_cry
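The outcome of posts #4 and #5 (the DNAT works from the Internet but not from a LAN host) is the classic hairpin-NAT symptom: a LAN client's SYN to xxx.xxx.xxx.xxx:8080 is rewritten to 10.11.12.14:80, but the server answers the client directly on the LAN, so the reply bypasses the gateway and the client, which never opened a connection to 10.11.12.14:80, resets it. The script below is an added example, not the poster's script or anything written by the thread's participants. It rebuilds the forwarding with default-deny policies (the posted script relied on the built-in ACCEPT policy, so its FORWARD rules never restricted anything), matches the FORWARD rule on the post-NAT destination plus the DNAT conntrack state, restricts MASQUERADE to the LAN prefix, and adds the two hairpin rules that make the same URL work from inside. It uses the interface names and addresses the thread gives (eth1 outside, eth0 inside, 10.11.12.14 as the web server) and keeps the public address as the same placeholder; the conntrack match stands in for the older state match, and the TTL mangle rules are left out because they play no part in the forwarding. By default it is a dry run that prints the iptables commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the thread): EXT_IP:8080 -> 10.11.12.14:80 with
# default-deny policies and hairpin NAT for LAN clients.  Addresses and
# interface names are the ones given in the thread; the public address is
# the thread's own placeholder.
#
# Dry run (default) prints the commands.  To apply, as root on the gateway:
#     IPT=iptables sh fwd.sh
set -eu

IPT="${IPT:-echo iptables}"
EXT=eth1                      # external interface
INT=eth0                      # internal interface
EXT_IP=xxx.xxx.xxx.xxx        # gateway's static public address (placeholder)
LAN=10.11.12.0/24
SERVER=10.11.12.14            # internal web server
PUB_PORT=8080                 # port clients connect to on EXT_IP
SRV_PORT=80                   # port the internal server listens on

flush() {
    $IPT -F; $IPT -X
    $IPT -t nat -F; $IPT -t nat -X
    $IPT -t mangle -F; $IPT -t mangle -X
}

# Default-deny: with these policies the rules below are the only way traffic
# gets through.  Anything the gateway itself must serve to the Internet
# (e.g. its own port 80) then needs an explicit INPUT rule.
policies() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

base_rules() {
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT ! -i "$EXT" -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$INT" -o "$EXT" -s "$LAN" -j ACCEPT
    # Masquerade only traffic that really originates on the LAN.
    $IPT -t nat -A POSTROUTING -s "$LAN" -o "$EXT" -j MASQUERADE
}

# Internet client -> EXT_IP:8080 -> SERVER:80.
forward_from_internet() {
    $IPT -t nat -A PREROUTING -i "$EXT" -p tcp -d "$EXT_IP" --dport "$PUB_PORT" \
        -j DNAT --to-destination "$SERVER:$SRV_PORT"
    # The filter rule sees the post-DNAT destination.  Requiring the DNAT
    # conntrack state keeps a packet sent from outside straight to the
    # 10.11.12.14 address from matching this ACCEPT.
    $IPT -A FORWARD -i "$EXT" -o "$INT" -p tcp -d "$SERVER" --dport "$SRV_PORT" \
        -m conntrack --ctstate DNAT -j ACCEPT
}

# Hairpin NAT for LAN clients using the public URL.  The DNAT alone would
# let SERVER answer the client directly; masquerading the source as well
# forces the reply back through the gateway so conntrack can undo the NAT.
forward_from_lan() {
    $IPT -t nat -A PREROUTING -i "$INT" -p tcp -s "$LAN" -d "$EXT_IP" \
        --dport "$PUB_PORT" -j DNAT --to-destination "$SERVER:$SRV_PORT"
    $IPT -t nat -A POSTROUTING -o "$INT" -p tcp -s "$LAN" -d "$SERVER" \
        --dport "$SRV_PORT" -j MASQUERADE
    $IPT -A FORWARD -i "$INT" -o "$INT" -p tcp -d "$SERVER" --dport "$SRV_PORT" \
        -m conntrack --ctstate DNAT -j ACCEPT
}

apply_all() {
    flush
    policies
    base_rules
    forward_from_internet
    forward_from_lan
}

apply_all
```

To check the result the way post #4 suggests, connect from a host outside your network (telnet xxx.xxx.xxx.xxx 8080) and watch the counters with `iptables -t nat -L PREROUTING -v -n` on the gateway: if the DNAT rule's packet count stays at zero while you connect, the SYN never reached the box (ISP filtering or an upstream problem); if it rises and you still get no page, the problem is in the FORWARD chain or on the server itself.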