    [SOLVED] Problem with port FORWARDING

    #1 (Just Joined!, Join Date Sep 2007, Posts 14)


    I have the following problem.
    I want to forward connections from port 8080 on my external server to port 80 on my internal server.
    The two lines below don't work.
    iptables -t nat -A PREROUTING -p tcp -i eth1 -d xxx.xxx.xxx.xxx --dport 8080 -j DNAT --to-destination 192.168.1.2:80
    iptables -A FORWARD -p tcp -i eth1 -d 192.168.1.2 --dport 80 -j ACCEPT

    where eth1 is the external interface of the gateway system (eth0 is internal). xxx.xxx.xxx.xxx is the static external IP address of the gateway and 192.168.1.2 is the IP address of the internal server. The gateway system is Debian 4 and the internal server uses Windows Vista.
    I use PPPoEd to provide Internet to the internal computer.

    I read that on the internal machine the gateway must be set to the internal IP of the external machine, but I don't know how to set the gateway because PPPoEd sets it to nothing (in the status window of the PPPoE connection in Vista the Default Gateway field is blank).

    This is the script that I use:
    EXT=eth1
    INT=eth0

    iptables -F
    iptables -t nat -F
    iptables -t mangle -F
    iptables -X

    iptables -A INPUT -i lo -j ACCEPT

    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # "! -i" is the negation syntax iptables expects; "-i !" is the deprecated form
    iptables -A INPUT -m state --state NEW ! -i $EXT -j ACCEPT
    iptables -A FORWARD -i $EXT -o $INT -m state --state ESTABLISHED,RELATED -j ACCEPT

    iptables -A FORWARD -i $INT -o $EXT -j ACCEPT

    iptables -t nat -A POSTROUTING -o $EXT -j MASQUERADE

    # port 8080 to port 80: the FORWARD ACCEPT must come before the catch-all REJECT below,
    # otherwise the DNATed packets are rejected before they reach it
    iptables -t nat -A PREROUTING -p tcp -i $EXT -d xxx.xxx.xxx.xxx --dport 8080 -j DNAT --to-destination 192.168.1.2:80
    iptables -A FORWARD -p tcp -i $EXT -o $INT -d 192.168.1.2 --dport 80 -j ACCEPT

    # everything else coming in from the outside is rejected
    iptables -A FORWARD -i $EXT -o $INT -j REJECT

    iptables -t mangle -A PREROUTING -i $EXT -j TTL --ttl-inc 1
    iptables -t mangle -A POSTROUTING -s 192.168.1.0/24 -o $EXT -j TTL --ttl-set 64


    If someone has an idea why this port forwarding isn't working, please help!
    Thanks in advance!

    #2 (Linux User, Join Date May 2008, Location NYC, moved from KS &amp; MO, Posts 251)
    It seems you have a routing problem here. To confirm that, run the command "route -n" and if you don't see any line starting with "0.0.0.0", your http box doesn't know how to route traffic to the Internet. (The http request from the Internet can reach it even without a default route, though.) You need to add your gateway's internal IP as its default route:

    route add default gw INTERNAL_IP_OF_GATEWAY

    Also make sure the value in /proc/sys/net/ipv4/ip_forward is 1, otherwise run the following command:

    echo "1" > /proc/sys/net/ipv4/ip_forward

    and change (or add) the following line in /etc/sysctl.conf
    net.ipv4.ip_forward=1

    #3 (Just Joined!, Join Date Sep 2007, Posts 14)

    Complete situation

    xxx.xxx.xxx.xxx - my external IP
    xxx.xxx.xxx.0 - ISP network
    xxx.xxx.xxx.1 - ISP gateway
    dns.dns.dns.dns - ISP DNS

    10.11.12.0 - my local (internal) network
    10.11.12.13 - my internal IP (Debian machine, the router)

    10.11.12.14 - my other computer (vista machine, to which I want to forward packets)

    eth0 - internal interface (local network)
    eth1 - external interface

    in /proc/sys/net/ipv4/ip_forward
    1

    in /etc/sysctl.conf
    net.ipv4.conf.default.forwarding=1
    net.ipv4.ip_forward = 1


    ifconfig -a

    Code:
    eth0      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
              inet addr:10.11.12.13  Bcast:10.11.12.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:3997 errors:0 dropped:0 overruns:69 frame:0
              TX packets:4965 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:652783 (637.4 KiB)  TX bytes:4246737 (4.0 MiB)
              Interrupt:177 Base address:0x4c00

    eth1      Link encap:Ethernet  HWaddr yy:yy:yy:yy:yy:yy
              inet addr:xxx.xxx.xxx.xxx  Bcast:xxx.xxx.xxx.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:21830 errors:0 dropped:0 overruns:0 frame:0
              TX packets:6528 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:6875496 (6.5 MiB)  TX bytes:1152166 (1.0 MiB)
              Interrupt:169 Base address:0xd800

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:4046 errors:0 dropped:0 overruns:0 frame:0
              TX packets:4046 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:1270416 (1.2 MiB)  TX bytes:1270416 (1.2 MiB)

    sit0      Link encap:IPv6-in-IPv4
              NOARP  MTU:1480  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)



    route -n

    Code:
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    xxx.xxx.xxx.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
    10.11.12.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
    0.0.0.0         xxx.xxx.xxx.1   0.0.0.0         UG    0      0        0 eth1

    I use this script:

    Code:
    EXT=eth1
    INT=eth0

    iptables -F
    iptables -t nat -F
    iptables -t mangle -F
    iptables -X

    # Always accept loopback traffic
    iptables -A INPUT -i lo -j ACCEPT

    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # "! -i" is the negation syntax iptables expects; "-i !" is the deprecated form
    iptables -A INPUT -m state --state NEW ! -i $EXT -j ACCEPT
    iptables -A FORWARD -i $EXT -o $INT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Accept outgoing packets from internal network
    iptables -A FORWARD -i $INT -o $EXT -j ACCEPT

    iptables -t nat -A POSTROUTING -o $EXT -j MASQUERADE

    # TTL settings
    iptables -t mangle -A PREROUTING -i $EXT -j TTL --ttl-inc 1
    iptables -t mangle -A POSTROUTING -s 10.11.12.0/24 -o $EXT -j TTL --ttl-set 64

    # port 8080 to port 80
    iptables -t nat -A PREROUTING -p tcp -i $EXT -d xxx.xxx.xxx.xxx --dport 8080 -j DNAT --to-destination 10.11.12.14:80
    iptables -A FORWARD -p tcp -i $EXT -d 10.11.12.14 --dport 80 -j ACCEPT


    iptables -L -n

    Code:
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0
    ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0           state NEW

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0
    ACCEPT     tcp  --  0.0.0.0/0            10.11.12.14         tcp dpt:80

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination


    iptables -t nat -L -n

    Code:
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination
    DNAT       tcp  --  0.0.0.0/0            xxx.xxx.xxx.xxx     tcp dpt:8080 to:10.11.12.14:80

    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination
    MASQUERADE  0   --  0.0.0.0/0            0.0.0.0/0

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination


    iptables -t mangle -L -n

    Code:
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination
    TTL        0    --  0.0.0.0/0            0.0.0.0/0           TTL increment by 1

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination
    TTL        0    --  10.11.12.0/24        0.0.0.0/0           TTL set to 64


    The internal machine (which uses Vista):

    ipconfig -all

    Code:
    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : 10/100 Ethernet
       Physical Address. . . . . . . . . : xx-xx-xx-xx-xx-xx
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 10.11.12.14(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 10.11.12.13
       DNS Servers . . . . . . . . . . . : dns.dns.dns.dns
       NetBIOS over Tcpip. . . . . . . . : Enabled

    When I type http://10.11.12.14:80 I see the index.html of the internal machine.
    When I type http://xxx.xxx.xxx.xxx:80 I see the index.html of the external machine.
    When I type http://xxx.xxx.xxx.xxx:8080 I see the index.html of the external machine again, but not the index.html of the internal machine.
    (My external machine listens on both ports 80 and 8080, the internal one only on 80.)

    I think there is a problem with this line in the routing table:
    10.11.12.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0

    #4 (Linux User, Join Date May 2008, Location NYC, moved from KS &amp; MO, Posts 251)
    I don't see anything wrong with
    "10.11.12.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0" in the routing table. Just want to point out that there are only a few rules that matter in your iptables script because the default policy is [ by default ] ACCEPT. To troubleshoot, start by simplifying the script to
    Code:
    EXT=eth1 
    INT=eth0
    iptables -F 
    iptables -t nat -F 
    iptables -t mangle -F
    iptables -t nat -A PREROUTING -p tcp -i $EXT --dport 8080 -j DNAT --to 10.11.12.14:80
    iptables -t nat -A POSTROUTING -o $EXT -j MASQUERADE
    This script has pretty much the same effect as yours except it's simpler.

    Secondly, find out if your ISP is blocking port 8080. If so, try to use other ports.

    To test if the forwarding is really working, you need to send an http request to your external machine's external IP on 8080 from a network other than yours. Usually I use telnet to do the job. In your situation:
    Code:
    telnet xxx.xxx.xxx.xxx 8080
    You said your external machine listens on port 8080. I think you meant it forwards traffic requests that arrive at the external machine on port 8080 to your internal machine, right?
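    Two things in this thread deserve a worked ruleset. First, the DNAT rule matches only packets that arrive on eth1, so a request from the LAN to xxx.xxx.xxx.xxx:8080 arrives on eth0, is never rewritten, and lands on the gateway's own 8080 listener; that is exactly what post #3 observed, and it is why post #4's advice to test from outside is right. Second, the simplified script in #4 (and the script in #3, which dropped the REJECT rule) relies on the FORWARD chain's default ACCEPT policy, so the gateway forwards anything the kernel routes. The script below is an added example, not code from the thread: it generates an iptables-restore ruleset with DROP policies, admits only the DNATed flow from the outside, and adds a hairpin (NAT loopback) rule pair so the forward can also be tested from inside the LAN. Interface names, the 10.11.12.0/24 network and 10.11.12.14:80 come from the thread; 203.0.113.10 stands in for the redacted public IP; the conntrack match with --ctstate DNAT is assumed available (xt_conntrack), and the rule allowing port 80 on the gateway itself reflects post #3 saying the gateway serves its own index.html.

```shell
#!/bin/sh
# Added example: generate (and optionally load) an iptables-restore ruleset for
# DNAT port forwarding with default-deny policies and a hairpin NAT rule.
# Parameters follow the thread; the public IP is a placeholder (TEST-NET-3).
EXT=eth1
INT=eth0
LAN=10.11.12.0/24
WAN_IP=203.0.113.10        # stands in for xxx.xxx.xxx.xxx
TARGET=10.11.12.14
TARGET_PORT=80
EXT_PORT=8080

gen_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# From the Internet: arrives on $EXT for the public IP, rewrite to the internal server
-A PREROUTING -i $INT -s $LAN -p tcp -d $WAN_IP --dport $EXT_PORT -j DNAT --to-destination $TARGET:$TARGET_PORT
-A PREROUTING -i $EXT -p tcp -d $WAN_IP --dport $EXT_PORT -j DNAT --to-destination $TARGET:$TARGET_PORT
# Hairpin return path: source-NAT LAN-originated hairpin flows so replies come back through the gateway
-A POSTROUTING -o $INT -s $LAN -p tcp -d $TARGET --dport $TARGET_PORT -j MASQUERADE
# Ordinary outbound NAT for the LAN
-A POSTROUTING -o $EXT -s $LAN -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i $INT -m conntrack --ctstate NEW -j ACCEPT
# The gateway itself serves HTTP on 80 (per the thread); 8080 is consumed by the DNAT above
-A INPUT -i $EXT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $INT -o $EXT -s $LAN -j ACCEPT
# Only the DNATed flow is allowed in from the outside; the DROP policy handles the rest
-A FORWARD -i $EXT -o $INT -p tcp -d $TARGET --dport $TARGET_PORT -m conntrack --ctstate DNAT -j ACCEPT
# Hairpin flow enters and leaves on $INT
-A FORWARD -i $INT -o $INT -p tcp -d $TARGET --dport $TARGET_PORT -m conntrack --ctstate DNAT -j ACCEPT
COMMIT
EOF
}

apply_rules() {
  # iptables-restore replaces the whole ruleset atomically; --test only validates it
  gen_rules | iptables-restore "$@"
}

case "${1:-}" in
  --apply) apply_rules ;;        # load the ruleset (needs root)
  --check) apply_rules --test ;; # validate syntax without loading
  *)       gen_rules ;;          # print the ruleset for review
esac
```

Run it without arguments to review the generated rules, with --check to have iptables-restore validate them, and with --apply to load them. The LAN-side DNAT rule is listed first so that a LAN client connecting to the public IP on 8080 reaches 10.11.12.14:80 instead of the gateway's own listener; without the matching POSTROUTING MASQUERADE the internal server would answer the LAN client directly and the client would reset the connection because the reply does not come from the address it connected to. Note that the FORWARD rules use --ctstate DNAT, so only traffic that actually went through the PREROUTING rewrite is admitted, and the old "-i ! eth1" negation in the thread is written as "! -i" in current iptables.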

    #5 (Just Joined!, Join Date Sep 2007, Posts 14)
    You are right: when the address is loaded from the Internet, the redirecting works. Thank you, and sorry for the lamer's question!
