- 05-20-2008 #1 (Just Joined!, Join Date: Sep 2007, Posts: 9)
[SOLVED] Problem with port FORWARDING
I have the following problem.
I want to forward connections from port 8080 on my external server to port 80 on my internal server.
The two lines below don't work:
iptables -t nat -A PREROUTING -p tcp -i eth1 -d xxx.xxx.xxx.xxx --dport 8080 -j DNAT --to 192.168.1.2:80
iptables -A FORWARD -p tcp -i eth1 -d 192.168.1.2 --dport 80 -j ACCEPT
where eth1 is the external interface of the gateway system (eth0 is internal), xxx.xxx.xxx.xxx is the static external IP address of the gateway and 192.168.1.2 is the IP address of the internal server. The gateway system is Debian 4 and the internal server runs Windows Vista.
I use PPPoEd to provide Internet to the internal computer.
I read that on the internal machine the gateway must be set to the internal IP of the external machine, but I don't know how to set the gateway because PPPoEd sets it to nothing (in the status window of the PPPoE connection in Vista the Default Gateway field is blank).
This is the script that I use:
EXT=eth1
INT=eth0
# flush all chains and delete user-defined ones
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
# always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# new connections to the gateway itself only from non-external interfaces
# (current iptables spells the negation "! -i $EXT")
iptables -A INPUT -m state --state NEW -i ! $EXT -j ACCEPT
iptables -A FORWARD -i $EXT -o $INT -m state --state ESTABLISHED,RELATED -j ACCEPT
# accept outgoing packets from the internal network
iptables -A FORWARD -i $INT -o $EXT -j ACCEPT
iptables -t nat -A POSTROUTING -o $EXT -j MASQUERADE
# port 8080 -> internal port 80; the FORWARD ACCEPT has to be appended
# before the catch-all REJECT below, otherwise the REJECT matches first
# and the forwarded packets never reach the ACCEPT
iptables -t nat -A PREROUTING -p tcp -i $EXT -d xxx.xxx.xxx.xxx --dport 8080 -j DNAT --to 192.168.1.2:80
iptables -A FORWARD -p tcp -i $EXT -d 192.168.1.2 --dport 80 -j ACCEPT
# reject everything else that arrives from outside
iptables -A FORWARD -i $EXT -o $INT -j REJECT
# TTL settings
iptables -t mangle -A PREROUTING -i $EXT -j TTL --ttl-inc 1
iptables -t mangle -A POSTROUTING -s 192.168.1.0/24 -o $EXT -j TTL --ttl-set 64
If someone has an idea why this port forwarding isn't working, please help!
Thanks in advance!
- 05-22-2008 #2 (Linux User, Join Date: May 2008, Location: NYC, moved from KS & MO, Posts: 251)
It seems you have a routing problem here. To confirm that, run the command "route -n"; if you don't see any line starting with "0.0.0.0", your HTTP box doesn't know how to route traffic to the Internet. (The HTTP request from the Internet can reach it, though, even without a default route.) You need to add your gateway's internal IP as its default route:
route add default gw INTERNAL_IP_OF_GATEWAY
Also make sure the value in /proc/sys/net/ipv4/ip_forward is 1; otherwise run the following command:
echo "1" > /proc/sys/net/ipv4/ip_forward
and change (or add) the following line in /etc/sysctl.conf:
net.ipv4.ip_forward=1
- 05-22-2008 #3 (Just Joined!, Join Date: Sep 2007, Posts: 9)
Complete situation:
xxx.xxx.xxx.xxx - my external IP
xxx.xxx.xxx.0 - ISP network
xxx.xxx.xxx.1 - ISP gateway
dns.dns.dns.dns - ISP DNS
10.11.12.0 - my local (internal) network
10.11.12.13 - my internal IP (Debian machine, the router)
10.11.12.14 - my other computer (vista machine, to which I want to forward packets)
eth0 - internal interface (local network)
eth1 - external interface
in /proc/sys/net/ipv4/ip_forward
1
in /etc/sysctl.conf
net.ipv4.conf.default.forwarding=1
net.ipv4.ip_forward = 1
ifconfig -a
Code:
eth0      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          inet addr:10.11.12.13  Bcast:10.11.12.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3997 errors:0 dropped:0 overruns:69 frame:0
          TX packets:4965 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:652783 (637.4 KiB)  TX bytes:4246737 (4.0 MiB)
          Interrupt:177 Base address:0x4c00

eth1      Link encap:Ethernet  HWaddr yy:yy:yy:yy:yy:yy
          inet addr:xxx.xxx.xxx.xxx  Bcast:xxx.xxx.xxx.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:21830 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6528 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:6875496 (6.5 MiB)  TX bytes:1152166 (1.0 MiB)
          Interrupt:169 Base address:0xd800

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:4046 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4046 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1270416 (1.2 MiB)  TX bytes:1270416 (1.2 MiB)

sit0      Link encap:IPv6-in-IPv4
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
route -n
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
xxx.xxx.xxx.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.11.12.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         xxx.xxx.xxx.1   0.0.0.0         UG    0      0        0 eth1
I use this script:
Code:
EXT=eth1
INT=eth0
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# New connections to the gateway itself only from non-external interfaces
# (current iptables spells the negation "! -i $EXT")
iptables -A INPUT -m state --state NEW -i ! $EXT -j ACCEPT
iptables -A FORWARD -i $EXT -o $INT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Accept outgoing packets from internal network
iptables -A FORWARD -i $INT -o $EXT -j ACCEPT
iptables -t nat -A POSTROUTING -o $EXT -j MASQUERADE
# TTL settings
iptables -t mangle -A PREROUTING -i $EXT -j TTL --ttl-inc 1
iptables -t mangle -A POSTROUTING -s 10.11.12.0/24 -o $EXT -j TTL --ttl-set 64
# port 8080 to port 80
iptables -t nat -A PREROUTING -p tcp -i $EXT -d xxx.xxx.xxx.xxx --dport 8080 -j DNAT --to 10.11.12.14:80
iptables -A FORWARD -p tcp -i $EXT -d 10.11.12.14 --dport 80 -j ACCEPT
iptables -L -n
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0            state NEW

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            10.11.12.14          tcp dpt:80

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
iptables -t nat -L -n
Code:
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            xxx.xxx.xxx.xxx      tcp dpt:8080 to:10.11.12.14:80

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE 0    --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
iptables -t mangle -L -n
Code:
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
TTL        0    --  0.0.0.0/0            0.0.0.0/0            TTL increment by 1

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
TTL        0    --  10.11.12.0/24        0.0.0.0/0            TTL set to 64
The internal machine (which runs Vista):
ipconfig -all
Code:
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : 10/100 Ethernet
   Physical Address. . . . . . . . . : xx-xx-xx-xx-xx-xx
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.11.12.14(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.11.12.13
   DNS Servers . . . . . . . . . . . : dns.dns.dns.dns
   NetBIOS over Tcpip. . . . . . . . : Enabled
When I type http://10.11.12.14:80, I see the index.html of the internal machine.
When I type http://xxx.xxx.xxx.xxx:80, I see the index.html of the external machine.
When I type http://xxx.xxx.xxx.xxx:8080, I see the index.html of the external machine again, but not the index.html of the internal machine.
(My external machine listens on both ports 80 and 8080; the internal one only on 80.)
I think there is a problem with this line in the routing table:
10.11.12.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
- 05-22-2008 #4 (Linux User, Join Date: May 2008, Location: NYC, moved from KS & MO, Posts: 251)
I don't see anything wrong with "10.11.12.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0" in the routing table. Just want to point out that there are only a few rules that matter in your iptables script because the default policy is [ by default ] ACCEPT. To troubleshoot, start by simplifying the script to:
Code:
EXT=eth1
INT=eth0
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -t nat -A PREROUTING -p tcp -i $EXT --dport 8080 -j DNAT --to 10.11.12.14:80
iptables -t nat -A POSTROUTING -o $EXT -j MASQUERADE
This script has pretty much the same effect as yours except it's simpler.
Secondly, find out if your ISP is blocking port 8080. If so, try to use other ports.
To test if the forwarding is really working, you need to send an HTTP request to your external machine's external IP on 8080 from a network other than yours. Usually I use telnet to do the job. In your situation:
Code:
telnet xxx.xxx.xxx.xxx 8080
You said your external machine listens on port 8080. I think you meant it forwards requests that arrive at the external machine on port 8080 to your internal machine, right?
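The reply above says to test from another network; the next step, when such a test fails, is to see where in the gateway the connection died. The script below is an added example and not something posted in this thread: it snapshots the packet counters of the DNAT rule and of the FORWARD rule that accepts the translated traffic, has you make one connection from outside, and classifies the failure from the two counter deltas. It assumes the addresses given earlier in the thread (server 10.11.12.14:80 behind external port 8080) and two substring patterns, `to:10.11.12.14:80` and `tcp dpt:80`, that are assumed to identify those two rules uniquely in the `-v -n -x` listings. `demo` runs on constructed listings embedded in the script and needs no privileges; `live` needs root on the gateway.

```shell
#!/bin/sh
# Added example, not from the thread: find where a forwarded connection is
# lost by comparing iptables packet counters before and after one test
# connection from outside. Addresses and rule patterns are assumptions
# matching the thread's setup; adjust SERVER/SRV_PORT and the patterns.
SERVER=${SERVER:-10.11.12.14}
SRV_PORT=${SRV_PORT:-80}

# Packet counter of the first rule in a verbose listing ($1 = output of
# "iptables ... -L <chain> -v -n -x") whose text contains $2; "-1" if absent.
rule_pkts() {
    printf '%s\n' "$1" | awk -v pat="$2" '
        index($0, pat) { print $1; found = 1; exit }
        END { if (!found) print "-1" }'
}

# Counter delta between two snapshots; "-1" (rule not found) propagates.
delta() {
    if [ "$1" -lt 0 ] || [ "$2" -lt 0 ]; then
        printf '%s\n' "-1"
    else
        printf '%s\n' "$(( $2 - $1 ))"
    fi
}

# Verdict from the deltas of the DNAT rule ($1) and of the FORWARD rule that
# accepts the translated traffic ($2), for a single test connection.
triage() {
    if [ "$1" -lt 0 ] || [ "$2" -lt 0 ]; then
        echo "rule-missing"        # rule not loaded, or the pattern does not match it
    elif [ "$1" -eq 0 ]; then
        echo "never-reached-dnat"  # nothing matched -i/-d/--dport: filtered upstream,
                                   # wrong interface or IP, or tested from the LAN side
    elif [ "$2" -eq 0 ]; then
        echo "dropped-in-forward"  # translated but filtered: rule order, or ip_forward=0
    else
        echo "forwarded"           # left the gateway; a missing reply now points at the
                                   # server's own firewall or its default gateway
    fi
}

# Live mode (root): snapshot, wait for one connection from outside, re-snapshot.
live_triage() {
    nat_pat="to:$SERVER:$SRV_PORT"
    fwd_pat="tcp dpt:$SRV_PORT"    # assumed unique in FORWARD; refine if it is not
    n1=$(iptables -t nat -L PREROUTING -v -n -x); f1=$(iptables -L FORWARD -v -n -x)
    echo "From another network run: nc -vz <external-ip> 8080, then press Enter" >&2
    read -r _
    n2=$(iptables -t nat -L PREROUTING -v -n -x); f2=$(iptables -L FORWARD -v -n -x)
    triage "$(delta "$(rule_pkts "$n1" "$nat_pat")" "$(rule_pkts "$n2" "$nat_pat")")" \
           "$(delta "$(rule_pkts "$f1" "$fwd_pat")" "$(rule_pkts "$f2" "$fwd_pat")")"
}

# Demo on constructed listings (not real output): the test connection was
# translated (DNAT counter 3 -> 4) but the FORWARD ACCEPT never fired (0 -> 0).
demo() {
    n1='Chain PREROUTING (policy ACCEPT 410 packets, 27810 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       3        180 DNAT       tcp  --  eth1   *       0.0.0.0/0            203.0.113.10         tcp dpt:8080 to:10.11.12.14:80'
    n2='Chain PREROUTING (policy ACCEPT 411 packets, 27870 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       4        240 DNAT       tcp  --  eth1   *       0.0.0.0/0            203.0.113.10         tcp dpt:8080 to:10.11.12.14:80'
    f1='Chain FORWARD (policy DROP 12 packets, 720 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     900      61200 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
       0          0 ACCEPT     tcp  --  eth1   eth0    0.0.0.0/0            10.11.12.14          tcp dpt:80 ctstate NEW'
    triage "$(delta "$(rule_pkts "$n1" "to:10.11.12.14:80")" "$(rule_pkts "$n2" "to:10.11.12.14:80")")" \
           "$(delta "$(rule_pkts "$f1" "tcp dpt:80")" "$(rule_pkts "$f1" "tcp dpt:80")")"
}

case "${1:-}" in
    demo) demo ;;
    live) live_triage ;;
    *)    echo "usage: $0 demo|live" >&2 ;;
esac
```

A `never-reached-dnat` verdict for a test made from a LAN client is exactly this thread's situation: with `-i eth1` in the DNAT rule, a LAN-originated packet to the external IP never matches it and is delivered to the gateway's own listener on 8080 instead. The counters are the reason to prefer `-L -v -n -x` over plain `-L -n`: the listings posted earlier in the thread show the rules but not whether anything has ever hit them.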
- 05-23-2008 #5 (Just Joined!, Join Date: Sep 2007, Posts: 9)
You are right.
When the address is loaded from the Internet, the redirecting works. Thank you, and sorry for the lamer's question!
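A fuller ruleset for this setup, added here as an example; it is neither the original poster's script nor the simplified one from the replies. It assumes the addresses posted in this thread (eth1 external, eth0 internal, 10.11.12.13 gateway, 10.11.12.14 web server, external port 8080 to server port 80), uses 203.0.113.10 as a documentation placeholder for xxx.xxx.xxx.xxx, and assumes a current iptables (the `! -i` negation syntax and `-m conntrack`). It differs from the thread's scripts on three points a practitioner would want: FORWARD policy DROP, so only the forwarded port is reachable from eth1 (with the default ACCEPT most rules in the original script are moot, as the second reply points out); the ACCEPT for the forwarded port appended ahead of the catch-all that matches everything from eth1 (appended after it, it would never be reached); and hairpin NAT rules, so that the LAN-side test at http://xxx.xxx.xxx.xxx:8080 reaches the internal server instead of the gateway's own listener, which is the reason the forwarding was only seen to work from the Internet.

```shell
#!/bin/sh
# Added example (not the poster's script): a DNAT port-forward ruleset for
# the thread's setup, generated by a function so it can be reviewed with
# "show" and order-checked with "check" before being loaded with "apply".
# All values below are assumptions (override them via the environment);
# 203.0.113.10 stands in for the poster's xxx.xxx.xxx.xxx.
EXT_IF=${EXT_IF:-eth1}
INT_IF=${INT_IF:-eth0}
EXT_IP=${EXT_IP:-203.0.113.10}
LAN=${LAN:-10.11.12.0/24}
GW_LAN_IP=${GW_LAN_IP:-10.11.12.13}
SERVER=${SERVER:-10.11.12.14}
EXT_PORT=${EXT_PORT:-8080}
SRV_PORT=${SRV_PORT:-80}

# Emit the rules in load order. Every rule is appended (-A), so the order
# printed here is the order in which the kernel evaluates them.
forward_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT ! -i $EXT_IF -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INT_IF -o $EXT_IF -j ACCEPT
iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $SERVER --dport $SRV_PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i $INT_IF -o $INT_IF -p tcp -d $SERVER --dport $SRV_PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i $EXT_IF -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
iptables -A FORWARD -i $EXT_IF -j DROP
iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -d $EXT_IP --dport $EXT_PORT -j DNAT --to-destination $SERVER:$SRV_PORT
iptables -t nat -A PREROUTING -i $INT_IF -s $LAN -p tcp -d $EXT_IP --dport $EXT_PORT -j DNAT --to-destination $SERVER:$SRV_PORT
iptables -t nat -A POSTROUTING -o $INT_IF -s $LAN -p tcp -d $SERVER --dport $SRV_PORT -j SNAT --to-source $GW_LAN_IP
iptables -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE
EOF
}
# The two PREROUTING DNATs and the POSTROUTING SNAT form the hairpin: a LAN
# client connecting to EXT_IP:8080 is redirected to the server, and the
# server's reply is forced back through the gateway (SNAT) so the client
# sees it come from the address it connected to. The eth0->eth0 FORWARD
# rule admits that redirected traffic under the DROP policy.

# The ACCEPT for the forwarded port must come before the catch-all DROP in
# FORWARD; appended after it, it is never reached. Returns 0 when the
# generated order is right.
forward_accept_before_drop() {
    rules=$(forward_rules)
    accept=$(printf '%s\n' "$rules" | grep -n -- "-A FORWARD -i $EXT_IF .*--dport $SRV_PORT .*-j ACCEPT" | head -n 1 | cut -d: -f1)
    drop=$(printf '%s\n' "$rules" | grep -n -- "-A FORWARD -i $EXT_IF -j DROP" | head -n 1 | cut -d: -f1)
    [ -n "$accept" ] && [ -n "$drop" ] && [ "$accept" -lt "$drop" ]
}

# Load the rules (root). Forwarding is switched on first; stops at the
# first failing command.
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    forward_rules | sh -e
}

case "${1:-}" in
    show)  forward_rules ;;
    check) forward_accept_before_drop && echo "FORWARD order ok" ;;
    apply) forward_accept_before_drop && apply_rules ;;
    *)     echo "usage: $0 show|check|apply" >&2 ;;
esac
```

Review the output of `show`, run `apply` as root, then test as the second reply says, from a host on another network (`nc -vz 203.0.113.10 8080` with your real address), and confirm on the gateway with `iptables -t nat -L PREROUTING -v -n` that the DNAT rule's packet counter moved. Two consequences to weigh before copying this: the hairpin SNAT makes every LAN-originated connection look to the server as if it came from 10.11.12.13, so the server's own logs lose the real client address; and with INPUT policy DROP for new connections on eth1, the gateway's own port-80 listener mentioned in the thread is no longer reachable from outside unless an explicit INPUT ACCEPT is added for it.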