Netfilter Port Forwarding Problem

Makara
Posted: Sat Apr 28, 2007 5:10 am    Post subject: Netfilter Port Forwarding Problem
Archived from groups: linux>debian>maint>firewall

Hi all,

I have 2 internet connections: IP $ipinet1 for other
traffic and $ipinet2 for mail. It works properly.
I want to allow connections from the internet to connect
to my local web server (172.16.0.4) via $ipinet1, so I
do port forwarding:

iptables -A PREROUTING -t nat -i $ifinet1 -d $ipinet1 -p tcp --dport 80 -j DNAT --to 172.16.0.4:80

I allow a FORWARD rule from the firewall to my local
webserver:

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A FORWARD -p tcp --dport 80 -i $ifinet1 -o $iflocalnet -j ACCEPT

I don't know why it does work? If you have any idea
please help.

Thanks

Paolo
Posted: Sat Apr 28, 2007 11:20 pm    Post subject: Re: Netfilter Port Forwarding Problem

On Fri, Apr 27, 2007 at 08:02:43PM -0700, Makara wrote:
> I want to allow the connection from internet connect
> to my local web server(172.16.0.4) via $ipinet1 so I
> do port forwarding

or use redir(1) on the fw machine, eg.

% redir --caddr 172.16.0.4 --cport 80 --lport 80 --transproxy

if you start it from *inetd, you then will be able to [en|dis]able the
service simply by issuing:

% update-inetd --[en|dis]able www

a bit OT but HTH anyway.

--
paolo


tomfi
Posted: Mon Apr 30, 2007 9:30 am    Post subject: Re: Netfilter Port Forwarding Problem

You don't know why it works? Or you don't know why it does not work?

I think it doesn't work... If you have an Internet-connected webserver and
there is a requirement to establish a connection over the local network to
the Internet, the webserver tries to respond over its own Internet connection,
because the server knows a different way to the Internet than your firewall.

That's why.

Tomfi


Makara wrote:
> Hi all,
>
> I have 2 internet connections: IP $ipinet1 for other
> traffic and $ipinet2 for mail. It works properly.
> I want to allow connections from the internet to connect
> to my local web server (172.16.0.4) via $ipinet1, so I
> do port forwarding:
>
> iptables -A PREROUTING -t nat -i $ifinet1 -d $ipinet1 -p tcp --dport 80 -j DNAT --to 172.16.0.4:80
>
> I allow a FORWARD rule from the firewall to my local
> webserver:
>
> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> iptables -A FORWARD -p tcp --dport 80 -i $ifinet1 -o $iflocalnet -j ACCEPT
>
> I don't know why it does work? If you have any idea
> please help.
>
> Thanks
Dominik Fahr
Posted: Mon Apr 30, 2007 10:30 am    Post subject: Re: Netfilter Port Forwarding Problem

Hi!

I have an internet connection (eth0) and an internal interface (eth1).
My goal is to forward the following TCP port: 195.x.x.x:5900 =>
192.168.1.6:5900

On Debian/Sarge (Kernel 2.4.27-2-386 / iptables v1.2.11) it works fine:
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 195.x.x.x --dport 5900 -j DNAT --to 192.168.1.6:5900
iptables -A FORWARD -p tcp -i eth0 -d 192.168.1.6 --dport 5900 -j ACCEPT

With nmap, I get this state on port 5900:
Port State Service
5900/tcp open vnc

On Debian/Etch (Kernel 2.6.18-4-k7 / iptables v1.3.6), I get the
"filtered" state and I get connection refused when connecting:
Port State Service
5900/tcp filtered vnc

I think kernel 2.6 has some different security settings from kernel 2.4.
Does anybody know a solution for my problem?

best regards

Dom


> -----Original Message-----
> From: tomfi [mailto:tomfi@volny.cz]
> Sent: Monday, 30 April 2007 09:25
> To: Makara
> Cc: debian-firewall.RemoveThis@lists.debian.org
> Subject: Re: Netfilter Port Forwarding Problem
>
> You don't know why it works? Or you don't know why it does not work?
>
> I think it doesn't work... If you have an Internet-connected
> webserver and
> there is a requirement to establish a connection over the local network to
> the Internet, the webserver tries to respond over its own Internet connection,
> because the server knows a different way to the Internet than your firewall.
>
> That's why.
>
> Tomfi
>
>
> Makara wrote:
> > Hi all,
> >
> > I have 2 internet connections: IP $ipinet1 for other
> > traffic and $ipinet2 for mail. It works properly.
> > I want to allow connections from the internet to connect
> > to my local web server (172.16.0.4) via $ipinet1, so I
> > do port forwarding:
> >
> > iptables -A PREROUTING -t nat -i $ifinet1 -d $ipinet1 -p tcp --dport 80 -j DNAT --to 172.16.0.4:80
> >
> > I allow a FORWARD rule from the firewall to my local
> > webserver:
> >
> > iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> >
> > iptables -A FORWARD -p tcp --dport 80 -i $ifinet1 -o $iflocalnet -j ACCEPT
> >
> > I don't know why it does work? If you have any idea
> > please help.
> >
> > Thanks
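
Added example, not part of the original thread and not any poster's code: an offline Python check of an iptables-save dump for two things the rules in this thread depend on, namely that the FORWARD chain matches the destination as rewritten by PREROUTING DNAT, and that replies need an ESTABLISHED rule when the FORWARD policy is restrictive. The dump is constructed, 203.0.113.10, eth0 and eth1 are placeholders, one FORWARD rule deliberately matches the public address, and the function names are illustrative.

```python
import ipaddress
import shlex
# Constructed iptables-save dump modelled on the thread's rules (placeholder address and interfaces).
SAMPLE = """\
*nat
-A PREROUTING -d 203.0.113.10/32 -i eth0 -p tcp --dport 80 -j DNAT --to-destination 172.16.0.4:80
-A PREROUTING -d 203.0.113.10/32 -i eth0 -p tcp --dport 5900 -j DNAT --to-destination 192.168.1.6:5900
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -o eth1 -p tcp --dport 80 -j ACCEPT
-A FORWARD -d 203.0.113.10/32 -i eth0 -p tcp --dport 5900 -j ACCEPT
COMMIT
"""

def parse(dump):
    table, policies, rules = None, {}, []
    for line in map(str.strip, dump.splitlines()):
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith(":"):
            policies[(table, line[1:].split()[0])] = line.split()[1]
        elif line.startswith("-A "):
            tok, opts, i = shlex.split(line), {}, 2
            while i < len(tok):  # pair each option with its value; "!" negation is not modelled
                has_val = i + 1 < len(tok) and not tok[i + 1].startswith("-")
                opts[tok[i]] = tok[i + 1] if has_val else ""
                i += 2 if has_val else 1
            rules.append((table, tok[1], opts))
    return policies, rules

def accepts_new(r, ip, port, proto):
    state = r.get("--state", "") + r.get("--ctstate", "")  # ESTABLISHED-only rules never match a first SYN
    ok = (not state or "NEW" in state) and r.get("-p", proto) == proto and r.get("--dport", port) == port
    return ok and ipaddress.ip_address(ip) in ipaddress.ip_network(r.get("-d", "0.0.0.0/0"), strict=False)

def audit(dump):
    policies, rules = parse(dump)
    open_fwd = policies.get(("filter", "FORWARD")) == "ACCEPT"  # explicit DROP/REJECT rules are not modelled
    fwd = [o for t, c, o in rules if (t, c) == ("filter", "FORWARD") and o.get("-j") == "ACCEPT"]
    dnat = [] if open_fwd else [o for t, c, o in rules if t == "nat" and o.get("-j") == "DNAT"]
    findings = []
    for o in dnat:  # FORWARD sees the address and port after PREROUTING DNAT has rewritten them
        ip, _, port = (o.get("--to-destination") or o.get("--to", "")).partition(":")
        if not any(accepts_new(r, ip, port or o.get("--dport", ""), o.get("-p")) for r in fwd):
            findings.append(f"no FORWARD ACCEPT for new connections to {ip}:{port}")
    if dnat and not any("ESTABLISHED" in r.get("--state", "") + r.get("--ctstate", "") for r in fwd):
        findings.append("no ESTABLISHED rule in FORWARD for replies from DNAT targets")
    return findings
```

Calling audit(SAMPLE) flags the port 5900 rule, which matches the public address instead of 192.168.1.6, and the missing ESTABLISHED rule; feed it the output of iptables-save from the firewall to check a live rule set.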