iptables: port forwarding and hardware router

 
 
Tom H. Lautenbacher

 
      09-17-2003, 01:54 PM
Hello NG,

I have the following configuration:

INTERNET
|
|
DSL-ROUTER (PPPoATM)
192.168.1.1
|
| LINUX SERVER
|------- eth1 (192.168.1.2)
|
|------- eth0 (192.168.0.1) (DNS, DHCP)
|
SWITCH
/ | \
/ | \
PC PC PC
(192.168.0.xxx)

*****************************************

The devices are configured like this:

Router: (192.168.1.1)
===============
2 routes are configured. I can't set up more details, like ports etc, only
the following:
Destination GW/Interface Netmask
0.0.0.0 <external IP> 0.0.0.0
192.168.0.0 192.168.1.2 255.255.255.0

Linux- Server:
==========
2 NICs:
eth0 connected to switch, 192.168.0.1
eth1 connected to router, 192.168.1.2

/etc/sysconfig/network/routes:
default 192.168.1.1 - -

iptables:
modprobe iptable_nat
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o ippp0 -j MASQUERADE
iptables -A PREROUTING -t nat -p tcp --dport 1000 -j DNAT
... --to 192.168.0.150:1000

/etc/dhcp.conf:
option routers 192.168.0.1;

Clients:
======
(receive all settings via DHCP)

*****************************************

With these settings, everything works fine, all clients can send and receive
data from the internet.

My Problem:
The port forwarding doesn't seem to work. The client 192.168.0.150 doesn't
get port 1000 forwarded, but reports a "firewalled-mode". Can anybody tell
me, why?

Thanx a lot!

Tom.


 
 
 
 
 
Allan Bruce

 
      09-17-2003, 04:23 PM
> iptables:
> modprobe iptable_nat
> echo "1" > /proc/sys/net/ipv4/ip_forward
> iptables -t nat -A POSTROUTING -o ippp0 -j MASQUERADE
> iptables -A PREROUTING -t nat -p tcp --dport 1000 -j DNAT
> ... --to 192.168.0.150:1000
>


....

> My Problem:
> The port forwarding doesn't seem to work. The client 192.168.0.150 doesn't
> get port 1000 forwarded, but reports a "firewalled-mode". Can anybody tell
> me, why?
>


You need to have a FORWARD rule in the chain too, e.g.

iptables -A PREROUTING -t nat -p tcp --dport 1000 -j DNAT --to 192.168.0.150
iptables -A FORWARD -p tcp --dport 1000 -j ACCEPT

HTH
Allan
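
Whether the extra FORWARD rule is needed depends on the filter table's FORWARD policy and existing rules, which the thread does not show. The following is an added example, not part of any post in this thread: a shell function that reads `iptables-save` output and reports, for each DNAT rule, whether the FORWARD chain would pass the translated connection. The sample dump, the function names and the verdict labels are constructed for illustration, and the matching is deliberately simplified.

```shell
# Added example: report, for each DNAT rule in an iptables-save dump, whether the
# filter FORWARD chain passes it. Simplified: rule order and interfaces are ignored.
check_dnat_forward() {
  awk '
    BEGIN { policy = "ACCEPT" }          # default when no filter table is dumped
    /^\*/ { table = substr($1, 2); next }
    table == "filter" && $1 == ":FORWARD" { policy = $2; next }
    $1 != "-A" { next }
    {
      split("", opt)                     # clear the per-rule option map
      for (i = 3; i < NF; i++) opt[$i] = $(i + 1)
      st = opt["--state"] opt["--ctstate"]; dst = opt["-d"]; sub(/\/32$/, "", dst)
    }
    table == "nat" && $2 == "PREROUTING" && opt["-j"] == "DNAT" {
      n++; d_to[n] = opt["--to-destination"]; split(d_to[n], hp, ":")
      d_proto[n] = opt["-p"]; d_ip[n] = hp[1]
      # FORWARD sees the packet after DNAT, so compare the translated port.
      d_port[n] = (hp[2] != "") ? hp[2] : opt["--dport"]
    }
    # A rule limited to ESTABLISHED,RELATED does not admit the first SYN.
    table == "filter" && $2 == "FORWARD" && opt["-j"] == "ACCEPT" && (st == "" || st ~ /NEW/) {
      m++; f_proto[m] = opt["-p"]; f_port[m] = opt["--dport"]; f_dst[m] = dst
    }
    END {
      for (k = 1; k <= n; k++) {
        verdict = (policy == "ACCEPT") ? "ALLOWED-BY-POLICY" : "BLOCKED"
        for (j = 1; j <= m; j++)
          if ((f_proto[j] == "" || f_proto[j] == d_proto[k]) &&
              (f_port[j] == "" || f_port[j] == d_port[k]) &&
              (f_dst[j] == "" || f_dst[j] == d_ip[k]))
            verdict = "ALLOWED-BY-RULE"
        printf "%s %s/%s -> %s\n", verdict, d_proto[k], d_port[k], d_to[k]
      }
    }'
}
# Constructed sample dump (not from the thread), trimmed to the relevant lines.
sample_dump() {
  cat <<'EOF'
*nat
-A PREROUTING -p tcp -m tcp --dport 1000 -j DNAT --to-destination 192.168.0.150:1000
-A PREROUTING -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.0.151:22
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.150/32 -p tcp -m tcp --dport 1000 -j ACCEPT
COMMIT
EOF
}
sample_dump | check_dnat_forward
```

On a live gateway the same function can be fed with `iptables-save | check_dnat_forward` as root.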


 
 
the seventh sign

 
      09-18-2003, 09:33 AM

"Tom H. Lautenbacher" <(E-Mail Removed)> wrote in message
news:bk9pa8$r51ju$(E-Mail Removed)...
> Hello NG,
>
> I have the following configuration:
>
> INTERNET
> |
> |
> DSL-ROUTER (PPPoATM)
> 192.168.1.1
> |
> | LINUX SERVER
> |------- eth1 (192.168.1.2)
> |
> |------- eth0 (192.168.0.1) (DNS, DHCP)
> |
> SWITCH
> / | \
> / | \
> PC PC PC
> (192.168.0.xxx)
>
> *****************************************
>
> The devices are configured like this:
>
> Router: (192.168.1.1)
> ===============
> 2 routes are configured. I can't set up more details, like ports etc, only
> the following:
> Destination GW/Interface Netmask
> 0.0.0.0 <external IP> 0.0.0.0
> 192.168.0.0 192.168.1.2 255.255.255.0
>
> Linux- Server:
> ==========
> 2 NICs:
> eth0 connected to switch, 192.168.0.1
> eth1 connected to router, 192.168.1.2
>
> /etc/sysconfig/network/routes:
> default 192.168.1.1 - -
>
> iptables:
> modprobe iptable_nat
> echo "1" > /proc/sys/net/ipv4/ip_forward
> iptables -t nat -A POSTROUTING -o ippp0 -j MASQUERADE
> iptables -A PREROUTING -t nat -p tcp --dport 1000 -j DNAT
> ... --to 192.168.0.150:1000
>
> /etc/dhcp.conf:
> option routers 192.168.0.1;
>
> Clients:
> ======
> (receive all settings via DHCP)
>
> *****************************************
>
> With these settings, everything works fine, all clients can send and receive
> data from the internet.
>
> My Problem:
> The port forwarding doesn't seem to work. The client 192.168.0.150 doesn't
> get port 1000 forwarded, but reports a "firewalled-mode". Can anybody tell
> me, why?
>
> Thanx a lot!
>
> Tom.
>


In Mandrake's version of networking I had to change the 192.168.0.1 to
192.168.1.1; for some strange reason the networking doesn't like the .0. in
there in Linux.

INTERNET
|
|
DSL-ROUTER (PPPoATM)
192.168.1.1
|
| LINUX SERVER
|------- eth1 (192.168.1.2) netmask 0.0.0.0
|
|------- eth0 (192.168.2.1) (DNS, DHCP) netmask 255.255.255.0 ****
|
SWITCH (Check to see if the uplink is being used to send the data to eth0?
not necessarily turned on, just plugged in to that port)
/ | \
/ | \
PC PC PC (if any of these PCs are running Windows anything, run the
internet connection wizard and set up the ether card that way)
(192.168.2.xxx) netmask 255.255.255.0 ****

**** = Here is where I would make the changes!

As far as the firewall goes I haven't a clue.
This is just from the hardware standpoint.
TSS



 
 
Allan Bruce

 
      09-18-2003, 12:31 PM
> In Mandrake's version of networking I had to change the 192.168.0.1 to
> 192.168.1.1; for some strange reason the networking doesn't like the .0. in
> there in Linux.


That's interesting, I have Mandrake 9.1 installed and am using a 192.168.0.x
subnet for my LAN. What version of Mandrake are you running?


 