iptables q (Networking Forums, Linux Networking)
 
 
Coenraad Loubser
      03-10-2005, 06:53 PM
I've got a webserver running on port 80. Why can't external sites access it
after I execute the following? The intended port gets through... but I
suspect everything else goes to the forwarded
port too...

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 5678 -j DNAT --to-dest 192.168.0.95
iptables -A FORWARD -p tcp -i eth0 --dport 5678 -d 192.168.0.95 -j ACCEPT




 
Jose Maria Lopez Hernandez
      03-10-2005, 07:11 PM
Coenraad Loubser wrote:
> I've got a webserver running on port 80. Why can't external sites access it
> after I execute the following? The intended port gets through... but I
> suspect everything else goes to the forwarded
> port too...
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 5678 -j DNAT --to-dest 192.168.0.95
> iptables -A FORWARD -p tcp -i eth0 --dport 5678 -d 192.168.0.95 -j ACCEPT


If you've got the webserver running on port 80 then you should change
your rules to:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 5678 -j DNAT --to-dest 192.168.0.95:80
iptables -A FORWARD -p tcp -i eth0 --dport 80 -d 192.168.0.95 -j ACCEPT

Regards.

--

Jose Maria Lopez Hernandez
Technical Director of bgSEC
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA

Coenraad Loubser
      03-11-2005, 12:38 PM
Sorry, I've rephrased the question in a new post...

I don't want 5678 to go to port 80 (handy syntax, though).

The command is executed on a machine, 192.168.0.1, that gets all incoming
connections. If something connects on port 5678 I want it to go to
192.168.0.95.

But when I execute iptables -A FORWARD -p tcp -i eth0 bla ba it kills my
webserver on 192.168.0.1.

Any ideas why this is?
That line, to me, looks like an "allow" line. I don't have any "block all"
lines, so I suspect that as soon as I enter that, it automatically presumes
that it should ONLY accept these connections...

Hmmm..

Damn, I'm sure the syntax for these silly commands could be just a little
more simplified...!

Thanks anyway


 
Jarek
      04-19-2005, 12:34 PM
Hi!

Coenraad Loubser wrote:
> I've got a webserver running on port 80. Why can't external sites access it
> after I execute the following? The intended port gets through... but I
> suspect everything else goes to the forwarded
> port too...
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 5678 -j DNAT --to-dest 192.168.0.95
> iptables -A FORWARD -p tcp -i eth0 --dport 5678 -d 192.168.0.95 -j ACCEPT


What about reverse NAT (SNAT, MASQUERADE)?
Do you think that the client will accept an ACK coming from 192.168.0.95?

regards
Jarek
 
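An added example, not part of the thread and not any poster's script, that puts the two replies together: the port-translating DNAT from Jose's answer (public 5678 to 192.168.0.95:80, with the FORWARD rule matching the port as it is after translation) and the MASQUERADE and forwarding baseline that Jarek's question points at. Two facts worth keeping in mind when reading it: nat/PREROUTING rewrites the destination before routing, so filter/FORWARD sees the packet with the new destination port (80 here, not 5678), and FORWARD is traversed only by routed packets, so a service listening on the gateway itself, such as the webserver on 192.168.0.1:80, is governed by INPUT and is untouched by these rules. The interface names eth0 (WAN) and eth1 (LAN) and the 192.168.0.0/24 network are assumed values. The script prints the rules for review by default and applies them only when run with `apply`.

```shell
#!/bin/sh
# Added example (not the original poster's script): rule set for forwarding
# one public TCP port on a Linux gateway to a LAN host, optionally to a
# different port there. Interfaces, addresses and ports are assumed values.
set -eu

WAN_IF="${WAN_IF:-eth0}"             # assumed: interface facing the Internet
LAN_IF="${LAN_IF:-eth1}"             # assumed: interface facing the LAN
LAN_NET="${LAN_NET:-192.168.0.0/24}" # assumed: LAN address range

# Rules every NAT gateway needs, independent of any port forward:
# default-deny for routed traffic, allow replies, allow LAN hosts out,
# and source-NAT only traffic that really originates on the LAN.
baseline_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -s $LAN_NET -o $WAN_IF -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}

# forward_rules PUBLIC_PORT TARGET_IP TARGET_PORT
# DNAT runs in nat/PREROUTING, before the routing decision. filter/FORWARD
# then sees the packet with its rewritten destination, so the ACCEPT must
# match TARGET_PORT, not PUBLIC_PORT. Only the matched port is rewritten;
# all other traffic keeps its original destination. INPUT is not touched.
forward_rules() {
  cat <<EOF
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $1 -j DNAT --to-destination $2:$3
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $2 --dport $3 -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# verify_cmds PUBLIC_PORT
# Commands to confirm the rules are in place (packet counters increment on
# a hit) and to watch the translation conntrack is doing for a connection.
verify_cmds() {
  cat <<EOF
iptables -t nat -L PREROUTING -n -v --line-numbers
iptables -L FORWARD -n -v --line-numbers
conntrack -L -p tcp --orig-port-dst $1
EOF
}

if [ "${1:-}" = apply ]; then
  # Apply for real: requires root and iptables on this host.
  { baseline_rules; forward_rules 5678 192.168.0.95 80; } | sh -e
else
  # Default: print the rule set for review, then the verification commands.
  baseline_rules
  forward_rules 5678 192.168.0.95 80
  verify_cmds 5678
fi
```

To forward 5678 to the same port on the target, call `forward_rules 5678 192.168.0.95 5678` instead; either way the FORWARD rule keeps matching the translated port. After applying, the `pkts` column of `iptables -t nat -L PREROUTING -n -v` tells you whether the DNAT rule is being hit at all, and the conntrack entry shows the original and reply tuples, which is why no extra SNAT is needed for the return path as long as 192.168.0.95 routes its replies back through this gateway.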
 
 
 