Port forwarding with iptables ???

 
 
Joe Attardi
05-10-2004, 01:41 AM
Hi all,

I've read countless posts on this and still can't seem to figure it out.
Here's my situation.

On my Linux router box I have eth0, which is connected to the internal
network 192.168.0.1, and eth1 which is connected to my cable modem and the
Internet. On a machine in my internal network, 192.168.0.254, I am running a
web server on port 8080 and want to forward connections received on the
Linux box from the Internet to be forwarded to 192.168.0.254:8080, so:

eth1:outside internet:8080 --forward--> eth0:192.168.0.254:8080

No matter what I try, I can't get this to work. I flushed all other rules,
set all the policies to ACCEPT, and here are the rules I'm trying to use to
accomplish the forwarding:

iptables -t nat -A PREROUTING -p tcp -i eth1 -o eth0 -d <internet IP> --dport 8080 -j DNAT --to 192.168.0.254:8080

iptables -A FORWARD -p tcp -i eth0 -o eth0 -d 192.168.0.254 --dport 8080 -j ACCEPT

But even with these rules, I just get a 'Connection refused' error.

Can anyone help?

Joe


 
 
 
 
 
Andre Majorel
05-10-2004, 01:49 AM
On 2004-05-10, Joe Attardi <(E-Mail Removed)> wrote:

> On my Linux router box I have eth0, which is connected to the internal
> network 192.168.0.1, and eth1 which is connected to my cable modem and the
> Internet. On a machine in my internal network, 192.168.0.254, I am running a
> web server on port 8080 and want to forward connections received on the
> Linux box from the Internet to be forwarded to 192.168.0.254:8080, so:
>
> eth1:outside internet:8080 --forward--> eth0:192.168.0.254:8080
>
> No matter what I try, I can't get this to work. I flushed all other rules,
> set all the policies to ACCEPT, and here are the rules I'm trying to use to
> accomplish the forwarding:
>
> iptables -t nat -A PREROUTING -p tcp -i eth1 -o eth0 -d <internet IP> --dport 8080 -j DNAT --to 192.168.0.254:8080
>
> iptables -A FORWARD -p tcp -i eth0 -o eth0 -d 192.168.0.254 --dport 8080 -j ACCEPT
>
> But even with these rules, I just get a 'Connection refused' error.


Can't comment on the rules off the top of my head, but did you

echo 1 >/proc/sys/net/ipv4/ip_forward

?

--
André Majorel <URL:http://www.teaser.fr/~amajorel/>
1, 2, 3... Testing... Does this thing work ?
 
 
Joe Attardi
05-10-2004, 04:24 AM
Hi Andre,

I did enable IP forwarding, as I am using this linux router to share the
internet connection across my network. I can get on the internet from the
other machines, so IP forwarding is definitely enabled..

Joe

"Andre Majorel" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On 2004-05-10, Joe Attardi <(E-Mail Removed)> wrote:
>
> > On my Linux router box I have eth0, which is connected to the internal
> > network 192.168.0.1, and eth1 which is connected to my cable modem and the
> > Internet. On a machine in my internal network, 192.168.0.254, I am running a
> > web server on port 8080 and want to forward connections received on the
> > Linux box from the Internet to be forwarded to 192.168.0.254:8080, so:
> >
> > eth1:outside internet:8080 --forward--> eth0:192.168.0.254:8080
> >
> > No matter what I try, I can't get this to work. I flushed all other rules,
> > set all the policies to ACCEPT, and here are the rules I'm trying to use to
> > accomplish the forwarding:
> >
> > iptables -t nat -A PREROUTING -p tcp -i eth1 -o eth0 -d <internet IP> --dport 8080 -j DNAT --to 192.168.0.254:8080
> >
> > iptables -A FORWARD -p tcp -i eth0 -o eth0 -d 192.168.0.254 --dport 8080 -j ACCEPT
> >
> > But even with these rules, I just get a 'Connection refused' error.
>
> Can't comment on the rules off the top of my head, but did you
>
> echo 1 >/proc/sys/net/ipv4/ip_forward
>
> ?
>
> --
> André Majorel <URL:http://www.teaser.fr/~amajorel/>
> 1, 2, 3... Testing... Does this thing work ?



 
 
/dev/rob0
05-10-2004, 05:02 AM
On Mon, 10 May 2004 01:41:22 +0000, Joe Attardi wrote:
> I've read countless posts on this and still can't seem to figure it out.


iptables is not easy to figure out at first, but once you do it gets
easier.

> eth1:outside internet:8080 --forward--> eth0:192.168.0.254:8080
> [snip]
> iptables -t nat -A PREROUTING -p tcp -i eth1 -o eth0 -d <internet IP> --dport 8080 -j DNAT --to 192.168.0.254:8080


Did you try running this at the command line? If you had I think you
would have gotten an error here. "man iptables", see the "-o"
parameter: you can't have that in PREROUTING. Take it out.

Check the packet counters as you attempt connections. Do they increment
by one for each attempt? Of course this one won't because it's not in
your NAT table rules.

> iptables -A FORWARD -p tcp -i eth0 -o eth0 -d 192.168.0.254 --dport 8080 -j ACCEPT


But the ones coming in from the outside (eth1) will NOT be matched.
This is a bad rule too (but it wouldn't get an error.) I'd leave off
the interfaces; obviously the routing table will say that 192.168.0.254
goes out eth0.
--
/dev/rob0 - preferred_email=i$((28*28+28))@softhome.net
or put "not-spam" or "/dev/rob0" in Subject header to reply
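
Added example (not part of the original posts): a small POSIX shell check for the two problems pointed out in the reply above, an -o match in PREROUTING and a FORWARD rule whose -i and -o name the same interface. It only parses rule text and applies nothing; lint_rule, the finding names and the 203.0.113.10 address standing in for <internet IP> are assumptions made for this example.

```shell
#!/bin/sh
# Added example: text-only lint for the two rule mistakes discussed above.
# lint_rule and the finding names are hypothetical; nothing is applied.

lint_rule() {
    chain='' in_if='' out_if='' prev='' findings=''
    for word in $1; do                # deliberate word splitting
        case $prev in
            -A|-I) chain=$word ;;
            -i)    in_if=$word ;;
            -o)    out_if=$word ;;
        esac
        prev=$word
    done
    # man iptables: -o applies to the FORWARD, OUTPUT and POSTROUTING
    # chains only, so it has no place in PREROUTING or INPUT.
    if [ -n "$out_if" ]; then
        case $chain in
            PREROUTING|INPUT)
                findings="out-interface-in-$chain" ;;
        esac
    fi
    # A FORWARD rule with identical -i and -o matches only packets that
    # enter and leave on that one interface, never WAN-to-LAN traffic.
    if [ "$chain" = FORWARD ] && [ -n "$in_if" ] && [ "$in_if" = "$out_if" ]; then
        findings="${findings:+$findings,}same-in-and-out-interface"
    fi
    echo "${findings:-ok}"
}

WAN_IP=203.0.113.10   # constructed stand-in for <internet IP>

# The two rules as posted in the question.
ORIG_NAT="iptables -t nat -A PREROUTING -p tcp -i eth1 -o eth0 -d $WAN_IP --dport 8080 -j DNAT --to 192.168.0.254:8080"
ORIG_FWD="iptables -A FORWARD -p tcp -i eth0 -o eth0 -d 192.168.0.254 --dport 8080 -j ACCEPT"

# The same rules with the changes suggested in the reply: drop -o from
# PREROUTING and leave the interfaces off the FORWARD rule.
FIXED_NAT="iptables -t nat -A PREROUTING -p tcp -i eth1 -d $WAN_IP --dport 8080 -j DNAT --to 192.168.0.254:8080"
FIXED_FWD="iptables -A FORWARD -p tcp -d 192.168.0.254 --dport 8080 -j ACCEPT"

for r in "$ORIG_NAT" "$ORIG_FWD" "$FIXED_NAT" "$FIXED_FWD"; do
    printf '%s\n  -> %s\n' "$r" "$(lint_rule "$r")"
done
```

For the packet counters the reply mentions, `iptables -t nat -L PREROUTING -n -v` and `iptables -L FORWARD -n -v` list per-rule packet and byte counts.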

 
 
Joe Attardi
05-10-2004, 11:45 PM
I did run those at the command line, but I didn't get any errors.
I've tried just about any variant of those rules I could find on the Web or
usenet.

Interestingly, though, one test I did was instead of jumping to DNAT, I
simply jumped to LOG, to see if any packets even were picked up by this
rule, and they were. Every time I sent a request to the port in question it
logged the packets. The same holds true for the FORWARD rule. So the packets
are matching... but... ugh, I dunno. :-)

Joe

"/dev/rob0" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On Mon, 10 May 2004 01:41:22 +0000, Joe Attardi wrote:
> > I've read countless posts on this and still can't seem to figure it out.

>
> iptables is not easy to figure out at first, but once you do it gets
> easier.
>
> > eth1:outside internet:8080 --forward--> eth0:192.168.0.254:8080
> > [snip]
> > iptables -t nat -A PREROUTING -p tcp -i eth1 -o eth0 -d <internet IP> --dport 8080 -j DNAT --to 192.168.0.254:8080
>
> Did you try running this at the command line? If you had I think you
> would have gotten an error here. "man iptables", see the "-o"
> parameter: you can't have that in PREROUTING. Take it out.
>
> Check the packet counters as you attempt connections. Do they increment
> by one for each attempt? Of course this one won't because it's not in
> your NAT table rules.
>
> > iptables -A FORWARD -p tcp -i eth0 -o eth0 -d 192.168.0.254 --dport 8080 -j ACCEPT
>
> But the ones coming in from the outside (eth1) will NOT be matched.
> This is a bad rule too (but it wouldn't get an error.) I'd leave off
> the interfaces; obviously the routing table will say that 192.168.0.254
> goes out eth0.
> --
> /dev/rob0 - preferred_email=i$((28*28+28))@softhome.net
> or put "not-spam" or "/dev/rob0" in Subject header to reply
>



 