Avi <(E-Mail Removed)> wrote:
[iptables script]
For fixing iptables problems the output of iptables-save would
be better. What I miss is the default policy of the involved
chains. Check the FORWARD chain in particular. Make sure that
the traffic is allowed in the FORWARD chain in both directions.
I would also completely rewrite the script to deny by default
and just allow certain traffic through. I would also propose
to look into connection tracking and decide whether it would
make your script more straightforward. See
http://iptables-tutorial.frozentux.n...-tutorial.html
for further information.
> I'm trying to allow
> access via ssh to a machine within the internal network. The problem
> is when I connect from outside, it hangs, it does not refuse the
> connection, it just hangs there trying to connect. It seems to work
> half-way but not completely, am I missing something?
Use tcpdump/ethereal to check how far your traffic travels
or use the iptables LOG action before any DROP rule for
debugging. Inspecting the counters listed via iptables-save
is also sometimes helpful to detect where the packets are
dropped.
HTH
Ciao, Horst
--
»When pings go wrong (It hurts me too)« E.Clapton/E.James/P.Tscharn
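
An added example, not part of Horst's reply or of the original script: a Python check over `iptables-save -c` output that applies the counter inspection suggested above to the FORWARD chain (default policy, drop counters, return-path rule). The sample ruleset, interface names and finding codes are constructed for illustration.

```python
import re

# Constructed sample of `iptables-save -c` output (not from the thread): inbound
# SSH is forwarded, but the return-path rule matches the wrong source port.
SAMPLE = """\
*filter
:INPUT ACCEPT [120:9600]
:FORWARD DROP [9:540]
:OUTPUT ACCEPT [80:6400]
[9:540] -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A FORWARD -i eth1 -o eth0 -p tcp -m tcp --sport 2222 -j ACCEPT
COMMIT
"""

CHAIN_RE = re.compile(r"^:(\S+) (\S+) \[(\d+):\d+\]$")   # :FORWARD DROP [pkts:bytes]
RULE_RE = re.compile(r"^\[(\d+):\d+\] -A (\S+) (.*)$")   # [pkts:bytes] -A CHAIN spec

def parse(text):
    """Return ({chain: (policy, packets)}, [(chain, packets, spec)]) for *filter."""
    policies, rules, table = {}, [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter" and (m := CHAIN_RE.match(line)):
            policies[m[1]] = (m[2], int(m[3]))
        elif table == "filter" and (m := RULE_RE.match(line)):
            rules.append((m[2], int(m[1]), m[3]))
    return policies, rules

def diagnose(text, chain="FORWARD"):
    """List (code, detail) findings that show where packets are being dropped."""
    policies, rules = parse(text)
    rules = [r for r in rules if r[0] == chain]
    policy, hits = policies.get(chain, ("?", 0))
    findings = []
    if policy == "DROP" and hits:
        findings.append(("policy-drop-hit", f"{chain} policy dropped {hits} packets"))
    for _, pkts, spec in rules:
        target = spec.rsplit("-j ", 1)[-1].split()[0]
        if target in ("DROP", "REJECT") and pkts:
            findings.append(("rule-drop-hit", f"{pkts} packets: {spec}"))
        elif target == "ACCEPT" and pkts == 0:
            findings.append(("unused-accept", f"never matched: {spec}"))
    if not any("ESTABLISHED" in spec for _, _, spec in rules):
        findings.append(("no-conntrack", f"no ESTABLISHED rule in {chain}"))
    return findings

if __name__ == "__main__":
    print(*diagnose(SAMPLE), sep="\n")
```

On a real gateway, feed it the text of `iptables-save -c` taken after a failed connection attempt so the counters reflect that attempt.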