This is a discussion on Problem with port forwarding config (iptables) within the Linux Networking forums, part of the Linux Forums category.
Hi all,
I'm trying to set up port forwarding for a webcam feed (using Windows Media Encoder 9) from a computer inside my internal network. I can connect to it directly from inside the network, but whenever I try to connect to it through my router it doesn't connect (with Media Player kicking back some "network error" message that isn't useful).

The iptables config in my router looks like this:

    *nat
    [...snippet...]
    -A PREROUTING -p tcp -m tcp --dport 6666 -j DNAT --to-destination 192.168.10.20:8080

    *filters
    [...snippet...]
    -A INPUT -p tcp -m tcp --dport 6666 -j ACCEPT

I have obviously not included most of my iptables file. If you need anything else from it let me know -- or ask and I can tell you about the config.

Now, when I access http://192.168.10.20:8080 through Windows Media Player from inside the network I can see the feed. But when I access it through http://myserver.com:6666 it continually fails to connect (where my router is "myserver.com"; if I use its IP directly I get the same error).

I would appreciate any help on this problem whatsoever.

Thanks in advance.
Hello,
Daryl wrote:
>
> I'm trying to set up port forwarding for a webcam feed (using Windows
> Media Encoder 9) from a computer inside my internal network. I can
> connect to it directly from inside the network, but whenever I try to
> connect to it through my router it doesn't connect (with Media Player
> kicking back some "network error" message that isn't useful.
>
> The iptables config in my router looks like this:
>
> *nat
> [...snippet...]
> -A PREROUTING -p tcp -m tcp --dport 6666 -j DNAT --to-destination
> 192.168.10.20:8080
>
> *filters
> [...snippet...]
> -A INPUT -p tcp -m tcp --dport 6666 -j ACCEPT

Wrong rule. The correct rule must be in the FORWARD chain and match destination port 8080 in order to catch the forwarded packets. Also, matching on the destination address won't harm and will add some extra security:

    -A FORWARD -d 192.168.10.20 -p tcp -m tcp --dport 8080 -j ACCEPT

And of course you also need to accept the reply packets.

> Now, when I access http://192.168.10.20:8080 through Windows Media
> Player from inside the network I can see the feed. But when I access
> it through http://myserver.com:6666 it continually fails to connect
> (where my router is "myserver.com"; if I use its IP directly I get the
> same error).

From inside the network? It's a common issue due to asymmetric routing (NAT does not like it). Add the following rule to force reply packets from the server to go back to the router and try again:

    -A POSTROUTING -s 192.168.10.0/24 -d 192.168.10.20 \
      -p tcp -m tcp --dport 8080 -j SNAT --to <router_lan_address>
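Added example, not part of the original posts: a simplified Python model of the netfilter hook order (nat PREROUTING, routing decision, filter, nat POSTROUTING) applied to the rules quoted in this thread, showing why the INPUT rule on port 6666 never sees the forwarded packet and why a LAN client needs the SNAT rule. Assumptions not stated in the thread: filter policies default to DROP, the router owns 203.0.113.1 (WAN) and 192.168.10.1 (LAN), the server's default gateway is the router, and the client addresses are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses (assumptions, not from the thread).
ROUTER = {"203.0.113.1", "192.168.10.1"}      # WAN and LAN addresses of the router
LAN = ip_network("192.168.10.0/24")
SERVER = ("192.168.10.20", 8080)              # DNAT target from the thread

# filter rules as (chain, destination or None, destination port)
ORIGINAL = [("INPUT", None, 6666)]            # rule from the question
FIXED = [("FORWARD", "192.168.10.20", 8080)]  # rule from the answer

def traverse(src, dst, dport, filter_rules, snat=False):
    """Walk one new TCP connection through the hooks.

    Returns (verdict, filter chain used, source address the server sees)."""
    # nat PREROUTING: --dport 6666 -j DNAT --to-destination 192.168.10.20:8080
    if dport == 6666:
        dst, dport = SERVER
    # The routing decision is taken AFTER DNAT, on the rewritten destination:
    # the packet is no longer addressed to the router, so it is forwarded.
    chain = "INPUT" if dst in ROUTER else "FORWARD"
    # filter table: an ACCEPT rule must match the post-DNAT address and port,
    # otherwise the assumed DROP policy applies.
    accepted = any(c == chain and p == dport and d in (None, dst)
                   for c, d, p in filter_rules)
    if not accepted:
        return ("DROP", chain, None)
    # nat POSTROUTING: -s 192.168.10.0/24 -d 192.168.10.20 --dport 8080 -j SNAT
    if snat and ip_address(src) in LAN and (dst, dport) == SERVER:
        src = "192.168.10.1"
    return ("ACCEPT", chain, src)

def reply_reaches_router(src_seen_by_server):
    """The reply is translated back only if it passes through the router.

    A peer on the server's own subnet is answered directly (on-link), so the
    client receives a reply from 192.168.10.20:8080 that it never contacted."""
    return (src_seen_by_server in ROUTER
            or ip_address(src_seen_by_server) not in LAN)

if __name__ == "__main__":
    cases = [("external, original rule", "198.51.100.7", ORIGINAL, False),
             ("external, FORWARD rule", "198.51.100.7", FIXED, False),
             ("LAN client, no SNAT", "192.168.10.50", FIXED, False),
             ("LAN client, SNAT", "192.168.10.50", FIXED, True)]
    for name, src, rules, snat in cases:
        verdict, chain, seen = traverse(src, "203.0.113.1", 6666, rules, snat)
        ok = verdict == "ACCEPT" and reply_reaches_router(seen)
        print(f"{name:26} {chain:8} {verdict:6} works={ok}")
```
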