Another iptables question
Posted: Thu Apr 20, 2006 6:00 pm
by a94060
Hi, I am trying to do a port forward from my Linux server right now. Basically, my goal is to forward port 6666 from my server to another computer listening on port 5800. I think that I'm trying to do NAT and routing.
I have tried this so far:
Code:
IPTABLES -t nat -I PREROUTING -p tcp -i $EXTIF --dport 6666 -j DNAT --to 10.10.10.4:5800
IPTABLES -A FORWARD -i $EXTIF -o 10.10.10.4 -p tcp --dport 6666 -j ACCEPT
Posted: Fri Apr 28, 2006 7:16 am
by aeav
Yes, it's a NAT rule. Try it:
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.0.64 --dport 6666 -j DNAT --to 192.168.0.2:5800
iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.2 --dport 5800 -j ACCEPT
For example, here I'm forwarding 192.168.0.64:6666 to 192.168.0.2:5800.
The difference is that I'm using the "-d" option and...
Posted: Fri Apr 28, 2006 10:18 am
by a94060
OK, thanks. I will try this once I get home. Do you know how I can do this in FireHOL (just if you use it)?
Posted: Fri Apr 28, 2006 2:36 pm
by aeav
OK a94060, about FireHOL: I don't use this tool, so I can't help with it.
Posted: Fri Apr 28, 2006 3:26 pm
by a94060
That's OK, I will just put those lines in and put my values into them.
Posted: Fri Apr 28, 2006 3:50 pm
by aeav
We're waiting!

Posted: Fri Apr 28, 2006 7:12 pm
by a94060
This is the output (does not work):
Code:
ftp:/ftp/ROMS# iptables -A FORWARD -p tcp -i eth0 -d 10.10.10.4:5800 --dport 5800 -j ACCEPT
iptables v1.2.11: host/network `10.10.10.4:5800' not found
Try `iptables -h' or 'iptables --help' for more information.
ftp:/ftp/ROMS#
I'm sure that there is a computer at 10.10.10.4.
Posted: Fri Apr 28, 2006 9:38 pm
by aeav
Strange...
Is /proc/sys/net/ipv4/ip_forward enabled?
# echo 1 > /proc/sys/net/ipv4/ip_forward
Posted: Sat Apr 29, 2006 6:25 am
by a94060
I did the command twice and this is what I see:
Code:
ftp:/home/avi# echo 1 > /proc/sys/net/ipv4/ip_forward
ftp:/home/avi# echo 1 > /proc/sys/net/ipv4/ip_forward
ftp:/home/avi#
Any help?
Posted: Sat Apr 29, 2006 6:55 am
by Chris Corbyn
a94060 wrote:
I did the command twice and this is what I see:
Code:
ftp:/home/avi# echo 1 > /proc/sys/net/ipv4/ip_forward
ftp:/home/avi# echo 1 > /proc/sys/net/ipv4/ip_forward
ftp:/home/avi#
Any help?
You wouldn't see anything happen when you run the echo command, provided it works successfully. It's just outputting data into a file. The ip_forward file needs a boolean entry in order for your system to perform any NAT translations.
I have to admit... I'm pretty lost when it comes to iptables stuff, though.

Posted: Sat Apr 29, 2006 6:58 am
by a94060
So basically, what do I need to do in order to make this thing work? Would I have to post the contents of that file?
I think it might help to tell how my network is set up. My Linux box is connected to a hub along with my other computers. The Linux box only has one network card. I have also DMZed the Linux box so that I can access the services, and have secured the box using FireHOL.
Posted: Sat Apr 29, 2006 7:00 am
by timvw
a94060 wrote:
This is the output (does not work):
Code:
ftp:/ftp/ROMS# iptables -A FORWARD -p tcp -i eth0 -d 10.10.10.4:5800 --dport 5800 -j ACCEPT
iptables v1.2.11: host/network `10.10.10.4:5800' not found
Try `iptables -h' or 'iptables --help' for more information.
ftp:/ftp/ROMS#
Try "-d 10.10.10.4 --dport 5800" instead.
By the way, it's not enough that there's a computer at 10.10.10.4; you also have to make sure you can actually connect to it.

Posted: Sat Apr 29, 2006 7:11 am
by a94060
timvw wrote:
Try "-d 10.10.10.4 --dport 5800" instead.
By the way, it's not enough that there's a computer at 10.10.10.4; you also have to make sure you can actually connect to it.

Apparently timvw's strategy worked and the command went through without a problem. But what I was trying to do did not work. Basically, I have a computer sitting at 10.10.10.4 with RealVNC viewer running. I have the connections being accepted on 5900 and the Java viewer running on 5800. So I think it was my fault for not clearing up what is happening. I would like to redirect all connections to the Java viewer (5800) to port 6666 outside, and I would like to leave the connections still being accepted on port 5900.
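The rule set the thread converges on (DNAT in PREROUTING plus an ACCEPT in FORWARD, with ip_forward switched on), written out as an added example script that is not part of any post above. It assumes the Linux box's own address is 10.10.10.1 on eth0; those two values, and the environment variable names, are placeholders to adjust. Two things the thread's rules leave out are included here because of the network described earlier (one NIC, the Linux box on the same hub as the VNC host, DMZed on a separate router): an ESTABLISHED,RELATED rule so reply packets are forwarded, and an SNAT in POSTROUTING so that 10.10.10.4 answers back through the Linux box instead of straight to the client, whose connection is to 10.10.10.1:6666 and which would otherwise discard a reply from 10.10.10.4:5800. Port 5900 is not mentioned in any rule, so direct connections to it are unaffected. By default the script only prints the rules for review; `--apply` runs them as root.

```shell
#!/bin/sh
# Added example, not code from the thread: forward TCP port 6666 on the
# Linux box to 10.10.10.4:5800 (RealVNC Java viewer) and leave 5900 alone.
# The interface and addresses below are assumptions for illustration.

EXTIF="${EXTIF:-eth0}"          # interface the client's connection arrives on
BOXIP="${BOXIP:-10.10.10.1}"    # assumed address of the Linux box on that interface
EXTPORT="${EXTPORT:-6666}"      # port clients connect to on the box
VNCHOST="${VNCHOST:-10.10.10.4}" # the VNC machine from the thread
VNCPORT="${VNCPORT:-5800}"      # Java viewer port on that machine

# Returns 0 when the file holds "1", i.e. the kernel will route between hosts.
# Takes the path as an argument so it can be checked against any file.
forwarding_enabled() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# Print the iptables commands for one forward, one complete command per line:
#   $1 interface, $2 box address, $3 public port, $4 target host, $5 target port
# 1. DNAT only traffic addressed to the box itself (-d), not everything on $1.
# 2. Accept the first packet of each new connection toward the target port.
# 3. Accept replies and follow-up packets for connections already tracked.
# 4. SNAT so the target sees the box as the client; needed when the box is
#    not the target's default gateway (single NIC on a shared hub), otherwise
#    replies bypass the box and the client never sees them.
forward_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $1 -d $2 -p tcp --dport $3 -j DNAT --to-destination $4:$5
iptables -A FORWARD -i $1 -d $4 -p tcp --dport $5 -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -d $4 -p tcp --dport $5 -j SNAT --to-source $2
EOF
}

if [ "${1:-}" = "--apply" ]; then
    # Must run as root: enable routing first, then apply the generated rules,
    # stopping at the first rule iptables rejects.
    forwarding_enabled /proc/sys/net/ipv4/ip_forward || echo 1 > /proc/sys/net/ipv4/ip_forward
    forward_rules "$EXTIF" "$BOXIP" "$EXTPORT" "$VNCHOST" "$VNCPORT" | sh -e
else
    # Default: print the rules so they can be reviewed before touching the box.
    forward_rules "$EXTIF" "$BOXIP" "$EXTPORT" "$VNCHOST" "$VNCPORT"
fi
```

The cost of the SNAT rule is that the VNC host logs every forwarded session as coming from the Linux box rather than from the real client; if the VNC host's default gateway is changed to be the Linux box, that rule can be dropped and the original source addresses survive. On a host that boots with ip_forward at 0 (the kernel default), the `echo 1` has to be repeated after every reboot, which is why it belongs in the script rather than being typed once by hand.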