Another iptables question

a94060
Forum Regular
Posts: 543
Joined: Fri Feb 10, 2006 4:53 pm

Another iptables question

Post by a94060 »

Hi, I am trying to do a port forward from my Linux server right now. Basically, my goal is to forward port 6666 from my server to another computer listening on port 5800. Basically I think that I'm trying to do NAT and routing.

I have tried this so far:

Code:

IPTABLES -t nat -I PREROUTING -p tcp -i $EXTIF --dport 6666 -j DNAT --to 10.10.10.4:5800
IPTABLES -A FORWARD -i $EXTIF -o 10.10.10.4 -p tcp --dport 6666 -j ACCEPT
aeav
Forum Newbie
Posts: 9
Joined: Fri Apr 28, 2006 7:01 am
Location: Brasil

Post by aeav »

Yes, it's a NAT rule, try it:

iptables -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.0.64 --dport 6666 -j DNAT --to 192.168.0.2:5800
iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.2 --dport 5800 -j ACCEPT


For example, here I'm forwarding 192.168.0.64:6666 to 192.168.0.2:5800.

The difference is that I'm using the "-d" option and...
a94060
Forum Regular
Posts: 543
Joined: Fri Feb 10, 2006 4:53 pm

Post by a94060 »

OK, thanks. I will try and do this once I get home. Do you know how I can do this in FireHOL (just if you use it)?
aeav
Forum Newbie
Posts: 9
Joined: Fri Apr 28, 2006 7:01 am
Location: Brasil

Post by aeav »

OK a94060, about FireHOL: I don't use this tool... I can't help with it...
a94060
Forum Regular
Posts: 543
Joined: Fri Feb 10, 2006 4:53 pm

Post by a94060 »

That's OK, I will just put those lines in and put my values in there.
aeav
Forum Newbie
Posts: 9
Joined: Fri Apr 28, 2006 7:01 am
Location: Brasil

Post by aeav »

we're waiting! :D
a94060
Forum Regular
Posts: 543
Joined: Fri Feb 10, 2006 4:53 pm

Post by a94060 »

This is the output (does not work):

Code:

ftp:/ftp/ROMS# iptables -A FORWARD -p tcp -i eth0 -d 10.10.10.4:5800 --dport 5800 -j ACCEPT
iptables v1.2.11: host/network `10.10.10.4:5800' not found
Try `iptables -h' or 'iptables --help' for more information.
ftp:/ftp/ROMS#
I'm sure that there is a computer at 10.10.10.4.
aeav
Forum Newbie
Posts: 9
Joined: Fri Apr 28, 2006 7:01 am
Location: Brasil

Post by aeav »

Strange...
Is /proc/sys/net/ipv4/ip_forward enabled?

# echo 1 > /proc/sys/net/ipv4/ip_forward
a94060
Forum Regular
Posts: 543
Joined: Fri Feb 10, 2006 4:53 pm

Post by a94060 »

I did the command twice and this is what I see:

Code:

ftp:/home/avi# echo 1 > /proc/sys/net/ipv4/ip_forward
ftp:/home/avi# echo 1 > /proc/sys/net/ipv4/ip_forward
ftp:/home/avi#
Any help?
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

a94060 wrote: I did the command twice and this is what I see:

Code:

ftp:/home/avi# echo 1 > /proc/sys/net/ipv4/ip_forward
ftp:/home/avi# echo 1 > /proc/sys/net/ipv4/ip_forward
ftp:/home/avi#
Any help?
You wouldn't see anything happen when you run the echo command, providing it works successfully. It's just outputting data into a file. The ip_forward file needs a boolean entry in order for your system to perform any NAT translations ;)

I have to admit... I'm pretty lost when it comes to iptables stuff though :(
a94060
Forum Regular
Posts: 543
Joined: Fri Feb 10, 2006 4:53 pm

Post by a94060 »

So basically, what do I need to do in order to make this thing work? Would I have to post the contents of that file?

I think it might help to tell how my network is set up. My Linux box is connected to a hub along with my other computers. The Linux box only has 1 network card. I have also DMZed the Linux box so that I can access the services, and have secured the box using FireHOL.
Last edited by a94060 on Sat Apr 29, 2006 7:01 am, edited 1 time in total.
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

a94060 wrote: This is the output (does not work):

Code:

ftp:/ftp/ROMS# iptables -A FORWARD -p tcp -i eth0 -d 10.10.10.4:5800 --dport 5800 -j ACCEPT
iptables v1.2.11: host/network `10.10.10.4:5800' not found
Try `iptables -h' or 'iptables --help' for more information.
ftp:/ftp/ROMS#
Try "-d 10.10.10.4 --dport 5800" instead.

Btw, it's not enough that there's a comp at 10.10.10.4, you also have to make sure you actually connect to it ;)
a94060
Forum Regular
Posts: 543
Joined: Fri Feb 10, 2006 4:53 pm

Post by a94060 »

timvw wrote:
a94060 wrote: This is the output (does not work):

Code:

ftp:/ftp/ROMS# iptables -A FORWARD -p tcp -i eth0 -d 10.10.10.4:5800 --dport 5800 -j ACCEPT
iptables v1.2.11: host/network `10.10.10.4:5800' not found
Try `iptables -h' or 'iptables --help' for more information.
ftp:/ftp/ROMS#
Try "-d 10.10.10.4 --dport 5800" instead.

Btw, it's not enough that there's a comp at 10.10.10.4, you also have to make sure you actually connect to it ;)

Apparently, timvw's strategy worked and the command went through without a problem. But what I was trying to do did not work. Basically, I have a computer sitting at 10.10.10.4 with RealVNC viewer running. I have the connections being accepted on 5900 and the Java viewer running on 5800. So I think it was my fault for not clearing up what is happening. I would like to redirect all connections to the Java viewer (5800) to port 6666 outside, and I would like to leave the connections still being accepted on port 5900.
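The setup described in this thread (one NIC, the NAT box on the same hub as the VNC host, only outside port 6666 redirected to 10.10.10.4:5800 while 5900 is left alone) as an added shell example; this is not code from any poster here. The interface, ports and addresses are the thread's values; the APPLY switch and the valid_host check are assumptions added for illustration. Besides the PREROUTING/FORWARD pair, the script adds a POSTROUTING MASQUERADE, because with a single NIC the VNC host would otherwise answer the client directly through the default gateway and the reply would never pass back through the NAT box.

```sh
#!/bin/sh
# Added example (not from the thread): build or apply the iptables rules for the
# DNAT port forward discussed above. Default is a dry run that only prints the
# commands; set APPLY=1 to execute them as root.
EXTIF="${EXTIF:-eth0}"             # interface the outside connections arrive on
PUB_PORT="${PUB_PORT:-6666}"       # port exposed to the outside
DEST_IP="${DEST_IP:-10.10.10.4}"   # internal host running the Java VNC viewer
DEST_PORT="${DEST_PORT:-5800}"     # its listening port

# "-d" takes a host or network, never host:port. Catch the slip from the thread
# ("host/network `10.10.10.4:5800' not found") before iptables is called.
valid_host() {
    case "$1" in
        "" | *:*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the command in a dry run, execute it when APPLY=1.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

forward_rules() {
    valid_host "$DEST_IP" || { echo "bad destination: $DEST_IP" >&2; return 1; }
    # the kernel must be allowed to forward at all
    run sysctl -w net.ipv4.ip_forward=1
    # rewrite inbound $PUB_PORT to the internal host; port 5900 is not touched
    run iptables -t nat -A PREROUTING -i "$EXTIF" -p tcp --dport "$PUB_PORT" \
        -j DNAT --to-destination "$DEST_IP:$DEST_PORT"
    # FORWARD sees the packet after DNAT, so match the translated address and port
    run iptables -A FORWARD -i "$EXTIF" -p tcp -d "$DEST_IP" --dport "$DEST_PORT" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # one NIC, same LAN: without this the VNC host answers the client directly via
    # the default gateway and the reply never passes this box. Masquerading the
    # forwarded flow makes the VNC host reply to this box, which un-NATs it.
    run iptables -t nat -A POSTROUTING -p tcp -d "$DEST_IP" --dport "$DEST_PORT" \
        -j MASQUERADE
}

forward_rules
```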