Question

Port forwarding not working

Asked by: shaunwingin

Say, I'm trying to forward port 8080 to IP 192.168.10.209 with no luck.

This is my firewall. Please HELP.
# Generated by iptables-save v1.3.5 on Mon Aug 24 00:19:39 2009
*mangle
:PREROUTING ACCEPT [4786:1771206]
:INPUT ACCEPT [4674:1763828]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6304:3027677]
:POSTROUTING ACCEPT [6304:3027677]
-A OUTPUT -p udp -m udp --sport 4569 -j DSCP --set-dscp 0x2e
-A OUTPUT -p udp -m udp --sport 10000:20000 -j DSCP --set-dscp 0x2e
-A OUTPUT -p udp -m udp --sport 5060 -j DSCP --set-dscp 0x2e
COMMIT
# Completed on Mon Aug 24 00:19:39 2009
# Generated by iptables-save v1.3.5 on Mon Aug 24 00:19:39 2009
*nat
:PREROUTING ACCEPT [28:3178]
:POSTROUTING ACCEPT [108:18980]
:OUTPUT ACCEPT [108:18980]
-A PREROUTING -p tcp -m tcp --dport 8080:8888 -m state --state NEW -j DNAT --to-destination 192.168.10.209:8080
COMMIT
# Completed on Mon Aug 24 00:19:39 2009
# Generated by iptables-save v1.3.5 on Mon Aug 24 00:19:39 2009
*filter
:INPUT ACCEPT [3:276]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6304:3027677]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 8080:8082 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1021 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1022 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1023 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 5060 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 10000:20000 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 4569 -m state --state NEW -j ACCEPT
COMMIT
# Completed on Mon Aug 24 00:19:39 2009


Asked On: 2009-08-23 at 15:21:53, ID: 24675174
Topics: IP Tables/IP Chains, Network Design & Methodology, Linux Network Security, Network Software Firewalls, Enterprise Firewalls
Participating Experts: 5
Points: 500
Comments: 32


Answers

 

by: DetailsIT, posted on 2009-08-23 at 15:53:39, ID: 25164617

Here are two examples:

# nat table: rewrite the destination of inbound port 8080 to the internal host
-A PREROUTING -p tcp -i eth0 -d xxx.xxx.xxx.xxx --dport 8080 -j DNAT --to 192.168.10.209:8080
# filter table: let the rewritten packets through to that host
-A FORWARD -p tcp -i eth0 -d 192.168.10.209 --dport 8080 -j ACCEPT

-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.10.209:8080
# DNATed packets bound for another host traverse FORWARD, not INPUT, so the accept rule belongs there
-A FORWARD -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT

 

by: RBEIMS, posted on 2009-08-23 at 17:14:50, ID: 25164884

Are you sure you have forwarding active?
echo "1" >/proc/sys/net/ipv4/ip_forward

 

by: shaunwingin, posted on 2009-08-24 at 00:07:02, ID: 25166094

echo "1" >/proc/sys/net/ipv4/ip_forward
The new file ip_forward now has a "1" in it.
Executing: iptables -A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.10.209:8080
RETURNS: iptables: No chain/target/match by that name

Please help!

 

by: Blaz, posted on 2009-08-24 at 00:29:20, ID: 25166167

Specify the nat table (instead of the default filter table):
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.10.209:8080

 

by: shaunwingin, posted on 2009-08-24 at 01:23:11, ID: 25166387

Tx. Still no luck:
This is the log, and it shows the connection - please help!
193: Aug 24 10:01:20 trixbox1 kernel: IN=ppp0 OUT=eth0 SRC=144.146.153.69 DST=192.168.10.209 LEN=48 TOS=0x00 PREC=0x00 TTL=124 ID=18160 DF PROTO=TCP SPT=4052 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
194: Aug 24 10:01:23 trixbox1 kernel: IN=ppp0 OUT=eth0 SRC=144.146.153.69 DST=192.168.10.209 LEN=48 TOS=0x00 PREC=0x00 TTL=124 ID=18194 DF PROTO=TCP SPT=4052 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
196: Aug 24 10:01:29 trixbox1 kernel: IN=ppp0 OUT=eth0 SRC=144.146.153.69 DST=192.168.10.209 LEN=48 TOS=0x00 PREC=0x00 TTL=124 ID=18241 DF PROTO=TCP SPT=4053 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
213: Aug 24 10:01:31 trixbox1 kernel: IN=ppp0 OUT=eth0 SRC=144.146.153.69 DST=192.168.10.209 LEN=48 TOS=0x00 PREC=0x00 TTL=124 ID=18284 DF PROTO=TCP SPT=4054 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
217: Aug 24 10:01:34 trixbox1 kernel: IN=ppp0 OUT=eth0 SRC=144.146.153.69 DST=192.168.10.209 LEN=48 TOS=0x00 PREC=0x00 TTL=124 ID=18312 DF PROTO=TCP SPT=4054 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
218: Aug 24 10:01:40 trixbox1 kernel: IN=ppp0 OUT=eth0 SRC=144.146.153.69 DST=192.168.10.209 LEN=48 TOS=0x00 PREC=0x00 TTL=124 ID=18384 DF PROTO=TCP SPT=4054 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
219: Aug 24 10:01:52 trixbox1 kernel: IN=ppp0 OUT=eth0 SRC=144.146.153.69 DST=192.168.10.209 LEN=48 TOS=0x00 PREC=0x00 TTL=124 ID=18760 DF PROTO=TCP SPT=4058 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
220: Aug 24 10:01:55 trixbox1 kernel: IN=ppp0 OUT=eth0 SRC=144.146.153.69 DST=192.168.10.209 LEN=48 TOS=0x00 PREC=0x00 TTL=124 ID=18864 DF PROTO=TCP SPT=4058 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0

 

by: Blaz, posted on 2009-08-24 at 01:25:35, ID: 25166398

Your input interface is ppp0, not eth0:
iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.10.209:8080

 

by: shaunwingin, posted on 2009-08-24 at 01:33:03, ID: 25166429

*nat
:PREROUTING ACCEPT [114:14045]
:POSTROUTING ACCEPT [263:17744]
:OUTPUT ACCEPT [213:15344]
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 8080:8888 -j DNAT --to-destination 192.168.10.209:8080
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.10.209:8080
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.10.209:8080
COMMIT

 

by: shaunwingin, posted on 2009-08-24 at 02:27:36, ID: 25166662

As you can see, ppp0 is specified but I still get the log as above?

 

by: Blaz, posted on 2009-08-24 at 03:14:01, ID: 25166860

Could you post your current filter section? The rules above do not do any logging, and actually allow all connections!

 

by: shaunwingin, posted on 2009-08-24 at 03:19:10, ID: 25166889

*mangle
:PREROUTING ACCEPT [527579:41491490]
:INPUT ACCEPT [527235:41464566]
:FORWARD ACCEPT [236:11328]
:OUTPUT ACCEPT [637726:52022343]
:POSTROUTING ACCEPT [637962:52033671]
-A OUTPUT -p udp -m udp --sport 4569 -j DSCP --set-dscp 0x2e
-A OUTPUT -p udp -m udp --sport 10000:20000 -j DSCP --set-dscp 0x2e
-A OUTPUT -p udp -m udp --sport 5060 -j DSCP --set-dscp 0x2e
COMMIT
# Completed on Mon Aug 24 12:18:49 2009
# Generated by iptables-save v1.3.5 on Mon Aug 24 12:18:49 2009
*nat
:PREROUTING ACCEPT [278:28278]
:POSTROUTING ACCEPT [656:44806]
:OUTPUT ACCEPT [559:40150]
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 8080:8888 -j DNAT --to-destination 192.168.10.209:8080
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 23 -j DNAT --to-destination 192.168.10.209:23
COMMIT
# Completed on Mon Aug 24 12:18:49 2009
# Generated by iptables-save v1.3.5 on Mon Aug 24 12:18:49 2009
*filter
:INPUT ACCEPT [30:1440]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [637726:52022343]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -i ppp0 -p tcp -m tcp --dport 23 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 8080:8082 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1021 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1022 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1023 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 5060 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 10000:20000 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 4569 -m state --state NEW -j ACCEPT
COMMIT
# Completed on Mon Aug 24 12:18:49 2009

 

by: shaunwingin, posted on 2009-08-27 at 11:06:28, ID: 25201015

I've run this and confirmed the change to 1: echo "1" >/proc/sys/net/ipv4/ip_forward
However, when service network restart is run it changes back to 0?!

 

by: MiLLeNNiuM, posted on 2009-08-27 at 13:14:25, ID: 25202195

I don't know about the specifics of Red Hat; I usually write my own scripts.
Can you give me the output of the following commands: "iptables -L -nv" and "iptables -L -nv -t nat"
I can make you a script from the output and also fix your problem.

 

by: Redimido, posted on 2009-08-27 at 21:28:55, ID: 25204959

Edit /etc/sysctl.conf to look like:
net.ipv4.ip_forward = 1

Changes to sysctl.conf take effect upon booting. If you want changes to take effect without rebooting, use the following:
# sysctl -p


Now, when you want to check whether traffic is flowing through one of your rules, issue:

for the FILTER table:
iptables -L -vn

for the NAT table:
iptables -L -vn -t nat


If you still have problems after editing sysctl.conf and restarting, then I would recommend reordering these rules:
-A FORWARD -j RH-Firewall-1-INPUT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

to look like:
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j RH-Firewall-1-INPUT


This is before looking at the output of the iptables -L command ;-)

Best,
Gabriel
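
The two checks that resolved this thread, namely that the DNAT rule's -i interface must be the interface the packets actually arrive on (Blaz's point from the IN=ppp0 log lines) and that the DNATed flow must be accepted on the FORWARD path before the jump into the shared RH-Firewall-1-INPUT chain (Redimido's reordering), can be run mechanically against an iptables-save dump and a few netfilter LOG lines. The script below is an added example, not code from the thread or any of its participants; it is in Python because it lints dumps offline rather than driving iptables, and its rules and log lines are constructed (modelled on the asker's first dump, with the FORWARD policy tightened to DROP and a documentation-range source address).

```python
import re
from collections import defaultdict
# Constructed iptables-save excerpt modelled on the asker's first dump: DNAT bound to eth0 while
# the WAN link is ppp0; FORWARD policy DROP (theirs was ACCEPT) so the missing accept shows too.
BROKEN_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080:8888 -j DNAT --to-destination 192.168.10.209:8080
COMMIT
*filter
:FORWARD DROP [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A FORWARD -j RH-Firewall-1-INPUT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
COMMIT
"""
# The same dump after both fixes: DNAT bound to ppp0, plus an explicit FORWARD accept for
# the DNATed flow placed ahead of the jump into the shared RH chain.
FIXED_SAVE = BROKEN_SAVE.replace("-A PREROUTING -i eth0", "-A PREROUTING -i ppp0").replace(
    "-A FORWARD -j RH-Firewall-1-INPUT",
    "-A FORWARD -i ppp0 -d 192.168.10.209 -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT\n"
    "-A FORWARD -j RH-Firewall-1-INPUT")
# Constructed netfilter LOG lines in the format the asker pasted (documentation-range source IP).
SAMPLE_LOG = [
    "Aug 24 10:01:20 fw kernel: IN=ppp0 OUT=eth0 SRC=198.51.100.7 DST=192.168.10.209 LEN=48 PROTO=TCP SPT=4052 DPT=8080 SYN",
    "Aug 24 10:01:29 fw kernel: IN=ppp0 OUT=eth0 SRC=198.51.100.7 DST=192.168.10.209 LEN=48 PROTO=TCP SPT=4053 DPT=8080 SYN",
]
# Rule options we interpret; match-module selectors such as '-m tcp' or '-m state' are skipped.
OPT = {"-i": "in", "-p": "proto", "-d": "dst", "-j": "target", "--dport": "dport",
       "--state": "state", "--to-destination": "to", "--to-dest": "to"}

def parse_rule(line):
    """Turn one '-A CHAIN ...' line into a dict of the options listed in OPT."""
    toks = line.split()
    rule = {"chain": toks[1]}
    for i, tok in enumerate(toks[:-1]):
        if tok in OPT:
            rule[OPT[tok]] = toks[i + 1].split("/")[0]  # drop a /32 suffix on addresses
    return rule

def parse_save(text):
    """Parse iptables-save text into {table: {"policy": {chain: policy}, "rules": {chain: [rule]}}}."""
    tables, table = {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {"policy": {}, "rules": defaultdict(list)})
        elif line.startswith(":"):  # ':CHAIN POLICY [pkts:bytes]'; policy '-' marks a user chain
            chain, policy = line[1:].split()[:2]
            table["policy"][chain] = policy
        elif line.startswith("-A "):
            rule = parse_rule(line)
            table["rules"][rule["chain"]].append(rule)
    return tables

def port_in_range(port, spec):
    """True if port lies within an iptables port spec such as '8080' or '8080:8888'."""
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)

def rule_matches(rule, flow):
    """A rule matches when every match option it specifies agrees with the flow."""
    if any(rule.get(k) not in (None, flow[k]) for k in ("in", "proto", "dst")):
        return False
    if "dport" in rule and not port_in_range(flow["dport"], rule["dport"]):
        return False
    # An inbound SYN is a NEW connection, so RELATED,ESTABLISHED rules never see it.
    return "state" not in rule or "NEW" in rule["state"].split(",")

def forward_accepts(filt, flow, chain="FORWARD", depth=0):
    """Walk FORWARD, following jumps into user chains, to the first terminating verdict."""
    for rule in filt["rules"].get(chain, []):
        if not rule_matches(rule, flow):
            continue
        target = rule.get("target")
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target == "ACCEPT"
        if target in filt["policy"] and depth < 4:  # jump into a user-defined chain
            verdict = forward_accepts(filt, flow, target, depth + 1)
            if verdict is not None:
                return verdict
    # Falling off a user chain returns to the caller; falling off FORWARD applies the policy.
    return filt["policy"].get(chain) == "ACCEPT" if chain == "FORWARD" else None

def check_port_forwarding(save_text, log_lines):
    """Return one finding string per problem found for each DNAT rule in nat/PREROUTING."""
    tables = parse_save(save_text)
    logs = [dict(re.findall(r"\b([A-Z]+)=(\S+)", line)) for line in log_lines]  # KEY=value fields
    findings = []
    dnats = [r for r in tables.get("nat", {"rules": {}})["rules"].get("PREROUTING", []) if r.get("target") == "DNAT"]
    for rule in dnats:
        proto, (to_ip, _, to_port) = rule.get("proto", "tcp"), rule["to"].partition(":")
        # Interfaces on which logged packets inside this rule's port range actually arrived.
        seen_in = {log["IN"] for log in logs if log.get("PROTO", "").lower() == proto
                   and port_in_range(int(log["DPT"]), rule["dport"])}
        if "in" in rule and seen_in and rule["in"] not in seen_in:
            findings.append(f"DNAT for {proto} dport {rule['dport']} is bound to -i {rule['in']} "
                            f"but matching packets arrive on {','.join(sorted(seen_in))}")
        for iface in seen_in or {rule.get("in", "any")}:
            flow = {"in": iface, "proto": proto, "dst": to_ip,
                    "dport": int(to_port or rule["dport"].split(":")[0])}
            if not forward_accepts(tables.get("filter", {"policy": {}, "rules": {}}), flow):
                findings.append(f"no FORWARD ACCEPT for {proto}/{flow['dport']} to {to_ip} arriving on {iface}")
    return findings
```

Run `check_port_forwarding(BROKEN_SAVE, SAMPLE_LOG)` to see both findings, and the same call with `FIXED_SAVE` to see them clear; on a real box, feed it the output of `iptables-save` and the kernel LOG lines from /var/log/messages.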

 

by: shaunwingin, posted on 2009-08-28 at 04:57:20, ID: 25206596

Redimido: Tx for the detailed help. Still having the problem.
Millenium: See paste below:

[root@localhost sysconfig]# iptables -L -nv
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        
 7356  339K RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain OUTPUT (policy ACCEPT 9395 packets, 10M bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination        
 7347  337K ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0          
    2   100 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0          
    5  1219 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:23 state NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 state NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1022 state NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1023 state NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            141.2.39.6         tcp dpt:5060 state NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            141.2.39.6         udp dpts:10000:20000 state NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            141.2.39.6         state NEW udp dpt:4569
    0     0 LOG        all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp flags:!0x17/0x02 LOG flags 0 level 4 prefix `ALERT,NewNotSyn from eth:'
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp flags:!0x17/0x02
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 LOG flags 0 level 4 prefix `ALERT,NEW FROM eth DROP:'
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 LOG flags 0 level 4 prefix `ALERT PING DROP:'
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8
    2   186 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `ALERT, REST INPUT DROP:'
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0          
[root@localhost sysconfig]#
_________________________________
[root@localhost sysconfig]# iptables -L -vn -t nat
Chain PREROUTING (policy ACCEPT 11 packets, 1264 bytes)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 DNAT       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp to:192.168.10.108:23

Chain POSTROUTING (policy ACCEPT 34 packets, 2082 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain OUTPUT (policy ACCEPT 34 packets, 2082 bytes)
 pkts bytes target     prot opt in     out     source               destination        
[root@localhost sysconfig]#

 

by: MiLLeNNiuM, posted on 2009-08-28 at 05:19:39, ID: 25206729

Attached is a script that will probably fix your problems.
Place it at /etc/init.d/firewall, do a "chmod 700 /etc/init.d/firewall", then execute it.

Notice that Red Hat/CentOS use a single chain for both the FORWARD and INPUT chains, so I can't really tell what traffic is directed to the box and what is supposed to go through (if that is your firewall, INPUT is probably just port 22).

Also, I removed all the logging; that can be added later. To debug the access, use tcpdump instead (run it like this: "tcpdump -i any host 144.146.153.69 -vn") and you should be able to see the NAT and the Forward.

Please let me know the result.

#!/bin/sh
 
#Variables
IPTABLES=/sbin/iptables
 
#Clean the chains, define policies and set it stateful
 
$IPTABLES -L -n | awk '/Chain/ {printf "iptables -F %s\n", $2;}'|/bin/sh
$IPTABLES -t nat -L -n | awk '/Chain/ {printf "iptables -t nat -F %s\n", $2;}'|/bin/sh
$IPTABLES -X
$IPTABLES -t nat -X
 
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
 
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 
#Loopback
$IPTABLES -A INPUT -i lo -j ACCEPT
 
#Allows access to the box
$IPTABLES -A INPUT -m state --state NEW -p tcp -m multiport --dport 22,25,1022,1023 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -i eth0 -j ACCEPT
 
#Allows certain traffic to go through the box
$IPTABLES -A FORWARD -m state --state NEW -i eth0 -j ACCEPT
$IPTABLES -A FORWARD -m state --state NEW -p tcp -m multiport --dport 22,25,1022,1023 -j ACCEPT
$IPTABLES -A FORWARD -m state --state NEW -d 141.2.39.6 -p tcp --dport --dport 5060 -j ACCEPT
$IPTABLES -A FORWARD -m state --state NEW -d 141.2.39.6 -p udp --dport --dport 4569 -j ACCEPT
$IPTABLES -A FORWARD -m state --state NEW -d 141.2.39.6 -p udp --dport --dport 10000:20000 -j ACCEPT
 
#Port forwarding
$IPTABLES -t nat -A PREROUTING -i ppp0 -p tcp --dport 8080 -j DNAT --to-dest 192.168.10.209
$IPTABLES -A FORWARD -m state --state NEW -i ppp0 -d 192.168.10.209 -p tcp --dport 8080 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i ppp0 -p tcp --dport 23 -j DNAT --to-dest 192.168.10.108
$IPTABLES -A FORWARD -m state --state NEW -i ppp0 -d 192.168.10.108 -p tcp --dport 8080 -j ACCEPT

                                              

 

by: shaunwingin, posted on 2009-08-28 at 05:39:53, ID: 25206873

Tx, but I get:

[root@localhost init.d]# chmod 700 firewall
[root@localhost init.d]# ./firewall
iptables v1.3.5: invalid TCP port/service `--dport' specified
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.5: invalid UDP port/service `--dport' specified
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.5: invalid UDP port/service `--dport' specified
Try `iptables -h' or 'iptables --help' for more information.
[root@localhost init.d]# service firewall stop
iptables v1.3.5: invalid TCP port/service `--dport' specified
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.5: invalid UDP port/service `--dport' specified
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.5: invalid UDP port/service `--dport' specified
Try `iptables -h' or 'iptables --help' for more information.
[root@localhost init.d]#

 

by: MiLLeNNiuM, posted on 2009-08-28 at 05:45:20, ID: 25206916

It was a typo I made, shaunwingin; I've fixed it. Here's the new script.

#!/bin/sh
 
#Variables
IPTABLES=/sbin/iptables
 
#Clean the chains, define policies and set it stateful
 
$IPTABLES -L -n | awk '/Chain/ {printf "iptables -F %s\n", $2;}'|/bin/sh
$IPTABLES -t nat -L -n | awk '/Chain/ {printf "iptables -t nat -F %s\n", $2;}'|/bin/sh
$IPTABLES -X
$IPTABLES -t nat -X
 
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
 
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 
#Loopback
$IPTABLES -A INPUT -i lo -j ACCEPT
 
#Allows access to the box
$IPTABLES -A INPUT -m state --state NEW -p tcp -m multiport --dport 22,25,1022,1023 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -i eth0 -j ACCEPT
 
#Allows certain traffic to go through the box
$IPTABLES -A FORWARD -m state --state NEW -i eth0 -j ACCEPT
$IPTABLES -A FORWARD -m state --state NEW -p tcp -m multiport --dport 22,25,1022,1023 -j ACCEPT
$IPTABLES -A FORWARD -m state --state NEW -d 141.2.39.6 -p tcp --dport 5060 -j ACCEPT
$IPTABLES -A FORWARD -m state --state NEW -d 141.2.39.6 -p udp --dport 4569 -j ACCEPT
$IPTABLES -A FORWARD -m state --state NEW -d 141.2.39.6 -p udp --dport 10000:20000 -j ACCEPT
 
#Port forwarding
$IPTABLES -t nat -A PREROUTING -i ppp0 -p tcp --dport 8080 -j DNAT --to-dest 192.168.10.209
$IPTABLES -A FORWARD -m state --state NEW -i ppp0 -d 192.168.10.209 -p tcp --dport 8080 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i ppp0 -p tcp --dport 23 -j DNAT --to-dest 192.168.10.108
#The DNAT above sends port 23 to this host, so the FORWARD accept must match port 23 as well
$IPTABLES -A FORWARD -m state --state NEW -i ppp0 -d 192.168.10.108 -p tcp --dport 23 -j ACCEPT

                                              

 

by: shaunwingin, posted on 2009-08-30 at 10:00:23, ID: 25218327

Tx. Still not getting through...
tcpdump -i any host 144.146.153.69 -vn
What IP must I use? Please explain it.

 

by: MiLLeNNiuM, posted on 2009-08-30 at 11:15:38, ID: 25218575

If you know the source IP, use it; you're going to be able to see every packet. If you don't know it, run it like this: "tcpdump -i any port 8080 -vn"
Please paste the output here so I can see what's going on, but it's kind of hard to think that it doesn't work, such a simple script.
It would help as well if you told me how your network is set up. Can you give us the following info:

On the firewall:
"ifconfig -a"
"route -n"

On the machine that you are directing port 8080 to (with the IP 192.168.10.209):
If it's Windows:
"ipconfig /all"
"route print"

If it's Linux:
"ifconfig -a"
"route -n"

 

by: shaunwingin, posted on 2009-08-30 at 12:04:48, ID: 25218772

Tx. Please see attached.

Also a telnet attempt from a public PC:
[root@localhost init.d]# tcpdump -i any port 23 -vn
tcpdump: WARNING: Promiscuous mode not supported on the "any" device
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
20:59:11.582094 IP (tos 0x0, ttl  54, id 33392, offset 0, flags [DF], proto: TCP (6), length: 60) 141.222.39.3.34130 > 196.146.152.179.telnet: S, cksum 0x3b1c (correct), 2177664076:2177664076(0) win 5840 <mss 1412,sackOK,timestamp 3579708988 0,nop,wscale 7>
20:59:11.583753 IP (tos 0x0, ttl  53, id 33392, offset 0, flags [DF], proto: TCP (6), length: 60) 141.222.39.3.34130 > 192.168.10.108.telnet: S, cksum 0xae4d (correct), 2177664076:2177664076(0) win 5840 <mss 1412,sackOK,timestamp 3579708988 0,nop,wscale 7>
20:59:14.577767 IP (tos 0x0, ttl  54, id 33393, offset 0, flags [DF], proto: TCP (6), length: 60) 141.222.39.3.34130 > 196.146.152.179.telnet: S, cksum 0x2f64 (correct), 2177664076:2177664076(0) win 5840 <mss 1412,sackOK,timestamp 3579711988 0,nop,wscale 7>
20:59:14.577804 IP (tos 0x0, ttl  53, id 33393, offset 0, flags [DF], proto: TCP (6), length: 60) 141.222.39.3.34130 > 192.168.10.108.telnet: S, cksum 0xa295 (correct), 2177664076:2177664076(0) win 5840 <mss 1412,sackOK,timestamp 3579711988 0,nop,wscale 7>
20:59:20.578571 IP (tos 0x0, ttl  54, id 33394, offset 0, flags [DF], proto: TCP (6), length: 60) 141.222.39.3.34130 > 196.146.152.179.telnet: S, cksum 0x17f4 (correct), 2177664076:2177664076(0) win 5840 <mss 1412,sackOK,timestamp 3579717988 0,nop,wscale 7>
20:59:20.578614 IP (tos 0x0, ttl  53, id 33394, offset 0, flags [DF], proto: TCP (6), length: 60) 141.222.39.3.34130 > 192.168.10.108.telnet: S, cksum 0x8b25 (correct), 2177664076:2177664076(0) win 5840 <mss 1412,sackOK,timestamp 3579717988 0,nop,wscale 7>

6 packets captured
6 packets received by filter
0 packets dropped by kernel
[root@localhost init.d]#

[root@localhost init.d]# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:02:E3:4C:A0:05  
          inet addr:192.168.10.77  Bcast:192.168.10.255  Mask:255.255.255.0
          inet6 addr: fe80::202:e3ff:fe4c:a005/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4691230 errors:9 dropped:1 overruns:0 frame:0
          TX packets:2411342 errors:0 dropped:0 overruns:0 carrier:0
          collisions:443796 txqueuelen:1000 
          RX bytes:1000184097 (953.8 MiB)  TX bytes:1909684594 (1.7 GiB)
          Interrupt:201 
 
eth1      Link encap:Ethernet  HWaddr 00:06:4F:7D:17:05  
          inet addr:192.168.1.100  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::206:4fff:fe7d:1705/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:250610 errors:0 dropped:0 overruns:0 frame:0
          TX packets:253478 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:45351619 (43.2 MiB)  TX bytes:53170020 (50.7 MiB)
          Interrupt:177 Base address:0xcc00 
 
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:138986 errors:0 dropped:0 overruns:0 frame:0
          TX packets:138986 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:36370929 (34.6 MiB)  TX bytes:36370929 (34.6 MiB)
 
ppp0      Link encap:Point-to-Point Protocol  
          inet addr:196.146.152.179  P-t-P:196.146.152.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:12142 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12511 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3 
          RX bytes:2659461 (2.5 MiB)  TX bytes:854171 (834.1 KiB)
 
sit0      Link encap:IPv6-in-IPv4  
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
 
RESULTS of TELNET from the Linux Machine to linux machine.
______________
[root@localhost rc.d]# telnet 196.146.152.179
Trying 196.146.152.179...
telnet: connect to address 196.146.152.179: Connection refused
telnet: Unable to connect to remote host: Connection refused
[root@localhost rc.d]# 
 
______________
[root@localhost init.d]# tcpdump -i any port 23 -vn
tcpdump: WARNING: Promiscuous mode not supported on the "any" device
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
20:54:27.473517 IP (tos 0x10, ttl  64, id 44654, offset 0, flags [DF], proto: TCP (6), length: 60) 196.146.152.179.43256 > 196.146.152.179.telnet: S, cksum 0x7ec6 (correct), 2565325043:2565325043(0) win 32792 <mss 16396,sackOK,timestamp 548957853 0,nop,wscale 4>
20:54:27.473657 IP (tos 0x10, ttl  64, id 0, offset 0, flags [DF], proto: TCP (6), length: 40) 196.146.152.179.telnet > 196.146.152.179.43256: R, cksum 0x3059 (correct), 0:0(0) ack 2565325044 win 0
______
The route -n is too large to paste, but I can send you specifics.
_________
# Generated by iptables-save v1.3.5 on Sun Aug 30 19:00:34 2009
*mangle
:PREROUTING ACCEPT [272995:22583995]
:INPUT ACCEPT [272986:22583459]
:FORWARD ACCEPT [9:536]
:OUTPUT ACCEPT [330963:239886877]
:POSTROUTING ACCEPT [331695:239910301]
-A OUTPUT -p udp -m udp --sport 4569 -j DSCP --set-dscp 0x2e
-A OUTPUT -p udp -m udp --sport 10000:20000 -j DSCP --set-dscp 0x2e
-A OUTPUT -p udp -m udp --sport 5060 -j DSCP --set-dscp 0x2e
COMMIT
# Completed on Sun Aug 30 19:00:34 2009
# Generated by iptables-save v1.3.5 on Sun Aug 30 19:00:34 2009
*nat
:PREROUTING ACCEPT [7104:721834]
:POSTROUTING ACCEPT [46121:2824988]
:OUTPUT ACCEPT [46121:2824988]
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.10.209
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 23 -j DNAT --to-destination 192.168.10.108
COMMIT
# Completed on Sun Aug 30 19:00:34 2009
# Generated by iptables-save v1.3.5 on Sun Aug 30 19:00:34 2009
*filter
:INPUT DROP [12:1116]
:FORWARD DROP [8:480]
:OUTPUT ACCEPT [80:4914]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m multiport --dports 22,25,1022,1023 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -m state --state NEW -j ACCEPT
-A FORWARD -p tcp -m state --state NEW -m multiport --dports 22,25,1022,1023 -j ACCEPT
-A FORWARD -d 141.2.39.6 -p tcp -m state --state NEW -m tcp --dport 5060 -j ACCEPT
-A FORWARD -d 141.2.39.6 -p udp -m state --state NEW -m udp --dport 4569 -j ACCEPT
-A FORWARD -d 141.2.39.6 -p udp -m state --state NEW -m udp --dport 10000:20000 -j ACCEPT
-A FORWARD -d 192.168.10.209 -i ppp0 -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A FORWARD -d 192.168.10.108 -i ppp0 -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Sun Aug 30 19:00:34 2009
 
 
_______

by: MiLLeNNiuM, posted on 2009-08-30 at 12:22:03, ID: 25218866

The attached code means that the NAT/forward rules (which is what you call port forward) are working: the packet entered on ppp0 and was redirected to the internal IP 192.168.10.108. The TTL change means it crossed the box (forward rule), and you can see that it translated the destination IP.
What is happening is that the internal computer is either filtering the packets or its route to the IP 141.222.39.3 is not configured (it either has a specific route for that host/network configured wrongly or has no default route configured at all).
To fix that I really need the routing table on both machines and the IP configuration for the machine with the IP 192.168.10.108; if it's too big to paste, please copy/paste it into a txt file and attach it here.
Also, please don't use any built-in firewall commands such as "iptables-save"; they aren't needed anymore. Just run the file /etc/init.d/firewall once, then run "chkconfig firewall on" and "chkconfig iptables off"; that will enable the firewall rules I created for you at boot.
If you need to change/create/delete any rule, simply edit the file ("vi /etc/init.d/firewall") and run the script again.
Last but not least, try to do a telnet from the box to the internal machine and see if it connects (telnet 192.168.10.108); that will help us debug.

[root@localhost init.d]# tcpdump -i any port 23 -vn
tcpdump: WARNING: Promiscuous mode not supported on the "any" device
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
20:59:11.582094 IP (tos 0x0, ttl  54, id 33392, offset 0, flags [DF], proto: TCP (6), length: 60) 141.222.39.3.34130 > 196.146.152.179.telnet: S, cksum 0x3b1c (correct), 2177664076:2177664076(0) win 5840 <mss 1412,sackOK,timestamp 3579708988 0,nop,wscale 7>
20:59:11.583753 IP (tos 0x0, ttl  53, id 33392, offset 0, flags [DF], proto: TCP (6), length: 60) 141.222.39.3.34130 > 192.168.10.108.telnet: S, cksum 0xae4d (correct), 2177664076:2177664076(0) win 5840 <mss 1412,sackOK,timestamp 3579708988 0,nop,wscale 7>

 
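The reading MiLLeNNiuM gives of the capture (same IP id and source on both lines, TTL one lower, destination rewritten to the DNAT target, and no packet ever coming back from the internal host) can be automated. The following is an added example, not code from the thread: it parses `tcpdump -vn` lines, pairs each inbound packet with its post-DNAT twin, and reports whether the problem sits in the nat table or on the return path. The sample lines are the two packets quoted above; the public and internal addresses are passed in as parameters.

```python
import re

# Constructed sample: the two tcpdump -vn lines from the post, an inbound SYN
# arriving on ppp0 and the same packet after DNAT on its way to the LAN.
SAMPLE_CAPTURE = """\
20:59:11.582094 IP (tos 0x0, ttl  54, id 33392, offset 0, flags [DF], proto: TCP (6), length: 60) 141.222.39.3.34130 > 196.146.152.179.telnet: S, cksum 0x3b1c (correct), 2177664076:2177664076(0) win 5840 <mss 1412,sackOK,timestamp 3579708988 0,nop,wscale 7>
20:59:11.583753 IP (tos 0x0, ttl  53, id 33392, offset 0, flags [DF], proto: TCP (6), length: 60) 141.222.39.3.34130 > 192.168.10.108.telnet: S, cksum 0xae4d (correct), 2177664076:2177664076(0) win 5840 <mss 1412,sackOK,timestamp 3579708988 0,nop,wscale 7>
"""

# Fields needed from each tcpdump -vn line: TTL, IP id, endpoints, TCP flags.
LINE_RE = re.compile(
    r"ttl\s+(?P<ttl>\d+), id (?P<id>\d+),.*?\) "
    r"(?P<src>[\d.]+)\.(?P<sport>\w+) > (?P<dst>[\d.]+)\.(?P<dport>\w+): "
    r"(?P<flags>[A-Z.]+),"
)

def parse_capture(text):
    """Return one dict per TCP line that tcpdump printed."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            p = m.groupdict()
            p["ttl"], p["id"] = int(p["ttl"]), int(p["id"])
            pkts.append(p)
    return pkts

def diagnose_dnat(text, public_ip, internal_ip):
    """Pair each inbound packet (dst == public_ip) with its post-DNAT copy
    (same src, sport and IP id, dst == internal_ip, TTL one lower) and note
    whether the internal host ever sent anything back."""
    pkts = parse_capture(text)
    inbound = [p for p in pkts if p["dst"] == public_ip]
    forwarded = 0
    for p in inbound:
        twin = [q for q in pkts if q["dst"] == internal_ip
                and (q["src"], q["sport"], q["id"]) == (p["src"], p["sport"], p["id"])
                and q["ttl"] == p["ttl"] - 1]
        forwarded += bool(twin)
    replied = any(p["src"] == internal_ip for p in pkts)
    if not inbound:
        verdict = "no inbound packets for the public ip in this capture"
    elif forwarded == 0:
        verdict = "packets reach the firewall but are not translated: check nat PREROUTING"
    elif not replied:
        verdict = "dnat ok, no reply from internal host: check its route/filtering"
    else:
        verdict = "dnat ok and internal host answers"
    return {"inbound": len(inbound), "forwarded": forwarded,
            "replied": replied, "verdict": verdict}
```

On the sample capture the result is "dnat ok, no reply from internal host", which is exactly the routing diagnosis given in the post.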

by: MiLLeNNiuM, posted on 2009-08-30 at 12:26:42, ID: 25218890

Just to help explain, so you understand better:

> [root@localhost rc.d]# telnet 196.146.152.179
> Trying 196.146.152.179...
> telnet: connect to address 196.146.152.179: Connection refused
> telnet: Unable to connect to remote host: Connection refused

You are not trying to connect to the internal machine with this, but to the box itself, and your NAT is only for the packets that come in on the interface ppp0 (internet packets), not lo (loopback), so it won't redirect it; and since the box itself has no telnet server running, you are going to get a connection refused (the box isn't listening on tcp port 23).

 

by: shaunwingin, posted on 2009-08-30 at 12:31:46, ID: 25218914

Tx.
Route attached.
[root@localhost init.d]# telnet 192.168.10.108
Trying 192.168.10.108...
Connected to 192.168.10.108 (192.168.10.108).
Escape character is '^]'.

<1cf7d32f> Login:

 

by: MiLLeNNiuM, posted on 2009-08-30 at 12:39:34, ID: 25218950

Since you have a ppp device in there, I assume that is the routing table for the firewall. I really gotta ask this: why do you have so many specific routes for internet addresses instead of a simple default route (everything points to ppp0 regardless)?
Anyway, you have no route for the network/IP 141.222.39.3, and that is one of the causes, but I still suspect that the internal machine (192.168.10.108) has issues related to IP configuration/routing.
Can you attach the routing table and the IP configuration for that machine also?

Btw, this is a sign that the service is running and is reachable from the firewall:

> [root@localhost init.d]# telnet 192.168.10.108
> Trying 192.168.10.108...
> Connected to 192.168.10.108 (192.168.10.108).
> Escape character is '^]'.

So it's PROBABLY just routing issues.

 

by: shaunwingin, posted on 2009-08-30 at 12:55:20, ID: 25219016

In South Africa local bandwidth is charged at about a quarter the price of international bandwidth. ppp0 is a local-only connection and eth0 is attached to the international gateway, hence the routes.
There is only one Linux machine and the firewall is running on it. The ifconfig and route tables I've attached are for it.
I think you are correct in your assessment.

 

by: MiLLeNNiuM, posted on 2009-08-30 at 12:59:39, ID: 25219031

> In South Africa local bandwidth is charged at about a quarter the price of international bandwidth. ppp0 is a local-only connection and eth0 is attached to the international gateway, hence the routes.

Alright, then on that Linux box you need to add a route for the network 141.222.0.0/16 (or one route specific to the IP 141.222.39.3).

> There is only one linux machine and the firewall is running on it. The ifconfig and route tables I've attached are for it.

Yes, but I still need to check the routing table and IP configuration for the machine 192.168.10.108; my guess is that the problem is there.
If it's Windows you can get that data using "ipconfig -a" and "route print".

 

by: shaunwingin, posted on 2009-08-30 at 13:17:20, ID: 25219117

Oh sorry, 192.168.10.108 is a Quintum device and I can't find the command to display the route table.
However, I've changed its route to 192.168.10.77, which is the IP of the Linux eth0 it's attached to, but still no joy.

 

by: MiLLeNNiuM, posted on 2009-08-30 at 13:32:21, ID: 25219190

What I can do for you is, since you are able to access it from the Linux box, another NAT so that when the packet gets to the internal device (the Quintum) it arrives with the firewall's internal IP as source instead of the original source IP, so the device knows where to answer.
That is kinda bad for application logs, because every access is going to show as if it originated from the firewall, but it's going to work; anyway, attached is the script with the update.
Added the following line:

$IPTABLES -t nat -A POSTROUTING -o eth0 -d 192.168.10.0/24 -j SNAT --to-source 192.168.10.77

#!/bin/sh
 
#Variables
IPTABLES=/sbin/iptables
 
#Clean the chains, define policies and set it stateful
 
$IPTABLES -L -n | awk '/Chain/ {printf "iptables -F %s\n", $2;}'|/bin/sh
$IPTABLES -t nat -L -n | awk '/Chain/ {printf "iptables -t nat -F %s\n", $2;}'|/bin/sh
$IPTABLES -X
$IPTABLES -t nat -X
 
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
 
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 
#Loopback
$IPTABLES -A INPUT -i lo -j ACCEPT
 
#Allows access to the box
$IPTABLES -A INPUT -m state --state NEW -p tcp -m multiport --dport 22,25,1022,1023 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -i eth0 -j ACCEPT
 
#Allows certain traffic to go through the box
$IPTABLES -A FORWARD -m state --state NEW -i eth0 -j ACCEPT
$IPTABLES -A FORWARD -m state --state NEW -p tcp -m multiport --dport 22,25,1022,1023 -j ACCEPT
$IPTABLES -A FORWARD -m state --state NEW -d 141.2.39.6 -p tcp --dport 5060 -j ACCEPT
$IPTABLES -A FORWARD -m state --state NEW -d 141.2.39.6 -p udp --dport 4569 -j ACCEPT
$IPTABLES -A FORWARD -m state --state NEW -d 141.2.39.6 -p udp --dport 10000:20000 -j ACCEPT
 
#Port forwarding
$IPTABLES -t nat -A POSTROUTING -o eth0 -d 192.168.10.0/24 -j SNAT --to-source 192.168.10.77
$IPTABLES -t nat -A PREROUTING -i ppp0 -p tcp --dport 8080 -j DNAT --to-dest 192.168.10.209
$IPTABLES -A FORWARD -m state --state NEW -i ppp0 -d 192.168.10.209 -p tcp --dport 8080 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i ppp0 -p tcp --dport 23 -j DNAT --to-dest 192.168.10.108
$IPTABLES -A FORWARD -m state --state NEW -i ppp0 -d 192.168.10.108 -p tcp --dport 8080 -j ACCEPT

 

by: shaunwingin, posted on 2009-08-30 at 13:44:55, ID: 25219252

Tx it works.
Previously I had changed the last line:
$IPTABLES -A FORWARD -m state --state NEW -i ppp0 -d 192.168.10.108 -p tcp --dport 8080 -j ACCEPT
to
$IPTABLES -A FORWARD -m state --state NEW -i ppp0 -d 192.168.10.108 -p tcp --dport 23 -j ACCEPT
and did the same this time.

 

by: MiLLeNNiuM, posted on 2009-08-30 at 14:11:20, ID: 25219393

You're welcome.
