impossible to forward port 8080 and 3389 with iptables (ubuntu)

Posted on 2008-06-25
Last Modified: 2013-11-15
Hello :)

I came accross a very (to me) wierd problem ..
somehow, it seem I'm unable to forward port 8080 and 3389, while most of the other ports (I didnt test everything) are working perfectly.

here is how my network look:

[network: 192.168.0.x] > [ubuntubox eth0: eth1:] > [router]
the router has as DMZ

so far, everything is ok, all computers behind the box have access to internet.
now, when I want to forward some port into my LAN, problems arise:

for exemple, I tried to forward the port 21 to, in doing as follow:

sudo iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 21  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A PREROUTING -t nat -p tcp -i eth1 --dport 21 -j DNAT --to-destination

no problem there. but when I'm trying the very same things, with port 8080, to any of my LAN, it wont work. at all. same goes for 3389.
there is no firewall on the server I'm trying to reach inside the lan, and no other service blocking the way.
it just wont connect.
I tried with port 21, 80, 5900, all of those were ok.

if it's any help, here is the extra package I installed on ubuntu: apache, bind, ntop, lynx.
and also, there was some wierd error while booting, something like: ACPI Invalid PBLK Length
but I don't think it's related.

thanks in advance!

edit: I can see however that the timeout on port 8080 and 3389 is longer when I did the forward, than when I remove the entry from iptables
Question by:mistoiic
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
  • 3

Expert Comment

ID: 21867004
Sounds like your ISP, not IPTables. 8080 is a common proxy port (also old Wingate *shudder*) and 3389 is Remote Desktop Protocol. Both of these are routinely blocked by ISPs, personal firewalls, and other security applications.

Expert Comment

ID: 21867016
If I would have paid more attention to your question, I would have seen that you are trying to forward to your internal LAN. Sorry. Is there anything internally that may be blocking those ports?

Author Comment

ID: 21867102
not that I'm aware of :)

it seems to be random, some port are ok, while some are not.
some minutes ago, I did try to redirect port 3000 (ntop html report) to another IP,
it worked.

another thing I tried, is to forward vnc (5900) to (worked)
then, I made vnc listen to port 8080, forward that to it failed. but a long timeout
(while local connection are ok)
Don't Cry: How Liquid Web is Ensuring Security

WannaCry is just the start. Read how Liquid Web is protecting itself and its customers against new threats.


Accepted Solution

kosmoraios earned 250 total points
ID: 21867721
If you're using ipchains as well as iptables, check your ipchains configuration to make sure that those ports aren't being blocked. If you're using a template or default configuration file, they might be blocked by default.

The nature of those two ports strongly leads me to believe they are being blocked by something.
LVL 29

Expert Comment

by:Jan Springer
ID: 21867786
You don't indicate whether the rules are accepted in iptables and whether you have logged the rules to determine whether iptables is the problem or the destination location.

Author Comment

ID: 21868360
I did try 8080 because I needed it,
but I also tried 8081 later, and it did not work, while 26352 was ok. it's a mystery to me :(
I didnt log anything, and the rule is accepted (ie no error) no matter what port I try.

I will try to log the rules forwarding 8080, and report back :)

Author Comment

ID: 21868392
could a broken network interface cause this?
I can change it, at least to eliminate one possibility :)
LVL 29

Expert Comment

by:Jan Springer
ID: 21868480
are you using this network interface in the rule that doesn't work?

Author Comment

ID: 21869038
I don't know if it's broken .. just a possibility that crossed my mind ;]
LVL 29

Assisted Solution

by:Jan Springer
Jan Springer earned 250 total points
ID: 21869103
you're too funny.  

can you ping the IP of that NIC?  can you ping the IP at the other end of that NIC?

does a "netstat -i" show errors on that interface?

does "ethtool" show anything interesting?

is that NIC connected to a switch?  do the speeds and duplexes match?

Author Closing Comment

ID: 31473478
after a long battle, I decided to use a more advanced router instead of the linux, which is now working flawlessly. thanks for your help still, and sorry for the delay

Featured Post

Easy, flexible multimedia distribution & control

Coming soon!  Ideal for large-scale A/V applications, ATEN's VM3200 Modular Matrix Switch is an all-in-one solution that simplifies video wall integration. Easily customize display layouts to see what you want, how you want it in 4k.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In my business, I use the LTS (Long Term Support) versions of Linux. My workstations do real work, and so I rarely have the patience to deal with silly problems caused by an upgraded kernel that had experimental software on it to begin with from a r…
The purpose of this article is to fix the unknown display problem in Linux Mint operating system. After installing the OS if you see Display monitor is not recognized then we can install "MESA" utilities to fix this problem or we can install additio…
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question