mistoiic asked:
impossible to forward port 8080 and 3389 with iptables (ubuntu)

Hello :)

I came across a very (to me) weird problem...
Somehow, it seems I'm unable to forward ports 8080 and 3389, while most of the other ports (I didn't test everything) are working perfectly.

Here is how my network looks:

[network: 192.168.0.x] > [ubuntubox eth0: 192.168.0.11 eth1: 10.0.0.2] > [router 10.0.0.1]
the router has 10.0.0.2 as DMZ

so far, everything is ok, all computers behind the box have access to internet.
now, when I want to forward some port into my LAN, problems arise:

For example, I tried to forward port 21 to 192.168.0.9 as follows:

sudo iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
sudo iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 21 -j DNAT --to-destination 192.168.0.9:21

No problem there. But when I try the very same thing with port 8080, to any host on my LAN, it won't work at all. Same goes for 3389.
There is no firewall on the server I'm trying to reach inside the LAN, and no other service blocking the way.
It just won't connect.
I tried with ports 21, 80 and 5900; all of those were OK.

If it's any help, here are the extra packages I installed on Ubuntu: apache, bind, ntop, lynx.
Also, there was some weird error while booting, something like: ACPI Invalid PBLK Length,
but I don't think it's related.

thanks in advance!

Edit: I can see, however, that the timeout on ports 8080 and 3389 is longer when the forward is in place than when I remove the entry from iptables.
kosmoraios

Sounds like your ISP, not IPTables. 8080 is a common proxy port (also old Wingate *shudder*) and 3389 is Remote Desktop Protocol. Both of these are routinely blocked by ISPs, personal firewalls, and other security applications.
If I had paid more attention to your question, I would have seen that you are trying to forward to your internal LAN. Sorry. Is there anything internally that may be blocking those ports?
mistoiic (ASKER)

not that I'm aware of :)

It seems to be random: some ports are OK, while some are not.
Some minutes ago I tried to redirect port 3000 (ntop HTML report) to another IP; it worked.

Another thing I tried was to forward VNC (5900) to 192.168.0.6 (worked).
Then I made VNC listen on port 8080 and forwarded that to 192.168.0.6. It failed, but with a long timeout
(while local connections are OK).
ASKER CERTIFIED SOLUTION
kosmoraios
This solution is only available to members.
Jan Bacher
You don't indicate whether the rules are accepted in iptables and whether you have logged the rules to determine whether iptables is the problem or the destination location.
I did try 8080 because I needed it,
but I also tried 8081 later, and it did not work, while 26352 was OK. It's a mystery to me :(
I didn't log anything, and the rule is accepted (i.e. no error) no matter what port I try.

I will try to log the rules forwarding 8080, and report back :)
Could a broken network interface cause this?
I can change it, at least to eliminate one possibility :)
Are you using this network interface in the rule that doesn't work?
I don't know if it's broken... just a possibility that crossed my mind ;]
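Jan Bacher's suggestion to log the rules, worked through as an added example (this is not code from the thread or from either participant). It sets up a DNAT forward the way the question does, but with a LOG rule in front of the NAT rule and another in front of the FORWARD rule, so syslog shows how far a packet gets, and it reads the per-rule packet counters from the `iptables -v -n -x` listing as a second check. Interface names and addresses follow the question (eth1 toward the router, eth0 toward the 192.168.0.x LAN, 192.168.0.11 as the box's LAN address); the log prefixes, the rate limit, the sample listing and the helper names are this example's own.

```shell
#!/bin/sh
# Added example: DNAT port forward with LOG rules ahead of each working rule,
# plus a reader for the rule counters. Interfaces follow the question: eth1
# faces the router (traffic arrives there), eth0 faces the LAN.

WAN_IF="${WAN_IF:-eth1}"
LAN_IF="${LAN_IF:-eth0}"

# DRY_RUN=1 (default) prints each iptables command instead of running it, so
# the script can be read and tested without root. Use DRY_RUN=0 on the box.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# forward_port PORT DEST_IP [DEST_PORT]
# LOG rules are inserted (-I) so they sit above whatever is already in the
# chain; the working rules are appended (-A) like the asker's own. FORWARD
# sees the packet after DNAT, so it matches the host and port the DNAT rule
# rewrote to. "-m limit" keeps a flood of attempts from filling syslog.
forward_port() {
    port="$1"; dest="$2"; dport="${3:-$1}"
    run iptables -t nat -I PREROUTING -i "$WAN_IF" -p tcp --dport "$port" \
        -m limit --limit 5/min -j LOG --log-prefix "NAT-IN-$port "
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$port" \
        -j DNAT --to-destination "$dest:$dport"
    run iptables -I FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$dest" --dport "$dport" \
        -m limit --limit 5/min -j LOG --log-prefix "FWD-$port "
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$dest" --dport "$dport" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

# rule_hits PATTERN < listing
# Sums the packet counters of the rules matching PATTERN in the output of
#   iptables -t nat -L PREROUTING -v -n -x   or   iptables -L FORWARD -v -n -x
# A counter still at zero after a connection attempt from outside means the
# packet never reached that rule.
rule_hits() {
    grep -- "$1" | awk '{ n += $1 } END { print n + 0 }'
}

# diagnose NAT_HITS FWD_HITS: turn the two counters into the next place to look.
# The last case includes the usual silent culprit: the LAN host must use this
# box (192.168.0.11 in the question) as its default gateway or replies never
# come back through the NAT.
diagnose() {
    if [ "$1" -eq 0 ]; then
        echo "packet never reached $WAN_IF: check the router DMZ/forwarding and the ISP"
    elif [ "$2" -eq 0 ]; then
        echo "DNAT matched but nothing forwarded: check net.ipv4.ip_forward and FORWARD chain order/policy"
    else
        echo "forwarded: check the LAN host (listening service, its firewall, default gateway = 192.168.0.11)"
    fi
}

# Constructed listing in the -v -n -x format, for offline use: 8080 was tried
# from outside (12 packets hit the DNAT rule), 3389 never arrived.
SAMPLE_NAT_LISTING='Chain PREROUTING (policy ACCEPT 3102 packets, 201930 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      12       720 LOG        tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 limit: avg 5/min burst 5 LOG flags 0 level 4 prefix "NAT-IN-8080 "
      12       720 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 to:192.168.0.6:8080
       0         0 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3389 to:192.168.0.9:3389
      57      3420 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 to:192.168.0.9:21'

# Usage: the VNC-on-8080 case from the thread, then read the counters.
forward_port 8080 192.168.0.6
nat_hits=$(printf '%s\n' "$SAMPLE_NAT_LISTING" | rule_hits 'DNAT.*dpt:8080')
diagnose "$nat_hits" 0
```

After a failed connection attempt, `grep -E 'NAT-IN-|FWD-' /var/log/syslog` (or `dmesg`) tells the same story as the counters: a NAT-IN line with no FWD line means the FORWARD chain or `net.ipv4.ip_forward` is the problem, no NAT-IN line at all means the packet never reached eth1, and both lines with no reply points at the LAN host. Run the script with `DRY_RUN=0` only on the gateway itself.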
SOLUTION
This solution is only available to members.
After a long battle, I decided to use a more advanced router instead of the Linux box, which is now working flawlessly. Thanks for your help still, and sorry for the delay.