tballah


iptables port forwarding DNAT is not working on

I face a problem: I could not succeed in configuring port forwarding on a linux box. When I use iptables -L to list the configuration I see only the default policy, which is "ACCEPT", and I cannot see the DNAT configuration, i.e. the port forwarding that I added. I added it using the commands below:

[root@gwserver log]# /sbin/iptables -t nat -F
[root@gwserver log]# /sbin/iptables -t nat -A PREROUTING -p tcp -d 10.13.1.17 --dport 8081 -j DNAT --to-destination 192.168.107.50:8081

Then, when I use "iptables -L", I see nothing changed.

Could you help figure out what is wrong and check my configuration?
[root@gwserver log]# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:1E:0B:62:11:4E  
          inet addr:10.13.1.17  Bcast:10.13.1.255  Mask:255.255.255.0
          inet6 addr: fe80::21e:bff:fe62:114e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2114764278 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2188537282 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2724035159 (2.5 GiB)  TX bytes:3419229934 (3.1 GiB)
          Interrupt:185 Memory:f8000000-f8012100 
 
eth1      Link encap:Ethernet  HWaddr 00:1E:0B:62:11:48  
          inet addr:192.168.105.220  Bcast:192.168.105.255  Mask:255.255.255.0
          inet6 addr: fe80::21e:bff:fe62:1148/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2462218706 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1824303729 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1682170666 (1.5 GiB)  TX bytes:3807574811 (3.5 GiB)
          Interrupt:82 Memory:fa000000-fa012100 
 
[root@gwserver log]# chkconfig --list | grep iptables
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
 
[root@gwserver log]# uname -r
2.6.18-53.el5PAE
 
[root@gwserver log]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
 
[root@gwserver log]# /sbin/iptables -t nat -F
[root@gwserver log]# /sbin/iptables -t nat -A PREROUTING -p tcp -d 10.13.1.17 --dport 8081 -j DNAT --to-destination 192.168.107.50:8081
[root@gwserver log]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@gwserver log]#


Blaz

try:
iptables -t nat -L

you could add -v -x to get some more info:
iptables -t nat -L -v -x
tballah

ASKER

This is the output of the command "iptables -t nat -L -v -x":

[root@gwserver ~]# iptables -t nat -L -v -x
Chain PREROUTING (policy ACCEPT 164193 packets, 17192697 bytes)
    pkts      bytes target     prot opt in     out     source               destination        
       4      208 DNAT       tcp  --  any    any     anywhere             10.13.1.17          tcp dpt:tproxy to:192.168.107.50:8081

Chain POSTROUTING (policy ACCEPT 31302 packets, 1881381 bytes)
    pkts      bytes target     prot opt in     out     source               destination        

Chain OUTPUT (policy ACCEPT 31302 packets, 1881381 bytes)
    pkts      bytes target     prot opt in     out     source               destination        
[root@gwserver ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

I try to telnet to 10.13.1.17 on port 8081 ("telnet 10.13.1.17 8081"); when I then use "iptables -t nat -L -v -x" I can see that some packets reached this linux box, but I still cannot succeed:

C:\Documents and Settings\ballah>telnet 10.13.1.17 8081
Connecting To 10.13.1.17...Could not open connection to the host, on port 8081:
Connect failed

From the linux box I can successfully telnet to port 8081:

[root@gwserver ~]# telnet 192.168.107.50 8081
Trying 192.168.107.50...
Connected to 192.168.107.50 (192.168.107.50).
Escape character is '^]'.

What else should I configure to enable me to successfully telnet to 10.13.1.17 on port 8081?
Try to add:
iptables -t nat -A POSTROUTING -j MASQUERADE
tballah

ASKER

[root@gwserver ~]# iptables -t nat -L -v -x
Chain PREROUTING (policy ACCEPT 165349 packets, 17315830 bytes)
    pkts      bytes target     prot opt in     out     source               destination        
       4      208 DNAT       tcp  --  any    any     anywhere             10.13.1.17          tcp dpt:tproxy to:192.168.107.50:8081

Chain POSTROUTING (policy ACCEPT 31492 packets, 1892816 bytes)
    pkts      bytes target     prot opt in     out     source               destination        
       6      369 MASQUERADE  all  --  any    any     anywhere             anywhere            

Chain OUTPUT (policy ACCEPT 31498 packets, 1893185 bytes)
    pkts      bytes target     prot opt in     out     source               destination    

After I telnet, I get the result as follows:

C:\Documents and Settings\ballah>telnet 10.13.1.17 8081
Connecting To 10.13.1.17...
ASKER CERTIFIED SOLUTION
Blaz
tballah

ASKER

Hello Blaz:

Thank you for your fast response. I'm now home and I'll update you tomorrow when I work with that linux box.
tballah

ASKER

Dear Blaz:

After I enabled ip forwarding by issuing this command:
echo 1 > /proc/sys/net/ipv4/ip_forward

Now everything is fine. Thanks.
Note that you have to run this command on every reboot. That is, you can/should add it to the /etc/rc.local script.
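An added diagnostic script, not from the thread or its participants, that checks the three prerequisites this thread worked through one at a time: the DNAT rule in the nat table (the reason plain "iptables -L" never showed it), a POSTROUTING MASQUERADE/SNAT rule, and net.ipv4.ip_forward=1. The iptables-save sample inside it is constructed, and the --live mode assumes iptables-save is installed on the gateway.

```shell
#!/bin/sh
# Added diagnostic for the DNAT port-forwarding thread above; not part of the
# original answers. Each check takes its input as an argument so it can be run
# against a captured `iptables-save` dump as well as against the live box.

# ip_forward_enabled [FILE]: 0 when the sysctl file contains 1
ip_forward_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# has_dnat_rule DUMP DST PORT TARGET: 0 when the PREROUTING DNAT rule is in DUMP
has_dnat_rule() {
    printf '%s\n' "$1" |
      grep -q -- "^-A PREROUTING .*-d $2.* --dport $3 -j DNAT --to-destination $4"
}

# has_masquerade DUMP: 0 when some POSTROUTING rule masquerades or SNATs
has_masquerade() {
    printf '%s\n' "$1" | grep -Eq -- '^-A POSTROUTING .*-j (MASQUERADE|SNAT)'
}

# dnat_ready DUMP DST PORT TARGET [FILE]: 0 only when all three checks pass
dnat_ready() {
    has_dnat_rule "$1" "$2" "$3" "$4" && has_masquerade "$1" && ip_forward_enabled "$5"
}

# Constructed sample in iptables-save format, mirroring the rules tballah ended up with.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 10.13.1.17/32 -p tcp -m tcp --dport 8081 -j DNAT --to-destination 192.168.107.50:8081
-A POSTROUTING -j MASQUERADE
COMMIT'

# `sh check_dnat.sh --live` reports whichever prerequisite is still missing on the gateway.
if [ "${1:-}" = "--live" ]; then
    dump="$(iptables-save -t nat 2>/dev/null)"
    has_dnat_rule "$dump" 10.13.1.17/32 8081 192.168.107.50:8081 || echo "missing: nat PREROUTING DNAT rule"
    has_masquerade "$dump" || echo "missing: POSTROUTING MASQUERADE/SNAT rule"
    ip_forward_enabled || echo "missing: net.ipv4.ip_forward=1 (persist it in /etc/rc.local or sysctl.conf)"
fi
```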