Tarragon, a pair of these rules (eth0: external):

iptables -A FORWARD -m state --state NEW -p tcp -i eth0 -d 192.168.0.2 --dport 2401
iptables -t nat -A POSTROUTING -i eth0 -p tcp --dport 2401 -j DNAT --to-destination 192.168.0.1:2401

still does not show port 2401 open with an nmap localhost on the gateway. I hope I understood your changes correctly. Logically this should work.

Jule

On Wed, 2003-09-03 at 21:32, Tarragon Allen wrote:
> On Thursday 04 September 2003 11:15, Jule Slootbeek wrote:
> > Hi,
> > Thank you for your feedback, I took your advice I think... :) and this is
> > what I came up with
> >
> > echo "Setting firewall rules..."
> > #ipforwarding and masquerading
> > iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j MASQUERADE
> > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > iptables -A INPUT -i lo -j ACCEPT
> > iptables -A OUTPUT -m state --state NEW -j ACCEPT
> > iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> > iptables -A FORWARD -m state --state NEW -s 192.168.0.0/24 -j ACCEPT
> > # allows for forwarding
> > iptables -A FORWARD -m state --state NEW -p tcp -s 140.232.x.x --dport 2401 -j ACCEPT
> > iptables -A FORWARD -m state --state NEW -p tcp -s 140.232.x.x --dport 22 -j ACCEPT
> > iptables -A FORWARD -m state --state NEW -p tcp -s 140.232.x.x --dport 80 -j ACCEPT
> >
> > #redirecting ports
> > iptables -t nat -A PREROUTING -d 140.232.x.x1 -p tcp --dport 2401 -j DNAT --to-destination 192.168.0.2:2401
> > iptables -t nat -A PREROUTING -d 140.232.x.x -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2:80
> > iptables -t nat -A PREROUTING -d 140.232.x.x -p tcp --dport 22 -j DNAT --to-destination 192.168.0.3:22
> > ;;
> >
> > but now when I run the firewall, ports 2401 and 80 are not open (nmap
> > localhost) and nmap 140.232.x.x times out. I'm not sure what's wrong.
> > TIA,
> >
> > Jule
>
> First things first, I have to ask the obvious: have you enabled forwarding?
>
> sysctl -w net/ipv4/ip_forward=1
>
> Secondly, you are defining a source address of 140.232.x.x in your FORWARD
> rules, that should be destination address, not source address. Also, you may
> need to use the internal end-point rather than the external address in those
> FORWARD rules, i.e. 192.168.0.2 instead of 140.232.x.x. I'd also use '-i eth0'
> for those FORWARD rules (or whatever your external interface is, ppp0 or
> whatever).
>
> Hope this helps.
>
> t
> --
> GPG: http://n12turbo.com/tarragon/public.key
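The script below is an added example, written for this page and not posted by either Jule or Tarragon. It puts Tarragon's advice into one rule set for the setup in the thread: a DNAT rule in nat/PREROUTING per forwarded port, paired with a FORWARD rule that matches the internal destination and the external interface and ends in `-j ACCEPT`. Two points worth keeping in mind when comparing it with the rules in the message above: the DNAT target is only valid in the nat PREROUTING and OUTPUT chains, so a DNAT rule in POSTROUTING is rejected by iptables, and packets that the gateway generates itself (an nmap against localhost) traverse nat/OUTPUT rather than PREROUTING, so such a scan never exercises these rules; test from a host on the outside, or watch the packet counters in `iptables -t nat -L PREROUTING -n -v`. Assumptions: eth0 is the external interface, 140.232.x.x is kept as the thread's placeholder for the public address, 192.168.0.2 and 192.168.0.3 are the internal hosts, and the helper names `run`, `forward_tcp_port` and `apply_rules` are this example's own. Rules are printed rather than applied unless IPTABLES_APPLY=1 is set, so the script can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values: eth0 is the external
# interface, 140.232.x.x stands in for the gateway's public address, and
# 192.168.0.2 / 192.168.0.3 are the internal hosts the ports are forwarded to.
EXT_IF="${EXT_IF:-eth0}"
EXT_ADDR="${EXT_ADDR:-140.232.x.x}"
LAN="${LAN:-192.168.0.0/24}"

# Print the command unless IPTABLES_APPLY=1, in which case execute it.
run() {
    if [ "${IPTABLES_APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Forward one TCP port from the public address to an internal host.
# DNAT is applied in nat/PREROUTING, before the routing decision, so when the
# packet reaches FORWARD its destination is already the internal address.
# That is why the FORWARD rule matches -d "$inner" and -i "$EXT_IF", not the
# public address, and why it must end in -j ACCEPT to actually allow the flow.
forward_tcp_port() {
    port="$1"
    inner="$2"
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_ADDR" -p tcp --dport "$port" \
        -j DNAT --to-destination "$inner:$port"
    run iptables -A FORWARD -i "$EXT_IF" -p tcp -d "$inner" --dport "$port" \
        -m state --state NEW -j ACCEPT
}

apply_rules() {
    # Forwarding must be enabled or nothing is routed between interfaces.
    run sysctl -w net.ipv4.ip_forward=1
    # Flush the chains this script owns so re-running it does not append duplicates.
    run iptables -F FORWARD
    run iptables -t nat -F PREROUTING
    run iptables -t nat -F POSTROUTING
    # Default-deny for forwarded traffic; only the rules below open paths.
    run iptables -P FORWARD DROP
    # LAN hosts reach the outside through masquerading on the external interface.
    run iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN" -j MASQUERADE
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m state --state NEW -s "$LAN" -j ACCEPT
    # The three services redirected in the thread: CVS pserver, HTTP and SSH.
    forward_tcp_port 2401 192.168.0.2
    forward_tcp_port 80 192.168.0.2
    forward_tcp_port 22 192.168.0.3
}

apply_rules
```

Run it once without IPTABLES_APPLY to read the generated rules, then with `IPTABLES_APPLY=1` as root to load them. The FORWARD policy is set to DROP so that the per-port ACCEPT rules are the only way in; if the gateway already carries other FORWARD rules, drop the `-F FORWARD` and `-P FORWARD DROP` lines and integrate the port rules into the existing chain instead.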

