[EMAIL PROTECTED] wrote:
>
> But it doesn't work.
>
> Lines like
>
> iptables -t nat -A PREROUTING --protocol tcp -d 216.138.195.194 --dport 27012 -j DNAT --to-destination 172.25.1.5:27012 --verbose
> iptables -t nat -A PREROUTING --protocol udp -d 216.138.195.194 --dport 27012 -j DNAT --to-destination 172.25.1.5:27012 --verbose
> iptables -t nat -A POSTROUTING --protocol udp -s 172.25.1.5 --sport 27012 -j SNAT --to-source 216.138.195.194:27012 --verbose
> iptables -t nat -A POSTROUTING --protocol tcp -s 172.25.1.5 --sport 27012 -j SNAT --to-source 216.138.195.194:27012 --verbose
>
> have no effect at all (as checked by iptables --list)

You also need some "FORWARD" rules (don't know if you have them, or not). E.g:

/sbin/iptables -A FORWARD -p tcp --dport 27012 -d 172.25.1.5 -j ACCEPT
/sbin/iptables -A FORWARD -p udp --dport 27012 -d 172.25.1.5 -j ACCEPT

> I suspect there's probably a missing kernel module. But which one?
> And where do I find it? The docs for iptables say that it will attempt
> to load any necessary modules, so I presume a simple modprobe isn't
> enough. Or else that it doesn't try hard enough.

This is a very useful example:

http://tldp.org/HOWTO/IP-Masquerade-HOWTO/stronger-firewall-examples.html#RC.FIREWALL-IPTABLES-STRONGER

Here is what I have in my script:

---
# Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Load some required (and a few optional) kernel modules
if [ -z "` $LSMOD | $GREP ip_tables | $AWK {'print $1'} `" ]; then
    $MODPROBE ip_tables
fi
if [ -z "` $LSMOD | $GREP ip_conntrack | $AWK {'print $1'} `" ]; then
    $MODPROBE ip_conntrack
fi
if [ -z "` $LSMOD | $GREP ip_conntrack_ftp | $AWK {'print $1'} `" ]; then
    $MODPROBE ip_conntrack_ftp
fi
if [ -z "` $LSMOD | $GREP ip_conntrack_irc | $AWK {'print $1'} `" ]; then
    $MODPROBE ip_conntrack_irc
fi
if [ -z "` $LSMOD | $GREP iptable_nat | $AWK {'print $1'} `" ]; then
    $MODPROBE iptable_nat
fi
if [ -z "` $LSMOD | $GREP ip_nat_ftp | $AWK {'print $1'} `" ]; then
    $MODPROBE ip_nat_ftp
fi
if [ -z "` $LSMOD | $GREP ip_nat_irc | $AWK {'print $1'} `" ]; then
    $MODPROBE ip_nat_irc
fi
---

Hope this helps,

-- 
George Borisov
DXSolutions Ltd
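
An added example, not part of the original message: `iptables --list` prints only the filter table, so nat rules have to be inspected with `iptables -t nat --list` or `iptables-save`. The sketch below reads `iptables-save` output and reports, for each DNAT rule, whether a FORWARD rule accepts the translated destination; the function names and the embedded ruleset are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Reads iptables-save output on
# stdin and reports, for every DNAT rule in nat/PREROUTING, whether the filter
# table's FORWARD chain accepts the translated destination.
# Limitation: only exact -d/-p/--dport ACCEPT rules or an ACCEPT chain policy
# are recognised; broader matches (e.g. conntrack state rules) are not.
check_dnat_forward() {
    awk '
    function opt(name,   i) {            # value following option "name"
        for (i = 1; i < NF; i++) if ($i == name) return $(i + 1)
        return ""
    }
    /^\*/ { table = substr($1, 2) }      # "*nat", "*filter", ...
    table == "filter" && $1 == ":FORWARD" { policy = $2 }
    table == "filter" && $1 == "-A" && $2 == "FORWARD" && opt("-j") == "ACCEPT" {
        d = opt("-d"); sub(/\/32$/, "", d)
        allow[opt("-p") " " d ":" opt("--dport")] = 1
    }
    table == "nat" && $1 == "-A" && $2 == "PREROUTING" && opt("-j") == "DNAT" {
        want[++n] = opt("-p") " " opt("--to-destination")
    }
    END {
        for (i = 1; i <= n; i++) {
            if (want[i] in allow)        print "OK " want[i]
            else if (policy == "ACCEPT") print "OK(policy) " want[i]
            else                         print "MISSING " want[i]
        }
    }'
}

# Constructed sample ruleset: the tcp forward is allowed, the udp one is not.
sample_ruleset() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 216.138.195.194/32 -p tcp -m tcp --dport 27012 -j DNAT --to-destination 172.25.1.5:27012
-A PREROUTING -d 216.138.195.194/32 -p udp -m udp --dport 27012 -j DNAT --to-destination 172.25.1.5:27012
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -d 172.25.1.5/32 -p tcp -m tcp --dport 27012 -j ACCEPT
COMMIT
EOF
}

sample_ruleset | check_dnat_forward
```

On a live gateway, run `iptables-save | check_dnat_forward` as root, and confirm separately that `/proc/sys/net/ipv4/ip_forward` contains 1.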