On 10/22/07, आशीष शुक्ल Ashish Shukla <[EMAIL PROTECTED]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> I used to connect to internet by PPPoE dialing to my ISP from my box
> (172.16.0.3). I wanted to DNAT TCP packets coming from external world
> on "9053" TCP port of "ppp0" interface (which gets created as a result of
> PPPoE dialing) to my machine's ethernet interface (eth0)'s TCP port
> "1203".
>
> The network service which I wanted to expose is listening on 172.16.0.3:1203.
>
It's not clear, so I am assuming here that the service and the internet
connection are on the same machine.
> For that I've created following iptables rules:
>
> iptables -t filter -A INPUT   -i ppp0 -p tcp -m state --state NEW --dport 9053 -j EPT
> iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 9053 -j DNAT --to-destination 172.16.0.3:1203
> iptables -t filter -A FORWARD -d 172.16.0.3 -p tcp --dport 1203 -j ACCEPT
>
The packets will hit the PREROUTING chain first and the dst port will
be modified; therefore, in your INPUT chain rule you give port 1203.
Also there is no need to use the state module, because you need to open
this port for NEW as well as ESTABLISHED packets.
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 1203 -j ACCEPT
Hint: use iptables -t <table-name> -nvL <chain-name> to debug
which rules are being hit.

> But unfortunately the above rules are not working as documented. I've then
> modified the service to listen on the same TCP port as exposed to the external
> world, i.e. "9053". I also modified the iptables rules accordingly and it
> worked. Following are the new rules:
>
> iptables -t filter -A INPUT   -i ppp0 -p tcp -m state --state NEW --dport 9053 -j ACCEPT
> iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 9053 -j DNAT --to-destination 172.16.0.3
> iptables -t filter -A FORWARD -d 172.16.0.3 -p tcp --dport 9053 -j ACCEPT
>
> I'm running Linux kernel version "2.6.18-5-amd64". Can anyone tell me what
> I'm doing wrong?
>
> TIA
> Ashish Shukla
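As an added illustration (not part of the thread), a small Python model of the hook order the reply describes: nat/PREROUTING rewrites the destination before the routing decision, so a packet for the local box reaches filter/INPUT with the post-DNAT port and never touches FORWARD. The ppp0 address 203.0.113.7, the default DROP policy and the packet are constructed assumptions; the rules mirror the poster's and the reply's.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple
# Constructed: 172.16.0.3 is eth0 (from the thread); 203.0.113.7 stands in for the ppp0 address.
LOCAL_ADDRS = {"172.16.0.3", "203.0.113.7"}

@dataclass(frozen=True)
class Packet:
    in_iface: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    table: str
    chain: str
    target: str
    in_iface: Optional[str] = None  # None = match not specified, like an omitted -i/-d/--dport
    dst: Optional[str] = None
    dport: Optional[int] = None
    to_dst: Optional[str] = None    # DNAT --to-destination addr[:port]

    def matches(self, pkt: Packet) -> bool:
        return all(v is None or v == getattr(pkt, k) for k, v in
                   (("in_iface", self.in_iface), ("dst", self.dst), ("dport", self.dport)))
def run_chain(rules: List[Rule], table: str, chain: str, pkt: Packet, policy: str) -> Tuple[str, Packet]:
    """First matching rule wins; DNAT rewrites the destination before the packet moves on."""
    for r in rules:
        if r.table == table and r.chain == chain and r.matches(pkt):
            if r.target == "DNAT":
                addr, _, port = r.to_dst.partition(":")
                return "DNAT", replace(pkt, dst=addr, dport=int(port) if port else pkt.dport)
            return r.target, pkt
    return policy, pkt

def deliver(rules: List[Rule], pkt: Packet) -> Tuple[str, str, int]:
    """nat/PREROUTING runs before the routing decision, which sends a locally addressed packet to
    filter/INPUT and anything else to filter/FORWARD. Assumes a default DROP policy on both."""
    _, pkt = run_chain(rules, "nat", "PREROUTING", pkt, policy="ACCEPT")
    chain = "INPUT" if pkt.dst in LOCAL_ADDRS else "FORWARD"
    verdict, pkt = run_chain(rules, "filter", chain, pkt, policy="DROP")
    return chain, verdict, pkt.dport
DNAT = Rule("nat", "PREROUTING", "DNAT", in_iface="ppp0", dport=9053, to_dst="172.16.0.3:1203")
FWD = Rule("filter", "FORWARD", "ACCEPT", dst="172.16.0.3", dport=1203)
# Poster's first rule set: INPUT still matches the pre-DNAT port 9053, so the packet is dropped.
ORIGINAL = [Rule("filter", "INPUT", "ACCEPT", in_iface="ppp0", dport=9053), DNAT, FWD]
# The reply's fix: INPUT matches the post-DNAT port 1203; FORWARD is never consulted for a local dst.
FIXED = [Rule("filter", "INPUT", "ACCEPT", in_iface="ppp0", dport=1203), DNAT, FWD]
# Constructed packet: a connection from the internet arriving on ppp0 for the exposed port 9053.
INCOMING = Packet(in_iface="ppp0", dst="203.0.113.7", dport=9053)
```

The same model also explains why the poster's second rule set worked: a DNAT with no port keeps dport 9053, which the INPUT rule for 9053 then matches.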
_______________________________________________
ilugd mailinglist -- ilugd@lists.linux-delhi.org
http://frodo.hserus.net/mailman/listinfo/ilugd
Next Event: http://freed.in - September 28-29, 2007
Archives at: http://news.gmane.org/gmane.user-groups.linux.delhi 
http://www.mail-archive.com/ilugd@lists.linux-delhi.org/
