On Mon, Jan 26, 2009 at 9:23 AM, Linux Cook <[email protected]> wrote:
> Hi guys,
>
> I've set up a centos-5.2 server (eth1 facing the internet) with a simple port
> forwarding where it forwards port 8081 to my internal box's (192.168.0.2)
> port 8080.
>
> $IPTABLES -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 8081 -j DNAT
> --to-destination 192.168.0.2:8080
linux cook.. you have to understand how DNAT and SNAT work... DNAT alters the destination address (and port) while SNAT alters the source address (and port).. your command above alters the destination address as well as its destination port...

here is the actual scenario and what went wrong even though you have the correct command above... assuming the source public ip address connecting to your NAT box is 1.1.1.1 and your NAT box public ip address is 2.2.2.2..

when the client connects to your nat box.. the actual packet looks like this:

    source: 1.1.1.1:xxxx
    destination: 2.2.2.2:8081

when your nat box port forwards to your actual web server (192.168.0.2:8080).. the outgoing packet from your nat box looks like this:

    source: 1.1.1.1:xxxx
    destination: 192.168.0.2:8080

when your web server tries to respond.. the packet looks like this:

    source: 192.168.0.2:8080
    destination: 1.1.1.1:xxxx

with that packet above... the packet reaches 1.1.1.1.. but the server 1.1.1.1 will drop that packet because it doesn't have an entry on its tcp/ip stack.. that's the reason why your port forwarding is not working...

to solve your problem.. you have to add another command on your nat box using SNAT so that the outgoing source ip address is the ip address of your nat box, so that it can be seen and reached by your web server (192.168.0.2)... assuming your eth0 ip address is 192.168.0.1... your iptables command on your nat box looks like this:

    iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 8080 -j MASQUERADE

below is the scenario after adding the command above: the actual translation on your nat box and how it reaches the web server and comes back to the remote client...
    [remote client]  source 1.1.1.1:xxxx       destination 2.2.2.2:8081
    [nat box]        source 192.168.0.1:yyyy   destination 192.168.0.2:8080
    [web server]     source 192.168.0.2:8080   destination 192.168.0.1:yyyy
    [nat box]        source 2.2.2.2:8081       destination 1.1.1.1:xxxx
    [remote client]  source 2.2.2.2:8081       destination 1.1.1.1:xxxx

I'll let you solve your problem as your exercise...

fooler.

_________________________________________________
Philippine Linux Users' Group (PLUG) Mailing List
http://lists.linux.org.ph/mailman/listinfo/plug
Searchable Archives: http://archives.free.net.ph
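The translation sequence in fooler's final table, with the DNAT rule in PREROUTING and the MASQUERADE rule in POSTROUTING, modelled as a small Python simulation. This is an added example, not code from the thread or from netfilter: the addresses are the ones used in the mail (1.1.1.1, 2.2.2.2, 192.168.0.1, 192.168.0.2), the client port 51000 and the masquerade port allocator starting at 40000 are constructed values, and the `conntrack` dictionary is a stand-in for the kernel's connection-tracking table that remembers each translation so the reply can be mapped back. `forward_reply` returns `None` when no state exists for a reply, which is the "no entry" situation the mail describes from the receiving host's point of view.

```python
from dataclasses import dataclass, replace

# Addresses from the mail's scenario; 1.1.1.1 and 2.2.2.2 are illustrative, not real hosts.
CLIENT_IP = "1.1.1.1"
NAT_PUBLIC_IP = "2.2.2.2"    # eth1, internet-facing
NAT_LAN_IP = "192.168.0.1"   # eth0, as assumed in the mail
SERVER_IP = "192.168.0.2"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatBox:
    """Minimal model of the nat table: one DNAT rule in PREROUTING, one
    MASQUERADE rule in POSTROUTING, and a connection-tracking table that
    stores each forward translation so the reply can be un-translated."""

    def __init__(self):
        self.conntrack = {}      # reply 4-tuple -> original (pre-translation) packet
        self.next_port = 40000   # constructed masquerade port allocator

    def prerouting(self, pkt, in_iface):
        # iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 8081 \
        #   -j DNAT --to-destination 192.168.0.2:8080
        if in_iface == "eth1" and pkt.dst_ip == NAT_PUBLIC_IP and pkt.dst_port == 8081:
            return replace(pkt, dst_ip=SERVER_IP, dst_port=8080)
        return pkt

    def postrouting(self, pkt, out_iface):
        # iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 8080 -j MASQUERADE
        if out_iface == "eth0" and pkt.dst_port == 8080:
            port = self.next_port
            self.next_port += 1
            return replace(pkt, src_ip=NAT_LAN_IP, src_port=port)
        return pkt

    def forward_inbound(self, pkt):
        """Client -> server direction: apply both rules and record the mapping."""
        original = pkt
        pkt = self.prerouting(pkt, "eth1")
        pkt = self.postrouting(pkt, "eth0")
        # The server's reply will be sourced from pkt's destination and sent to pkt's source.
        reply_key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        self.conntrack[reply_key] = original
        return pkt

    def forward_reply(self, pkt):
        """Server -> client direction: undo both translations using stored state."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        original = self.conntrack.get(key)
        if original is None:
            return None  # no state for this reply: nothing to map it back to
        # Reply source becomes the original destination (2.2.2.2:8081),
        # reply destination becomes the original source (1.1.1.1:xxxx).
        return Packet(original.dst_ip, original.dst_port, original.src_ip, original.src_port)


def trace_connection(client_port=51000):
    """Return the (hop, packet) sequence for one client->server->client round trip."""
    nat = NatBox()
    hops = []
    syn = Packet(CLIENT_IP, client_port, NAT_PUBLIC_IP, 8081)
    hops.append(("remote client -> nat box", syn))
    to_server = nat.forward_inbound(syn)
    hops.append(("nat box -> web server", to_server))
    reply = Packet(to_server.dst_ip, to_server.dst_port, to_server.src_ip, to_server.src_port)
    hops.append(("web server -> nat box", reply))
    to_client = nat.forward_reply(reply)
    hops.append(("nat box -> remote client", to_client))
    return hops


if __name__ == "__main__":
    for hop, pkt in trace_connection():
        print(f"{hop:28s} source {pkt.src_ip}:{pkt.src_port:<6} destination {pkt.dst_ip}:{pkt.dst_port}")
```

Running the block prints the four hops; the second line shows the masqueraded source 192.168.0.1:40000 reaching the server on port 8080, and the last line shows the reply leaving the nat box as 2.2.2.2:8081 -> 1.1.1.1:51000, matching the mail's table.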

