Port Forwarding
Troy Amburg
troya at u.washington.edu
Wed Dec 19 23:54:11 UTC 2007
I just did this a couple of days ago, so this is from my shell history.
This is on the gateway host, running RHEL 5, that sits on a private
and public network. The default gateway on all the private network
hosts points to this host.
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
service iptables save
On Dec 19, 2007, at 3:42 PM, Steven Buehler wrote:
>
>
>> -----Original Message-----
>> From: redhat-list-bounces at redhat.com [mailto:redhat-list-bounces at redhat.com] On Behalf Of Steven Buehler
>> Sent: Wednesday, December 19, 2007 1:13 PM
>> To: 'General Red Hat Linux discussion list'
>> Subject: RE: Port Forwarding
>>
>>> On Dec 19, 2007, at 9:43 AM, Steven Buehler wrote:
>>>
>>>>> -----Original Message-----
>>>>> From: redhat-list-bounces at redhat.com [mailto:redhat-list-bounces at redhat.com] On Behalf Of Troy Amburg
>>>>> Sent: Wednesday, December 19, 2007 11:34 AM
>>>>> To: General Red Hat Linux discussion list
>>>>> Subject: Re: Port Forwarding
>>>>>
>>>>> Do you have a traceroute from Machine1 to Machine2? Also, is the
>>>>> default route set correctly on Machine1?
>>>>>
>>>>> On Dec 19, 2007, at 9:07 AM, Steven Buehler wrote:
>>>>>
>>>>>> I am trying to do port forwarding and I just can't seem to get it
>>>>>> to work.
>>>>>> I hope that someone can help.
>>>>>>
>>>>>> Machine 1 is running RHEL AS 4.4 with the 2.6.9-42.0.2.ELsmp kernel.
>>>>>> iptables has been running as my firewall since I set it up.
>>>>>>
>>>>>> I am trying to get anything that comes in to port 3389 on "Machine 1"
>>>>>> to go to "Machine2" at a different location. Let's say for this that
>>>>>> the IP of "Machine1" is 70.70.70.70 and the remote machine ("Machine 2")
>>>>>> that I want to forward to is 209.209.209.209. I am assuming that I
>>>>>> don't have to do anything on "Machine2" except make sure the firewall
>>>>>> for that port is opened to "Machine 1".
>>>>>>
>>>>>> I have done the following on "Machine 1":
>>>>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>>>>
>>>>>> Here is my /etc/sysconfig/iptables file from "Machine 1". This is not
>>>>>> the one that I would normally use because it is too open, but I am
>>>>>> using it for testing.
>>>>>> ####################
>>>>>> # Generated by iptables-save v1.2.11 on Wed Dec 19 10:50:11 2007
>>>>>> *nat
>>>>>> :PREROUTING ACCEPT [3:536]
>>>>>> :POSTROUTING ACCEPT [9:635]
>>>>>> :OUTPUT ACCEPT [8:583]
>>>>>> -A PREROUTING -p tcp -m tcp --dport 3389 -j DNAT --to-destination 209.209.209.209:80
>>>>>> COMMIT
>>>>>> # Completed on Wed Dec 19 10:50:11 2007
>>>>>> # Generated by iptables-save v1.2.11 on Wed Dec 19 10:50:11 2007
>>>>>> *mangle
>>>>>> :PREROUTING ACCEPT [318:24902]
>>>>>> :INPUT ACCEPT [312:24214]
>>>>>> :FORWARD ACCEPT [3:152]
>>>>>> :OUTPUT ACCEPT [276:32613]
>>>>>> :POSTROUTING ACCEPT [279:32765]
>>>>>> COMMIT
>>>>>> # Completed on Wed Dec 19 10:50:11 2007
>>>>>> # Generated by iptables-save v1.2.11 on Wed Dec 19 10:50:11 2007
>>>>>> *filter
>>>>>> :INPUT ACCEPT [0:0]
>>>>>> :FORWARD ACCEPT [0:0]
>>>>>> :OUTPUT ACCEPT [276:32613]
>>>>>> :RH-Firewall-1-INPUT - [0:0]
>>>>>> -A INPUT -j RH-Firewall-1-INPUT
>>>>>> -A FORWARD -i eth0 -p tcp -m tcp --dport 3389 -j ACCEPT
>>>>>> -A FORWARD -j RH-Firewall-1-INPUT
>>>>>> -A OUTPUT -o eth0 -j LOG --log-prefix "BANDWIDTH_OUT:" --log-level 7
>>>>>> -A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
>>>>>> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
>>>>>> -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
>>>>>> -A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
>>>>>> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
>>>>>> -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>>>>>> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>>>>>> COMMIT
>>>>>> # Completed on Wed Dec 19 10:50:11 2007
>>>>>> ####################
>>>>>>
>>>>>> Thanks
>>>>>> Steve
>>>>>>
>>>>
>>>> A traceroute shows no problems. Goes to the remote machine just fine.
>>>> I can also access the port on the remote machine with no problems.
>>>>
>>>> [root at mymachine]# route -n
>>>> Kernel IP routing table
>>>> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>>>> 70.70.70.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
>>>> 169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
>>>> 0.0.0.0         70.70.70.175    0.0.0.0         UG    0      0        0 eth0
>>>>
>>>>
>>> -----Original Message-----
>>> From: redhat-list-bounces at redhat.com [mailto:redhat-list-bounces at redhat.com] On Behalf Of Troy Amburg
>>> Sent: Wednesday, December 19, 2007 11:49 AM
>>> To: General Red Hat Linux discussion list
>>> Subject: Re: Port Forwarding
>>>
>>> So you can traceroute from Machine1 to Machine2 without any problem,
>>> and you can telnet to the port in question, from Machine1 to
>>> Machine2? If that's the case, I guess I don't understand what's not
>>> working.
>>>
>>
>> Correct. I have tried setting up port forwarding on several servers
>> this way and have never been able to get it to work. Some of the
>> machines are RHEL 4.x and some are 5.x. SELinux is not running on any
>> of the machines and I can go from Machine1 to the port I want on
>> Machine2 with no problem. I only have a problem when it comes to
>> forwarding the ports. All installations and upgrades are done using
>> up2date/yum so they are stock rpms. I have searched the internet before
>> resorting to this list and always come up with the same answers, run:
>> echo 1 > /proc/sys/net/ipv4/ip_forward (which was set to 0 originally)
>> iptables -A PREROUTING -t nat -p tcp -m tcp --dport 3389 -j DNAT --to-destination 209.209.209.209:80
>> iptables -A FORWARD -i eth0 -p tcp -m tcp --dport 3389 -j ACCEPT
>> iptables -A RH-Firewall-1-INPUT -s myip here -j ACCEPT
>>
>> Steve
>
> There has to be something simple that I am missing here. I have 16
> servers and I tried setting up port forwarding on all of them with no
> luck. Simply running the above 3 lines on each one. On the remote
> machines, I would even stop the firewalls altogether so that I was sure
> that it wasn't blocking anything. 3 of the servers are in Kansas, 8 of
> the servers are in a Data Center in Missouri and 5 of the servers are in
> a Data Center in Virginia. I have 2 Ethernet ports on each system, but
> don't use eth1 on all but 3 of them. So I never set up these rules to
> use a second Ethernet port. Do I need to use 2 ports? The systems range
> from Red Hat Linux 7.3 to RH
>
> Steve
>
> --
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
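The packet flow this thread is trying to set up, as an added example that is not the original posters' or Red Hat's code: a small Python model of one TCP connection passing through Machine1's nat PREROUTING (DNAT), filter FORWARD and nat POSTROUTING, with conntrack reversing the translations on the reply. Addresses and ports mirror the thread (70.70.70.70:3389 forwarded to 209.209.209.209:80); the client address 198.51.100.7 and the two ephemeral ports are constructed for the model. Run with and without the source translation it shows why a DNAT toward a host on another network also needs something like the MASQUERADE rule in the reply at the top, and that a --dport test in FORWARD sees the already-rewritten port.

```python
from dataclasses import dataclass, replace

# Values from the thread: Machine1 (the gateway) and Machine2 (the target).
GATEWAY_IP = "70.70.70.70"
FORWARD_PORT = 3389
TARGET_IP = "209.209.209.209"
TARGET_PORT = 80
# Constructed values for the model: a client on the Internet and two
# ephemeral ports (the client's, and the one MASQUERADE picks).
CLIENT_IP = "198.51.100.7"
CLIENT_PORT = 51234
SNAT_PORT = 40000


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self):
        """The packet a host sends back on this flow: endpoints swapped."""
        return Packet(self.dst, self.dport, self.src, self.sport)


def prerouting_dnat(pkt):
    """nat PREROUTING: -p tcp --dport 3389 -j DNAT --to-destination 209.209.209.209:80"""
    if pkt.dst == GATEWAY_IP and pkt.dport == FORWARD_PORT:
        return replace(pkt, dst=TARGET_IP, dport=TARGET_PORT)
    return pkt


def forward_rule_matches(pkt, dport):
    """filter FORWARD runs after PREROUTING, so a --dport test here sees
    the rewritten destination port, not the one the client connected to."""
    return pkt.dport == dport


def postrouting_snat(pkt, masquerade):
    """nat POSTROUTING -o eth0 -j MASQUERADE: rewrite the source to the
    gateway's own address so Machine2's replies come back through it."""
    if masquerade:
        return replace(pkt, src=GATEWAY_IP, sport=SNAT_PORT)
    return pkt


def forward_connection(masquerade):
    """Trace a client SYN out to Machine2 and the SYN-ACK back.
    Returns (delivered_ok, explanation)."""
    client_syn = Packet(CLIENT_IP, CLIENT_PORT, GATEWAY_IP, FORWARD_PORT)
    on_wire = postrouting_snat(prerouting_dnat(client_syn), masquerade)
    # conntrack keys the flow by the translated 4-tuple so it can reverse
    # both the DNAT and the SNAT when the reply comes back.
    conntrack = {on_wire: client_syn}

    server_reply = on_wire.reply()      # Machine2 answers whatever source it saw
    if server_reply.dst == GATEWAY_IP:
        original = conntrack[server_reply.reply()]
        delivered = original.reply()    # gateway restores 70.70.70.70:3389 as source
    else:
        delivered = server_reply        # straight to the client; gateway never sees it

    expected = (GATEWAY_IP, FORWARD_PORT)
    got = (delivered.src, delivered.sport)
    if got == expected:
        return True, "reply came from %s:%d, matching the client's connection" % expected
    return (False, "client connected to %s:%d but the reply came from %s:%d, "
                   "so the client's TCP stack rejects it" % (expected + got))


if __name__ == "__main__":
    for masq in (False, True):
        ok, why = forward_connection(masq)
        print("MASQUERADE=%-5s ok=%-5s %s" % (masq, ok, why))
```

Without the source translation the SYN leaves Machine1 still carrying the client's address, so Machine2 replies to the client directly from 209.209.209.209:80; the client opened a connection to 70.70.70.70:3389, so that reply matches nothing and the handshake never completes. With it, the reply returns to Machine1 and conntrack puts both the original destination and the original source back.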
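A static check over an iptables-save dump, added here and not code from the thread or from Red Hat, that flags the same two conditions in a saved ruleset before it is loaded: a PREROUTING DNAT with no SNAT or MASQUERADE anywhere in nat POSTROUTING, and a filter FORWARD rule whose --dport is the pre-DNAT port. The two dumps are constructed samples that follow the format of the /etc/sysconfig/iptables file quoted above; the ip_forward value is passed in as a parameter rather than read from /proc so the check runs offline.

```python
import shlex

# Constructed dump shaped like the one in the thread: DNAT, no SNAT,
# and a FORWARD rule keyed on the port the client connects to.
SAMPLE_DUMP = """\
# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 3389 -j DNAT --to-destination 209.209.209.209:80
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -p tcp -m tcp --dport 3389 -j ACCEPT
COMMIT
"""

# Constructed dump with both problems addressed: MASQUERADE on the way
# out, and FORWARD matching the post-DNAT destination and port.
FIXED_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 209.209.209.209:80
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o eth0 -d 209.209.209.209 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""


def parse_dump(text):
    """Return {table_name: [token list for each -A rule]} from iptables-save text."""
    tables, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            current = line[1:]
            tables.setdefault(current, [])
        elif line.startswith("-A ") and current is not None:
            tables[current].append(shlex.split(line))  # shlex keeps quoted args intact
    return tables


def option(tokens, name):
    """Value that follows option `name` in a rule's token list, or None."""
    if name in tokens:
        i = tokens.index(name)
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def audit(text, ip_forward=1):
    """Return a list of human-readable findings; an empty list means no issue found."""
    findings = []
    tables = parse_dump(text)
    if ip_forward != 1:
        findings.append("net.ipv4.ip_forward is 0: the kernel will not forward at all")

    nat = tables.get("nat", [])
    dnats = [r for r in nat if r[1] == "PREROUTING" and option(r, "-j") == "DNAT"]
    has_snat = any(r[1] == "POSTROUTING" and option(r, "-j") in ("SNAT", "MASQUERADE")
                   for r in nat)
    if dnats and not has_snat:
        findings.append("DNAT in PREROUTING but no SNAT/MASQUERADE in POSTROUTING: "
                        "replies from the target will bypass this gateway")

    forward = [r for r in tables.get("filter", []) if r[1] == "FORWARD"]
    for d in dnats:
        orig_port = option(d, "--dport")
        dest = option(d, "--to-destination") or ""
        new_port = dest.rsplit(":", 1)[1] if ":" in dest else orig_port
        for f in forward:
            fp = option(f, "--dport")
            if fp is not None and fp == orig_port and fp != new_port:
                findings.append("FORWARD rule matches --dport %s, but DNAT has already "
                                "rewritten it to %s by the time FORWARD runs" % (fp, new_port))
    return findings


if __name__ == "__main__":
    for name, dump in (("sample", SAMPLE_DUMP), ("fixed", FIXED_DUMP)):
        print(name, audit(dump) or ["ok"])
```

On a real host the same function can be fed the output of `iptables-save` and the contents of /proc/sys/net/ipv4/ip_forward; the point of the FORWARD check is that an ACCEPT keyed on the client-facing port only appears to work when the chain policy is ACCEPT, and silently stops matching once the policy is tightened.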