Port Forwarding

Steven Buehler steve at ibushost.com
Wed Dec 19 19:13:25 UTC 2007


> On Dec 19, 2007, at 9:43 AM, Steven Buehler wrote:
> 
> >> -----Original Message-----
> >> From: redhat-list-bounces at redhat.com [mailto:redhat-list-
> >> bounces at redhat.com] On Behalf Of Troy Amburg
> >> Sent: Wednesday, December 19, 2007 11:34 AM
> >> To: General Red Hat Linux discussion list
> >> Subject: Re: Port Forwarding
> >>
> >> Do you have a traceroute from Machine1 to Machine2? Also, is the
> >> default route set correctly on Machine1?
> >>
> >> On Dec 19, 2007, at 9:07 AM, Steven Buehler wrote:
> >>
> >>> I am trying to do port forwarding and I just can't seem to get it
> >>> to work.
> >>> I hope that someone can help.
> >>>
> >>> Machine 1 is running RHEL AS 4.4 with the 2.6.9-42.0.2.ELsmp kernel.
> >>> iptables has been running as my firewall since I set it up.
> >>>
> >>> I am trying to get anything that comes in to port 3389 on "Machine 1"
> >>> to go to "Machine2" at a different location.  Let's say for this that
> >>> the IP of "Machine1" is 70.70.70.70 and the remote machine ("Machine 2")
> >>> that I want to forward to is 209.209.209.209.  I am assuming that I
> >>> don't have to do anything on "Machine2" except make sure the firewall
> >>> for that port is opened to "Machine 1".
> >>>
> >>> I have done the following on "Machine 1":
> >>> echo 1 > /proc/sys/net/ipv4/ip_forward
> >>>
> >>> Here is my /etc/sysconfig/iptables file from "Machine 1".  This is not
> >>> the one that I would normally use because it is too open, but I am
> >>> using it for testing.
> >>> ####################
> >>> # Generated by iptables-save v1.2.11 on Wed Dec 19 10:50:11 2007
> >>> *nat
> >>> :PREROUTING ACCEPT [3:536]
> >>> :POSTROUTING ACCEPT [9:635]
> >>> :OUTPUT ACCEPT [8:583]
> >>> -A PREROUTING -p tcp -m tcp --dport 3389 -j DNAT --to-destination 209.209.209.209:80
> >>> COMMIT
> >>> # Completed on Wed Dec 19 10:50:11 2007
> >>> # Generated by iptables-save v1.2.11 on Wed Dec 19 10:50:11 2007
> >>> *mangle
> >>> :PREROUTING ACCEPT [318:24902]
> >>> :INPUT ACCEPT [312:24214]
> >>> :FORWARD ACCEPT [3:152]
> >>> :OUTPUT ACCEPT [276:32613]
> >>> :POSTROUTING ACCEPT [279:32765]
> >>> COMMIT
> >>> # Completed on Wed Dec 19 10:50:11 2007
> >>> # Generated by iptables-save v1.2.11 on Wed Dec 19 10:50:11 2007
> >>> *filter
> >>> :INPUT ACCEPT [0:0]
> >>> :FORWARD ACCEPT [0:0]
> >>> :OUTPUT ACCEPT [276:32613]
> >>> :RH-Firewall-1-INPUT - [0:0]
> >>> -A INPUT -j RH-Firewall-1-INPUT
> >>> -A FORWARD -i eth0 -p tcp -m tcp --dport 3389 -j ACCEPT
> >>> -A FORWARD -j RH-Firewall-1-INPUT
> >>> -A OUTPUT -o eth0 -j LOG --log-prefix "BANDWIDTH_OUT:" --log-level 7
> >>> -A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
> >>> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> >>> -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
> >>> -A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
> >>> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
> >>> -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> >>> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> >>> COMMIT
> >>> # Completed on Wed Dec 19 10:50:11 2007
> >>> ####################
> >>>
> >>> Thanks
> >>> Steve
> >>>
> >
> > A traceroute shows no problems.  Goes to the remote machine just fine.  I
> > can also access the port on the remote machine with no problems.
> >
> > [root at mymachine]# route -n
> > Kernel IP routing table
> > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> > 70.70.70.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
> > 169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
> > 0.0.0.0         70.70.70.175    0.0.0.0         UG    0      0        0 eth0
> >
> >
> -----Original Message-----
> From: redhat-list-bounces at redhat.com [mailto:redhat-list-
> bounces at redhat.com] On Behalf Of Troy Amburg
> Sent: Wednesday, December 19, 2007 11:49 AM
> To: General Red Hat Linux discussion list
> Subject: Re: Port Forwarding
> 
> So you can traceroute from Machine1 to Machine2 without any problem,
> and you can telnet to the port in question, from Machine1 to
> Machine2? If that's the case, I guess I don't understand what's not
> working.
> 

	Correct.  I have tried setting up port forwarding on several servers
this way and have never been able to get it to work.  Some of the machines
are RHEL 4.x and some are 5.x.  Selinux is not running on any of the
machines and I can go from Machine1 to the port I want on Machine2 with no
problem.  I only have a problem when it comes to forwarding the ports.
	All installations and upgrades are done using up2date/yum so they
are stock rpms.  I have searched the internet before resorting to this list
and always come up with the same answers, run:
echo 1 > /proc/sys/net/ipv4/ip_forward (which was set to 0 originally)
iptables -A PREROUTING -t nat -p tcp -m tcp --dport 3389 -j DNAT --to-destination 209.209.209.209:80
iptables -A FORWARD -i eth0 -p tcp -m tcp --dport 3389 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -s myip here -j ACCEPT

Steve
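A small model of the packet path through Machine1's tables, added here as an example and not part of the thread: it shows that the FORWARD rule never sees port 3389 once DNAT has rewritten the packet, and that without a POSTROUTING SNAT rule (an assumed fix, like the constructed client address) Machine2's reply goes straight to the client and bypasses Machine1.

```python
# Added example (not from the thread): model how Machine1's netfilter tables
# rewrite an outside client's SYN and where Machine2's reply then goes.
from dataclasses import dataclass, replace

MACHINE1 = "70.70.70.70"      # Machine1's address, from the thread
MACHINE2 = "209.209.209.209"  # remote target, from the thread
CLIENT = "198.51.100.7"       # constructed: an outside client (TEST-NET-2)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def prerouting_dnat(pkt: Packet) -> Packet:
    """nat PREROUTING: -p tcp --dport 3389 -j DNAT --to-destination 209.209.209.209:80"""
    if pkt.dst == MACHINE1 and pkt.dport == 3389:
        return replace(pkt, dst=MACHINE2, dport=80)
    return pkt

def forward_rule_matches(pkt: Packet) -> bool:
    """filter FORWARD: -i eth0 -p tcp --dport 3389 -j ACCEPT
    FORWARD runs after nat PREROUTING, so it sees dport 80 and this rule
    never matches; the posted ruleset only accepts the packet because
    RH-Firewall-1-INPUT has '-i eth0 -j ACCEPT'.  A tighter rule would
    match '-d 209.209.209.209 -p tcp --dport 80' instead."""
    return pkt.dport == 3389

def postrouting_snat(pkt: Packet, enabled: bool) -> Packet:
    """nat POSTROUTING: -d 209.209.209.209 -p tcp --dport 80 -j SNAT --to-source 70.70.70.70
    This is the rule the posted configuration lacks (assumed fix)."""
    if enabled and pkt.dst == MACHINE2 and pkt.dport == 80:
        return replace(pkt, src=MACHINE1)
    return pkt

def trace_connection(snat_enabled: bool) -> dict:
    """Walk the client's SYN through Machine1 and see where Machine2's SYN-ACK goes."""
    syn = Packet(CLIENT, 40000, MACHINE1, 3389)
    after_dnat = prerouting_dnat(syn)
    outbound = postrouting_snat(after_dnat, snat_enabled)
    # Machine2 answers whatever source it saw.  Only a reply addressed to Machine1
    # passes back through conntrack, which undoes both NAT steps; a reply sent
    # straight to the client arrives from 209.209.209.209:80, matches no socket
    # the client opened, and the connection fails.
    syn_ack = Packet(outbound.dst, outbound.dport, outbound.src, outbound.sport)
    return {
        "forward_rule_matched": forward_rule_matches(after_dnat),
        "reply_dst": syn_ack.dst,
        "reply_returns_via_machine1": syn_ack.dst == MACHINE1,
    }
```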



