[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

RE: Port Forwarding




> -----Original Message-----
> From: redhat-list-bounces redhat com [mailto:redhat-list-
> bounces redhat com] On Behalf Of Steven Buehler
> Sent: Wednesday, December 19, 2007 1:13 PM
> To: 'General Red Hat Linux discussion list'
> Subject: RE: Port Forwarding
> 
> > On Dec 19, 2007, at 9:43 AM, Steven Buehler wrote:
> >
> > >> -----Original Message-----
> > >> From: redhat-list-bounces redhat com [mailto:redhat-list-
> > >> bounces redhat com] On Behalf Of Troy Amburg
> > >> Sent: Wednesday, December 19, 2007 11:34 AM
> > >> To: General Red Hat Linux discussion list
> > >> Subject: Re: Port Forwarding
> > >>
> > >> Do you have a traceroute from Machine1 to Machine2? Also, is the
> > >> default route set correctly on Machine1?
> > >>
> > >> On Dec 19, 2007, at 9:07 AM, Steven Buehler wrote:
> > >>
> > >>> I am trying to do port forwarding and I just can't seem to get it
> > >>> to work.
> > >>> I hope that someone can help.
> > >>>
> > >>> Machine 1 is running RHEL AS 4.4 with the 2.6.9-42.0.2.ELsmp
> > kernel.
> > >>> iptables has been running as my firewall since I set it up.
> > >>>
> > >>> I am trying to get anything that comes in to port 3389 on
> "Machine
> > >>> 1" to go
> > >>> to "Machine2" at a different location.  Lets say for this that
> the
> > >>> IP of
> > >>> "Machine1" is 70.70.70.70 and the remote machine ("Machine 2")
> that
> > >>> I want
> > >>> to forward to is 209.209.209.209.  I am assuming that I don't
> have
> > >>> to do
> > >>> anything on "Machine2" except make sure the firewall for that
> port
> > >>> is opened
> > >>> to "Machine 1".
> > >>>
> > >>> I have done the following on "Machine 1":
> > >>> echo 1 > /proc/sys/net/ipv4/ip_forward
> > >>>
> > >>> Here is my /etc/sysconfig/iptables file from "Machine 1".  This
> is
> > >>> not the
> > >>> one that I would normally use because it is to open, but am for
> > >>> testing.
> > >>> ####################
> > >>> # Generated by iptables-save v1.2.11 on Wed Dec 19 10:50:11 2007
> > >>> *nat
> > >>> :PREROUTING ACCEPT [3:536]
> > >>> :POSTROUTING ACCEPT [9:635]
> > >>> :OUTPUT ACCEPT [8:583]
> > >>> -A PREROUTING -p tcp -m tcp --dport 3389 -j DNAT --to-destination
> > >>> 209.209.209.209:80
> > >>> COMMIT
> > >>> # Completed on Wed Dec 19 10:50:11 2007
> > >>> # Generated by iptables-save v1.2.11 on Wed Dec 19 10:50:11 2007
> > >>> *mangle
> > >>> :PREROUTING ACCEPT [318:24902]
> > >>> :INPUT ACCEPT [312:24214]
> > >>> :FORWARD ACCEPT [3:152]
> > >>> :OUTPUT ACCEPT [276:32613]
> > >>> :POSTROUTING ACCEPT [279:32765]
> > >>> COMMIT
> > >>> # Completed on Wed Dec 19 10:50:11 2007
> > >>> # Generated by iptables-save v1.2.11 on Wed Dec 19 10:50:11 2007
> > >>> *filter
> > >>> :INPUT ACCEPT [0:0]
> > >>> :FORWARD ACCEPT [0:0]
> > >>> :OUTPUT ACCEPT [276:32613]
> > >>> :RH-Firewall-1-INPUT - [0:0]
> > >>> -A INPUT -j RH-Firewall-1-INPUT
> > >>> -A FORWARD -i eth0 -p tcp -m tcp --dport 3389 -j ACCEPT
> > >>> -A FORWARD -j RH-Firewall-1-INPUT
> > >>> -A OUTPUT -o eth0 -j LOG --log-prefix "BANDWIDTH_OUT:" --log-
> level
> > 7
> > >>> -A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
> > >>> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> > >>> -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
> > >>> -A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353
> -j
> > >>> ACCEPT
> > >>> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
> > >>> -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j
> > >>> ACCEPT
> > >>> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-
> prohibited
> > >>> COMMIT
> > >>> # Completed on Wed Dec 19 10:50:11 2007
> > >>> ####################
> > >>>
> > >>> Thanks
> > >>> Steve
> > >>>
> > >
> > > A traceroute shows no problems.  Goes to the remote machine just
> > > fine.  I
> > > can also access the port on the remote machine with no problems.
> > >
> > > [root mymachine]# route -n
> > > Kernel IP routing table
> > > Destination     Gateway         Genmask         Flags Metric Ref
> > > Use
> > > Iface
> > > 70.70.70.0     0.0.0.0         255.255.255.0   U     0
> > > 0        0 eth0
> > > 169.254.0.0     0.0.0.0         255.255.0.0     U     0
> > > 0        0 eth0
> > > 0.0.0.0         70.70.70.175   0.0.0.0         UG    0
> > > 0        0 eth0
> > >
> > >
> > -----Original Message-----
> > From: redhat-list-bounces redhat com [mailto:redhat-list-
> > bounces redhat com] On Behalf Of Troy Amburg
> > Sent: Wednesday, December 19, 2007 11:49 AM
> > To: General Red Hat Linux discussion list
> > Subject: Re: Port Forwarding
> >
> > So you can traceroute from Machine1 to Machine2 without any problem,
> > and you can telnet to the port in question, from Machine1 to
> > Machine2? If that's the case, I guess I don't understand what's not
> > working.
> >
> 
> 	Correct.  I have tried setting up port forwarding on several
> servers
> this way and have never been able to get it to work.  Some of the
> machines
> are RHEL 4.x and some are 5.x.  Selinux is not running on any of the
> machines and I can go from Machine1 to the port I want on Machine2 with
> no
> problem.  I only have a problem when it comes to forwarding the ports.
> 	All installations and upgrades are done using up2date/yum so they
> are stock rpms.  I have searched the internet before resorting to this
> list
> and always come up with the same answers, run:
> echo 1 > /proc/sys/net/ipv4/ip_forward (which was set to 0 orginally)
> iptables -A PREROUTING -t nat -p tcp -m tcp --dport 3389 -j DNAT
> --to-destination 209.209.209.209:80
> iptables -A FORWARD -i eth0 -p tcp -m tcp --dport 3389 -j ACCEPT
> iptables -A RH-Firewall-1-INPUT -s myip here -j ACCEPT
> 
> Steve

There has to be something simple that I am missing here.  I have 16 servers
and I tried setting up port forwarding on all of them with no luck.  Simply
running the above 3 lines on each one.  On the remote machines, I would even
stop the firewalls altogether so that I was sure that it wasn't blocking
anything.  3 of the servers are in Kansas, 8 of the servers are in a Data
Center in Missouri and 5 of the servers are in a Data Center in Virginia.  I
have 2 Ethernet ports on each system, but don't use eth1 on all but 3 of
them.  So I never set up these rules to use a second Ethernet port.  Do I
need to use 2 ports?  The systems range from Rehat Linux 7.3 to RH

Steve



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]