Port Forwarding

Steven Buehler steve at ibushost.com
Wed Dec 19 23:42:09 UTC 2007



> -----Original Message-----
> From: redhat-list-bounces at redhat.com [mailto:redhat-list-
> bounces at redhat.com] On Behalf Of Steven Buehler
> Sent: Wednesday, December 19, 2007 1:13 PM
> To: 'General Red Hat Linux discussion list'
> Subject: RE: Port Forwarding
> 
> > On Dec 19, 2007, at 9:43 AM, Steven Buehler wrote:
> >
> > >> -----Original Message-----
> > >> From: redhat-list-bounces at redhat.com [mailto:redhat-list-
> > >> bounces at redhat.com] On Behalf Of Troy Amburg
> > >> Sent: Wednesday, December 19, 2007 11:34 AM
> > >> To: General Red Hat Linux discussion list
> > >> Subject: Re: Port Forwarding
> > >>
> > >> Do you have a traceroute from Machine1 to Machine2? Also, is the
> > >> default route set correctly on Machine1?
> > >>
> > >> On Dec 19, 2007, at 9:07 AM, Steven Buehler wrote:
> > >>
> > >>> I am trying to do port forwarding and I just can't seem to get it
> > >>> to work.
> > >>> I hope that someone can help.
> > >>>
> > >>> Machine 1 is running RHEL AS 4.4 with the 2.6.9-42.0.2.ELsmp kernel.
> > >>> iptables has been running as my firewall since I set it up.
> > >>>
> > >>> I am trying to get anything that comes in to port 3389 on "Machine 1"
> > >>> to go to "Machine2" at a different location.  Let's say for this that
> > >>> the IP of "Machine1" is 70.70.70.70 and the remote machine
> > >>> ("Machine 2") that I want to forward to is 209.209.209.209.  I am
> > >>> assuming that I don't have to do anything on "Machine2" except make
> > >>> sure the firewall for that port is opened to "Machine 1".
> > >>>
> > >>> I have done the following on "Machine 1":
> > >>> echo 1 > /proc/sys/net/ipv4/ip_forward
> > >>>
> > >>> Here is my /etc/sysconfig/iptables file from "Machine 1".  This is
> > >>> not the one that I would normally use because it is too open, but it
> > >>> is for testing.
> > >>> ####################
> > >>> # Generated by iptables-save v1.2.11 on Wed Dec 19 10:50:11 2007
> > >>> *nat
> > >>> :PREROUTING ACCEPT [3:536]
> > >>> :POSTROUTING ACCEPT [9:635]
> > >>> :OUTPUT ACCEPT [8:583]
> > >>> -A PREROUTING -p tcp -m tcp --dport 3389 -j DNAT --to-destination 209.209.209.209:80
> > >>> COMMIT
> > >>> # Completed on Wed Dec 19 10:50:11 2007
> > >>> # Generated by iptables-save v1.2.11 on Wed Dec 19 10:50:11 2007
> > >>> *mangle
> > >>> :PREROUTING ACCEPT [318:24902]
> > >>> :INPUT ACCEPT [312:24214]
> > >>> :FORWARD ACCEPT [3:152]
> > >>> :OUTPUT ACCEPT [276:32613]
> > >>> :POSTROUTING ACCEPT [279:32765]
> > >>> COMMIT
> > >>> # Completed on Wed Dec 19 10:50:11 2007
> > >>> # Generated by iptables-save v1.2.11 on Wed Dec 19 10:50:11 2007
> > >>> *filter
> > >>> :INPUT ACCEPT [0:0]
> > >>> :FORWARD ACCEPT [0:0]
> > >>> :OUTPUT ACCEPT [276:32613]
> > >>> :RH-Firewall-1-INPUT - [0:0]
> > >>> -A INPUT -j RH-Firewall-1-INPUT
> > >>> -A FORWARD -i eth0 -p tcp -m tcp --dport 3389 -j ACCEPT
> > >>> -A FORWARD -j RH-Firewall-1-INPUT
> > >>> -A OUTPUT -o eth0 -j LOG --log-prefix "BANDWIDTH_OUT:" --log-level 7
> > >>> -A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
> > >>> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> > >>> -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
> > >>> -A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
> > >>> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
> > >>> -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> > >>> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> > >>> COMMIT
> > >>> # Completed on Wed Dec 19 10:50:11 2007
> > >>> ####################
> > >>>
> > >>> Thanks
> > >>> Steve
> > >>>
> > >
> > > A traceroute shows no problems.  Goes to the remote machine just
> > > fine.  I can also access the port on the remote machine with no problems.
> > >
> > > [root at mymachine]# route -n
> > > Kernel IP routing table
> > > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> > > 70.70.70.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
> > > 169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
> > > 0.0.0.0         70.70.70.175    0.0.0.0         UG    0      0        0 eth0
> > >
> > >
> > -----Original Message-----
> > From: redhat-list-bounces at redhat.com [mailto:redhat-list-
> > bounces at redhat.com] On Behalf Of Troy Amburg
> > Sent: Wednesday, December 19, 2007 11:49 AM
> > To: General Red Hat Linux discussion list
> > Subject: Re: Port Forwarding
> >
> > So you can traceroute from Machine1 to Machine2 without any problem,
> > and you can telnet to the port in question, from Machine1 to
> > Machine2? If that's the case, I guess I don't understand what's not
> > working.
> >
> 
> 	Correct.  I have tried setting up port forwarding on several servers
> this way and have never been able to get it to work.  Some of the machines
> are RHEL 4.x and some are 5.x.  SELinux is not running on any of the
> machines and I can go from Machine1 to the port I want on Machine2 with no
> problem.  I only have a problem when it comes to forwarding the ports.
> 	All installations and upgrades are done using up2date/yum so they
> are stock rpms.  I have searched the internet before resorting to this list
> and always come up with the same answers, run:
> echo 1 > /proc/sys/net/ipv4/ip_forward (which was set to 0 originally)
> iptables -A PREROUTING -t nat -p tcp -m tcp --dport 3389 -j DNAT --to-destination 209.209.209.209:80
> iptables -A FORWARD -i eth0 -p tcp -m tcp --dport 3389 -j ACCEPT
> iptables -A RH-Firewall-1-INPUT -s myip here -j ACCEPT
> 
> Steve

There has to be something simple that I am missing here.  I have 16 servers
and I tried setting up port forwarding on all of them with no luck.  Simply
running the above 3 lines on each one.  On the remote machines, I would even
stop the firewalls altogether so that I was sure that it wasn't blocking
anything.  3 of the servers are in Kansas, 8 of the servers are in a Data
Center in Missouri and 5 of the servers are in a Data Center in Virginia.  I
have 2 Ethernet ports on each system, but don't use eth1 on all but 3 of
them.  So I never set up these rules to use a second Ethernet port.  Do I
need to use 2 ports?  The systems range from Red Hat Linux 7.3 to RH

Steve
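
Added example, not part of the thread and not written by either participant. The rules posted above have a DNAT but no POSTROUTING SNAT. Because Machine2 sits at a different site, it sees the client's original source address and answers the client directly from 209.209.209.209; the client, which sent its SYN to 70.70.70.70:3389, receives a SYN/ACK from an address and port it never contacted and drops it, so the handshake never completes even though Machine1 itself can reach Machine2 without trouble. The same missing SNAT also defeats the assumption that Machine2's firewall only needs to be opened to Machine1: without it Machine2 sees the client's address, not Machine1's. Two smaller points: the filter FORWARD chain is evaluated after nat PREROUTING, so a FORWARD rule matching --dport 3389 never matches a packet already rewritten to :80 (harmless in the posted ruleset only because the FORWARD policy is ACCEPT), and the combination of "-i eth0 -j ACCEPT" with an unrestricted DNAT turns Machine1 into an open relay to Machine2 from anywhere. The script below, written for the iptables 1.2.11 / "-m state" generation on the RHEL 4 box in the thread, emits a DNAT and SNAT pair plus FORWARD rules that match the translated destination. The 198.51.100.0/24 client range is a constructed placeholder, and the 3389 target port is an assumption (the posted rule sends to :80); the apply and verify modes have to be run as root on Machine1.

```shell
#!/bin/sh
# Added example, not from the thread: a DNAT relay on "Machine1" that also
# SNATs, so that "Machine2" at the other site answers Machine1 instead of the
# client. Addresses, port and interface are the thread's placeholders; the
# client range and the target port are assumptions (see the variables).

PUB_IF=eth0
MACHINE1=70.70.70.70          # relay, the address clients connect to
MACHINE2=209.209.209.209      # real service host at the other site
CLIENT_PORT=3389              # port clients connect to on Machine1
TARGET_PORT=3389              # assumed; the rule posted in the thread sends to :80
ALLOWED_SRC=198.51.100.0/24   # constructed placeholder: who may use the relay

# Print the commands for the relay.  Arguments: public interface, Machine1
# address, client port, Machine2 address, target port, allowed source range.
build_rules() {
    pub_if=$1 pub_ip=$2 lport=$3 tgt_ip=$4 tport=$5 allowed=$6
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
# 1. DNAT: client -> ${pub_ip}:${lport} becomes client -> ${tgt_ip}:${tport}.
#    Matching -s keeps Machine1 from being an open relay to Machine2.
iptables -t nat -A PREROUTING -i ${pub_if} -s ${allowed} -p tcp -d ${pub_ip} -m tcp --dport ${lport} -j DNAT --to-destination ${tgt_ip}:${tport}
# 2. SNAT, the rule missing from the thread: the forwarded packet leaves with
#    source ${pub_ip}, so Machine2 replies to Machine1, which reverses both
#    translations.  Without it Machine2 answers the client directly from
#    ${tgt_ip} and the client drops a SYN/ACK from an address it never sent to.
iptables -t nat -A POSTROUTING -o ${pub_if} -d ${tgt_ip} -p tcp -m tcp --dport ${tport} -j SNAT --to-source ${pub_ip}
# 3. FORWARD runs after DNAT, so match the translated destination, not the
#    port the client connected to.  Inserted at the top so they sit ahead of
#    the -j RH-Firewall-1-INPUT jump that ends in REJECT.
iptables -I FORWARD 1 -i ${pub_if} -o ${pub_if} -d ${tgt_ip} -p tcp -m tcp --dport ${tport} -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -I FORWARD 2 -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Run the commands as root on Machine1 and persist them the RHEL way.
# ip_forward survives a reboot only if net.ipv4.ip_forward = 1 is also set in
# /etc/sysctl.conf, which this does not do.
apply_rules() {
    build_rules "$@" | grep -v '^[[:space:]]*#' | sh -e
    service iptables save        # rewrites /etc/sysconfig/iptables
}

# After a client connects: the DNAT and SNAT counters must both have moved and
# the connection-tracking table must show one entry carrying both rewrites.
# 2.6.9 kernels expose it as /proc/net/ip_conntrack; later ones as nf_conntrack.
verify_rules() {
    iptables -t nat -L PREROUTING -n -v
    iptables -t nat -L POSTROUTING -n -v
    iptables -L FORWARD -n -v
    ct=/proc/net/ip_conntrack
    [ -r "$ct" ] || ct=/proc/net/nf_conntrack
    grep "dport=$1 " "$ct"
}

case "${1:-}" in
    apply)  apply_rules  "$PUB_IF" "$MACHINE1" "$CLIENT_PORT" "$MACHINE2" "$TARGET_PORT" "$ALLOWED_SRC" ;;
    verify) verify_rules "$CLIENT_PORT" ;;
    *)      build_rules  "$PUB_IF" "$MACHINE1" "$CLIENT_PORT" "$MACHINE2" "$TARGET_PORT" "$ALLOWED_SRC" ;;
esac
```

Run without arguments to print the rules for review, "apply" as root on Machine1 to install and save them, and "verify" after a client has connected. On Machine2, "tcpdump -ni eth0 host 70.70.70.70 and port 3389" should then show SYNs arriving with Machine1 as the source, which is what lets a Machine2 firewall opened only to Machine1 work. The cost of SNAT is that Machine2's logs show Machine1 for every client, so if client attribution matters, log the original source on Machine1 (for example with a LOG rule ahead of the DNAT) rather than relying on Machine2.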



