iptables port forwarding does not work while I have 2 routes

ashokvpp · #1 03-12-2013

Hi,

On my linux server I have 2 routes:

Code:
nexthop via 123.201.254.5 dev eth0 weight 38 nexthop via 111.93.155.149 dev eth2 weight 36

I have a iptable rule like :

iptables -t nat -A PREROUTING -p tcp -i eth0 -d 123.201.254.7 --dport 84 -j DNAT --to 192.168.1.200:80

Now, when I try to telnet from public it does not work

telnet 123.201.254.7 84
Trying 123.201.254.7...

tcpdump -

Code:

[root@firewall ~]# tcpdump -i eth0 -n -n port 84 
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes 
08:28:26.630850 IP 180.151.36.168.41514 > 123.201.254.7.84: S 3097544796:3097544796(0) win 14600 <mss 1460,sackOK,timestamp 1963738 0,nop,wscale 4> 
08:28:29.635321 IP 180.151.36.168.41514 > 123.201.254.7.84: S 3097544796:3097544796(0) win 14600 <mss 1460,sackOK,timestamp 1964490 0,nop,wscale 4> 
08:28:35.642453 IP 180.151.36.168.41514 > 123.201.254.7.84: S 3097544796:3097544796(0) win 14600 <mss 1460,sackOK,timestamp 1965992 0,nop,wscale 4> 
08:28:47.674757 IP 180.151.36.168.41514 > 123.201.254.7.84: S 3097544796:3097544796(0) win 14600 <mss 1460,sackOK,timestamp 1969000 0,nop,wscale 4> 
08:29:11.704090 IP 180.151.36.168.41514 > 123.201.254.7.84: S 3097544796:3097544796(0) win 14600 <mss 1460,sackOK,timestamp 1975008 0,nop,wscale 4>

DGPickett · #2 03-12-2013

Funny, first packet normally is syn no ack no fin, response is syn ack, the all ack until fin and fin ack. Is that sackOK a syn, an ack, ???

When the port changes, I look more to portforwarding examples, which are more than one rule. This works if you shut down either ethernet and address the other in the rule?

ashokvpp · #3 03-13-2013

It works if i just have 1 public and 1 local lan interface.

But, I need to have both ISP's enabled. In my case :

eth0 - ISP1
eth1 - LAN
eth2 - ISP2

Suggest me the iptable rules and how can I do port forward with such setup...

Thanks
Ashok

DGPickett · #4 03-13-2013

It seems like you should have a virtual IP or use a router box, so the path is not in your hair. You are forwarding to the IP of one path, and if it is down, I am not sure routing will get there by the other path. If both ISPs support routing to the same IPs, and those IPs are what you are port forwarding from, then the path does not matter.

Regardless, port forwarding in a two interface world is complicated, needs 4 rules: portforwarding - Iptables: forward request on different interfaces and port - Stack Overflow

ashokvpp · #5 03-13-2013

Thanks DGPickett

It now works.

DGPickett · #6 03-14-2013

It'd be neat if iptables could configure the most popular things like firewall, NAT and port forwarding with one simple line, or a GUI. I mean, if you want b to a out, you want a to b in! There are about zero simplex applications in this world. Sometimes there is outgoing on one LAN and incoming on another!

Thread Tools	Search this Thread
Show Printable Version Email this Page Subscribe to this Thread	Search this Thread: Advanced Search
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

More UNIX and Linux Forum Topics You Might Find Helpful
Thread	Thread Starter	Forum	Replies	Last Post
iptables forwarding not working?	fedora	Security	1	09-25-2010 02:19 AM
SSH Port Forwarding - sharing the same port	regmaster	IP Networking	3	05-03-2010 05:41 PM
Port forwarding	slash_blog	UNIX for Advanced & Expert Users	2	06-20-2008 07:29 AM
port forwarding	imloaded24_7	UNIX for Advanced & Expert Users	1	11-21-2006 10:36 AM
iptables: forwarding a port	meeps	UNIX for Dummies Questions & Answers	1	11-23-2003 02:37 AM

The Following User Says Thank You to DGPickett For This Useful Post:
ashokvpp (03-13-2013)