Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Iptables Nat forward port 29070
Operating Systems Linux Debian Iptables Nat forward port 29070 Post 302598297 by titoms on Tuesday 14th of February 2012 03:44:13 AM
Old 02-14-2012
Iptables Nat forward port 29070
Hello, the Nat and the forward worked on my debian server up to the reboot of machines.

The following rules*:


/sbin/iptables -t nat -A PREROUTING -p tcp -i eth2 -d xxx.xxx.xxx.xxx --dport 29070 -j DNAT --to-destination 10.0.1.7:29070
/sbin/iptables -A FORWARD -p tcp -i eth2 -o eth0 -d 10.0.1.7 --dport 29070 --sport 1024:65535 -m state --state NEW -j ACCEPT

Since the reboot, that doesn't work any more.

I have another rules towards one the others server and that her works.


/sbin/iptables -t nat -A PREROUTING -p tcp -i eth2 -d xxx.xxx.xxx.xxx --dport 29082 -j DNAT --to-destination 10.0.1.8:29082
/sbin/iptables -A FORWARD -p tcp -i eth2 -o eth0 -d 10.0.1.8 --dport 29082 --sport 1024:65535 -m state --state NEW -j ACCEPT

Thank you for your help .
 

10 More Discussions You Might Find Interesting

1. IP Networking

NAT Packets/Port Openine

Firstly, I have no knowledge of hubs, so please keep any advice simple! I have a UNIX hub, connecting three PCs and would like to know if the hub has NAT translation for incoming packets and if th hub is able to NAT translate packets coming in to a local (internal) LAN address.. (3 Replies)
Discussion started by: MartinD
3 Replies

2. UNIX for Advanced & Expert Users

ssh port forward over three server

Hello there, I have a big problem, and I hope somebody can help me. I try to realize a port forward over three server. Here is a picture... Client Server1 | Server2 ------- ------- | ------- |...... | |...... | | |...... ... (2 Replies)
Discussion started by: Art007
2 Replies

3. IP Networking

port forward & DYNDNS Inquiry

Hi, Is there anyone know how to make port forward? And also, how to set up DYNDNS with router? (1 Reply)
Discussion started by: eel
1 Replies

4. IP Networking

iptables forward public IP, no NAT, Debian i386

Hello all, got kinda problem. Have two machines in LAN, one of them connected to Internet directly, another one must be forwarded through the first one. Masquerading works perfectly, but is not what is needed here. Both machines have public IP addresses, when the second machine is forwarded its... (0 Replies)
Discussion started by: Action
0 Replies

5. Ubuntu

Iptables forward traffic to forward chain!!!

Hi, I am new to linux stuff. I want to use linux iptables to configure rule so that all my incoming traffic with protocol "tcp" is forwarded to the "FORWARD CHAIN". The traffic i am dealing with has destination addresss of my machine but i want to block it from coming to input chain and somehow... (0 Replies)
Discussion started by: arsipk
0 Replies

6. UNIX for Advanced & Expert Users

ipf/ipnat NAT/port forward issues

I've been going crazy trying to get this working. Here's the situation: we have a Solaris 10 box that connects an internal network to an external network. We're using ipf/ipnat on it. We've added a couple of new boxes to the internal network (192.168.1.100, .101) and want to be able to get to port... (1 Reply)
Discussion started by: spakov
1 Replies

7. Red Hat

NAT Loopback and iptables

Hello, please can you help and explain me. I have two servers. Both are RHEL6. I use the first one like router and the second one for apache. Router forwards 80 port on the second server and I can open that from the internet (mysite.com, for example). But I can not open mysite.com if i try to... (0 Replies)
Discussion started by: 6765656755
0 Replies

8. Cybersecurity

iptables in a NAT scenario

Hi, I am learning IPTables have this question. My server is behind a firewall that does a PAT & NAT to the LAN address. Internet IP: 68.1.1.23 Port: 10022 Server LAN IP: 10.1.1.23 port: 22 Allowed Internet IPs: 131.1.1.23, 132.1.1.23 I want to allow a set of IPs are to be able to... (1 Reply)
Discussion started by: capri_guy84
1 Replies

9. Cybersecurity

Openvpn nat and iptables

good day good people hi first to tell that firewall and vpn is working as expected, but I notice something strange. I have host system 11.11.11.11(local ip) firewall is blocking everything except port to vpn. I have vpn on virtualized system 22.22.22.22 (CentOS both host and virtual). ... (0 Replies)
Discussion started by: end
0 Replies

10. Red Hat

Port Forward to VPN client.

Hi all, I can't port forward from WAN to VPN Client. VPN Client Ubuntu 18 192.168.0.16 Port 6000 VPN Gateway for LAN clients Centos 192.168.0.12 Router 192.168.0.1 I can forward to the VPN Client if VPN is not connected if I forward Port 6000 from 192.168.0.1 directly to 192.168.0.16.... (2 Replies)
Discussion started by: stinkefisch
2 Replies

LEARN ABOUT DEBIAN

shorewall-nesting

SHOREWALL-NESTING(5)						  [FIXME: manual]					      SHOREWALL-NESTING(5)

NAME

       nesting - Shorewall Nested Zones

SYNOPSIS

       child-zone[:parent-zone[,parent-zone]...]

DESCRIPTION

       In shorewall-zones[1](5), a zone may be declared to be a sub-zone of one or more other zones using the above syntax. The child-zone may be
       neither the firewall zone nor a vserver zone. The firewall zone may not appear as a parent zone, although all vserver zones are handled as
       sub-zones of the firewall zone.

       Where zones are nested, the CONTINUE policy in shorewall-policy[2](5) allows hosts that are within multiple zones to be managed under the
       rules of all of these zones.

EXAMPLE

       /etc/shorewall/zones:

		   #ZONE    TYPE	OPTION
		   fw	    firewall
		   net	    ipv4
		   sam:net  ipv4
		   loc	    ipv4

       /etc/shorewall/interfaces:

		   #ZONE     INTERFACE	   BROADCAST	 OPTIONS
		   -	     eth0	   detect	 dhcp,norfc1918
		   loc	     eth1	   detect

       /etc/shorewall/hosts:

		   #ZONE     HOST(S)			 OPTIONS
		   net	     eth0:0.0.0.0/0
		   sam	     eth0:206.191.149.197

       /etc/shorewall/policy:

		   #SOURCE	DEST	    POLICY	 LOG LEVEL
		   loc		net	    ACCEPT
		   sam		all	    CONTINUE
		   net		all	    DROP	 info
		   all		all	    REJECT	 info

       The second entry above says that when Sam is the client, connection requests should first be processed under rules where the source zone is
       sam and if there is no match then the connection request should be treated under rules where the source zone is net. It is important that
       this policy be listed BEFORE the next policy (net to all). You can have this policy generated for you automatically by using the
       IMPLICIT_CONTINUE option in shorewall.conf[3](5).

       Partial /etc/shorewall/rules:

		   #ACTION   SOURCE    DEST	       PROTO	DEST PORT(S)
		   ...
		   DNAT      sam       loc:192.168.1.3 tcp	ssh
		   DNAT      net       loc:192.168.1.5 tcp	www
		   ...

       Given these two rules, Sam can connect to the firewall's internet interface with ssh and the connection request will be forwarded to
       192.168.1.3. Like all hosts in the net zone, Sam can connect to the firewall's internet interface on TCP port 80 and the connection request
       will be forwarded to 192.168.1.5. The order of the rules is not significant. Sometimes it is necessary to suppress port forwarding for a
       sub-zone. For example, suppose that all hosts can SSH to the firewall and be forwarded to 192.168.1.5 EXCEPT Sam. When Sam connects to the
       firewall's external IP, he should be connected to the firewall itself. Because of the way that Netfilter is constructed, this requires two
       rules as follows:

		   #ACTION   SOURCE    DEST	       PROTO	DEST PORT(S)
		   ...
		   ACCEPT+   sam       $FW	       tcp	ssh
		   DNAT      net       loc:192.168.1.3 tcp	ssh
		   ...

       The first rule allows Sam SSH access to the firewall. The second rule says that any clients from the net zone with the exception of those
       in the "sam" zone should have their connection port forwarded to 192.168.1.3. If you need to exclude more than one zone, simply use
       multiple ACCEPT+ rules. This technique also may be used when the ACTION is REDIRECT.

       Care must be taken when nesting occurs as a result of the use of wildcard interfaces (interface names ends in '+').

       Here's an example.  /etc/shorewall/zones:

       /etc/shorewall/interfaces:

		   #ZONE    INTERFACE	   BROADCAST	    OPTIONS
		   net	    ppp0
		   loc	    eth1
		   loc	    ppp+
		   dmz	    eth2

       Because the net zone is declared before the loc zone, net is an implicit sub-zone of loc and in the absence of a net->... CONTINUE policy,
       traffic from the net zone will not be passed through loc->... rules. But DNAT and REDIRECT rules are an exception!

       o   DNAT and REDIRECT rules generate two Netfilter rules: a 'nat' table rule that rewrites the destination IP address and/or port number,
	   and a 'filter' table rule that ACCEPTs the rewritten connection.

       o   Policies only affect the 'filter' table.

       As a consequence, the following rules will have unexpected behavior:

		   #ACTION     SOURCE		    DEST      PROTO	   DEST
		   #							   PORT(S)
		   ACCEPT      net		    dmz       tcp	   80
		   REDIRECT    loc		    3128      tcp	   80

       The second rule is intended to redirect local web requests to a proxy running on the firewall and listening on TCP port 3128. But the 'nat'
       part of that rule will cause all connection requests for TCP port 80 arriving on interface ppp+ (including ppp0!) to have their destination
       port rewritten to 3128. Hence, the web server running in the DMZ will be inaccessible from the web.

       The above problem can be corrected in several ways.

       The preferred way is to use the ifname pppd option to change the 'net' interface to something other than ppp0. That way, it won't match
       ppp+.

       If you are running Shorewall version 4.1.4 or later, a second way is to simply make the nested zones explicit:

		   #ZONE    TYPE	OPTION
		   fw	    firewall
		   loc	    ipv4
		   net:loc  ipv4
		   dmz	    ipv4

       If you take this approach, be sure to set IMPLICIT_CONTINUE=No in shorewall.conf.

       When using other Shorewall versions, another way is to rewrite the DNAT rule (assume that the local zone is entirely within
       192.168.2.0/23):

		   #ACTION     SOURCE		      DEST	PROTO	   DEST
		   #							   PORT(S)
		   ACCEPT      net		      dmz	tcp	   80
		   REDIRECT    loc:192.168.2.0/23     3128	tcp	   80

       Another way is to restrict the definition of the loc zone:

       /etc/shorewall/interfaces:

		   #ZONE    INTERFACE	   BROADCAST	    OPTIONS
		   net	    ppp0
		   loc	    eth1
		   -	    ppp+
		   dmz	    eth2

       /etc/shorewall/hosts:

		   #ZONE    HOST(S)		OPTIONS
		   loc	    ppp+:192.168.2.0/23

FILES

       /etc/shorewall/zones

       /etc/shorewall/interfaces

       /etc/shorewall/hosts

       /etc/shorewall/policy

       /etc/shorewall/rules

SEE ALSO

       shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
       shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
       shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
       shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
       shorewall-tunnels(5), shorewall-zones(5)

NOTES

	1. shorewall-zones
	   http://www.shorewall.net/manpages/shorewall-zones.html

	2. shorewall-policy
	   http://www.shorewall.net/manpages/shorewall-policy.html

	3. shorewall.conf
	   http://www.shorewall.net/manpages/shorewall.conf.html

[FIXME: source] 						    06/28/2012						      SHOREWALL-NESTING(5)
All times are GMT -4. The time now is 01:25 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy