Mailing List Archive

Port Forwarding Question
Hello:

My router has two interfaces: 10.3.3.3 to Internet; 192.168.1.1 to LAN. I
want to forward port 80 to an internal server at 192.168.1.200.

Something ain't workin'. Pertinent iptables -L below. Any suggestions?

# iptables -t nat -L -n ##this list is truncated
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DROP all -- 172.16.0.0/12 0.0.0.0/0
DNAT tcp -- 0.0.0.0/0 10.3.3.1 tcp dpt:80 to:192.168.1.200:80


#iptables -L -n ##this list is truncated
Chain INPUT (policy DROP)
target prot opt source destination
tcp_packets tcp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 192.168.1.255
ACCEPT all -- 0.0.0.0/0 192.168.1.1
ACCEPT all -- 0.0.0.0/0 10.3.3.3 state RELATED,ESTABLISHED
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 3 LOG flags 0 level 7 prefix `IPT INPUT packet died: '

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 192.168.1.200 tcp dpt:80
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 3 LOG flags 0 level 7 prefix `IPT FORWARD packet died: '

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 192.168.1.1 0.0.0.0/0
ACCEPT all -- 10.3.3.3 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 3 LOG flags 0 level 7 prefix `IPT OUTPUT packet died: '

Chain allowed (4 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x0216/0x022
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
DROP tcp -- 0.0.0.0/0 0.0.0.0/0


nme

----------------------------------------------
Noah Eiger
nme@earthlink.net
----------------------------------------------
Re: Port Forwarding Question
Argh! After much pulling of hair and gnashing of teeth, I discovered a typo!
Moral of the story: don't DNAT to your gateway address!

Sorry for the waste of bandwidth. More (hopefully better) questions soon.

Thanks.

On 7/24/01 8:57 PM, "Noah Eiger" <nme@earthlink.net> wrote:

> Hello:
>
> My router has two interfaces: 10.3.3.3 to Internet; 192.168.1.1 to LAN. I
> want to forward port 80 to an internal server at 192.168.1.200.
>
> Something ain't workin'. Pertinent iptables -L below. Any suggestions?
>
> # iptables -t nat -L -n ##this list is truncated
> Chain PREROUTING (policy ACCEPT)
> target prot opt source destination
> DROP all -- 172.16.0.0/12 0.0.0.0/0
> DNAT tcp -- 0.0.0.0/0 10.3.3.1 tcp dpt:80 to:192.168.1.200:80
>
>
> #iptables -L -n ##this list is truncated
> Chain INPUT (policy DROP)
> target prot opt source destination
> tcp_packets tcp -- 0.0.0.0/0 0.0.0.0/0
> ACCEPT all -- 0.0.0.0/0 192.168.1.255
> ACCEPT all -- 0.0.0.0/0 192.168.1.1
> ACCEPT all -- 0.0.0.0/0 10.3.3.3 state RELATED,ESTABLISHED
> LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 3 LOG flags 0 level 7 prefix `IPT INPUT packet died: '
>
> Chain FORWARD (policy DROP)
> target prot opt source destination
> ACCEPT tcp -- 0.0.0.0/0 192.168.1.200 tcp dpt:80
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 3 LOG flags 0 level 7 prefix `IPT FORWARD packet died: '
>
> Chain OUTPUT (policy DROP)
> target prot opt source destination
> ACCEPT all -- 192.168.1.1 0.0.0.0/0
> ACCEPT all -- 10.3.3.3 0.0.0.0/0
> LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 3 LOG flags 0 level 7 prefix `IPT OUTPUT packet died: '
>
> Chain allowed (4 references)
> target prot opt source destination
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x0216/0x022
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> DROP tcp -- 0.0.0.0/0 0.0.0.0/0
>
>
> nme
>
> ----------------------------------------------
> Noah Eiger
> nme@earthlink.net
> ----------------------------------------------
>
>

nme

----------------------------------------------
Noah Eiger
nme@earthlink.net
----------------------------------------------
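
Added example, not part of either message: the DNAT rule in the posted listing matches 10.3.3.1, while the router's Internet-side address is given as 10.3.3.3. The check below reads `iptables -t nat -L -n` output and flags DNAT rules whose match address is not one of the router's own; `sample_listing` and `check_dnat` are names assumed for this illustration.

```shell
#!/bin/sh
# Added example: names and structure here are assumptions, not from the thread.

# The nat listing from the first message, with the to: field on a
# continuation line, as mail wrapping leaves it.
sample_listing() {
    cat <<'EOF'
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DROP all -- 172.16.0.0/12 0.0.0.0/0
DNAT tcp -- 0.0.0.0/0 10.3.3.1 tcp dpt:80
to:192.168.1.200:80
EOF
}

# check_dnat "<router addresses>" reads `iptables -t nat -L -n` output on stdin.
# Prints "<verdict> <matched destination> <to:target>" per DNAT rule and
# returns non-zero if any rule matches an address the router does not own.
check_dnat() {
    awk -v locals="$1" '
        function flush() {
            if (dst == "") return
            if (dst == "0.0.0.0/0") v = "ANY"      # rule matches every address
            else if (dst in own)    v = "OK"
            else { v = "MISMATCH"; bad = 1 }
            print v, dst, to
            dst = ""; to = ""
        }
        BEGIN { n = split(locals, a, " "); for (i = 1; i <= n; i++) own[a[i]] = 1 }
        # A wrapped continuation line carrying the to: field of the pending rule.
        $1 ~ /^to:/ && dst != "" { to = $1; next }
        { flush() }
        $1 == "DNAT" {
            dst = $5
            for (i = 6; i <= NF; i++) if ($i ~ /^to:/) to = $i
        }
        END { flush(); exit bad + 0 }
    '
}

# Router addresses as stated in the first message.
sample_listing | check_dnat "10.3.3.3 192.168.1.1" ||
    echo "DNAT match address is not one of the router's own addresses"
```

On a live router the listing would come from `iptables -t nat -L -n` itself, with the address list taken from the interface configuration.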