* problems with port forwarding
@ 2007-02-23 16:07 Andres Baravalle
From: Andres Baravalle @ 2007-02-23 16:07 UTC (permalink / raw)
  To: netfilter

Hi,
I need to forward a port from one server to another - and I'm having
some trouble.

I have a server (A) and I want connections to port 10022 in server A
to be forwarded to port 22 in server B.

I thought I had the procedure right, because it's working using
another server (C) and server B.

Anyway, here are the relevant tables:

iptables -L --line-numbers -t nat

Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    DNAT       tcp  --  anywhere             anywhere            tcp dpt:ftp to:SERVER_B:22
2    LOG        all  --  anywhere             SERVER_B    LOG level debug

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    SNAT       tcp  --  anywhere             SERVER_B    tcp dpt:ssh to:SERVER_A
2    LOG        tcp  --  anywhere             SERVER_B    LOG level debug

iptables -L FORWARD

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
REJECT     tcp  --  anywhere             anywhere            tcp flags:!SYN,RST,ACK/SYN reject-with tcp-reset
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     tcp  --  anywhere             SERVER_B    tcp dpt:10022
ACCEPT     all  --  anywhere             anywhere
LOG        tcp  --  anywhere             SERVER_B    LOG level warning

If I connect from server A to localhost, port 10022, it works. If I
connect from any other machine to server A, port 10022, it doesn't.

Any suggestions? I've been looking at this and making tests for a long
time today and I can't find the error.

By the way, I can't see any entries in the log...

   Andres



* Re: problems with port forwarding
From: Andres Baravalle @ 2007-02-23 18:19 UTC (permalink / raw)
  To: netfilter

2007/2/23, Andres Baravalle <andres.baravalle@gmail.com>:
> iptables -L FORWARD
>
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
> REJECT     tcp  --  anywhere             anywhere            tcp flags:!SYN,RST,ACK/SYN reject-with tcp-reset
> DROP       all  --  anywhere             anywhere            state INVALID
> ACCEPT     tcp  --  anywhere             SERVER_B    tcp dpt:10022
> ACCEPT     all  --  anywhere             anywhere
> LOG        tcp  --  anywhere             SERVER_B    LOG level warning
>
> If I connect from server A to localhost, port 10022, it works. If I
> connect from any other machine to server A, port 10022, it doesn't.

Apparently the problem is in the FORWARD chain.

If I set the default policy to ACCEPT, it will work:

iptables -L FORWARD

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             SERVER_B      tcp dpt:10022
REJECT     tcp  --  anywhere             anywhere            tcp flags:!SYN,RST,ACK/SYN reject-with tcp-reset
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere

But I don't feel too comfortable having ACCEPT as the default policy. Any
suggestions?

   Andres



* Re: problems with port forwarding
From: Elvir Kuric @ 2007-02-23 18:30 UTC (permalink / raw)
  To: Andres Baravalle, netfilter

Hi Andres,

Try this: implement this rule on machine A

# DNAT is only valid in the nat table, in the PREROUTING (or OUTPUT) chain
iptables -t nat -A PREROUTING -p tcp --dport 10022 -j DNAT --to-destination IP_ADDRESS:22

This will allow you to connect to port 22 on the desired
machine.
Be sure you enabled the ip_forward option with echo 1 >
/proc/sys/net/ipv4/ip_forward

Best wishes 

Elvir Kuric 


* Re: problems with port forwarding
From: Silvio Fonseca @ 2007-02-23 19:07 UTC (permalink / raw)
  To: netfilter

Hello Andres,

In your FORWARD rule, you should have destination tcp port 22 instead of 
10022. Anyway, since the rule right below is "anywhere to anywhere ACCEPT", 
this shouldn't cause problems.

Regarding the LOGs not appearing, you need to move the LOG rule to be before 
the "action" rule.

Send us back what the logs are showing so we can have a better understanding.

Best Regards

Silvio Fonseca

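To make the points raised in this thread checkable, here is an added Python example (not code from the thread or from netfilter) that parses the two listings Andres posted, with the mailer's line wraps rejoined, resolves service names the way iptables -L does when run without -n, and reports the port mismatch and the LOG placement Silvio describes. It assumes the usual iptables -L column layout (target, prot, opt, source, destination) and a constructed two-entry subset of /etc/services; note that -L without -n printed the DNAT match as dpt:ftp, which is port 21.

```python
# Constructed sample input: the two listings pasted in the thread, line wraps rejoined.
# They came from 'iptables -L' without -n, so ports were resolved to /etc/services names.
NAT_PREROUTING = """\
1    DNAT       tcp  --  anywhere             anywhere            tcp dpt:ftp to:SERVER_B:22
2    LOG        all  --  anywhere             SERVER_B    LOG level debug
"""
FORWARD = """\
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
REJECT     tcp  --  anywhere             anywhere            tcp flags:!SYN,RST,ACK/SYN reject-with tcp-reset
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     tcp  --  anywhere             SERVER_B    tcp dpt:10022
ACCEPT     all  --  anywhere             anywhere
LOG        tcp  --  anywhere             SERVER_B    LOG level warning
"""
SERVICES = {"ftp": 21, "ssh": 22}        # assumed subset of /etc/services, enough for this page
TERMINATING = {"ACCEPT", "DROP", "REJECT"}

def port(name): return SERVICES.get(name) or int(name)   # as printed by -L: 'ftp' -> 21, '10022' -> 10022

def parse(listing):
    """Parse 'iptables -L' rule lines (assumed columns: target prot opt source destination ...)."""
    rules = []
    for line in listing.strip().splitlines():
        cols = line.split()
        cols = cols[1:] if cols[0].isdigit() else cols      # drop the --line-numbers column
        opts = dict(t.split(":", 1) for t in cols[5:] if t.startswith(("dpt:", "to:")))
        rules.append({"target": cols[0], "prot": cols[1], "src": cols[3], "dst": cols[4],
                      "extra": cols[5:], "to": opts.get("to"),
                      "dpt": port(opts["dpt"]) if "dpt" in opts else None})
    return rules

def is_catch_all(r):
    """A terminating rule with no match at all, e.g. 'ACCEPT all -- anywhere anywhere'."""
    return (r["target"] in TERMINATING and r["prot"] == "all"
            and r["src"] == r["dst"] == "anywhere" and not r["extra"])

def check_forwarding(nat_prerouting, forward, public_port):
    """Return the problems a reviewer would flag in a DNAT + FORWARD port-forward setup."""
    dnat = next(r for r in parse(nat_prerouting) if r["target"] == "DNAT")
    to_host, to_port = dnat["to"].rsplit(":", 1)
    fwd, findings = parse(forward), []
    if dnat["dpt"] != public_port:          # dpt:ftp is port 21, not the 10022 the poster expects
        findings.append(f"DNAT matches port {dnat['dpt']}, not {public_port}")
    for r in fwd:                           # FORWARD runs after PREROUTING, so it sees the rewritten port
        if r["target"] == "ACCEPT" and r["dst"] == to_host and r["dpt"] not in (None, int(to_port)):
            findings.append(f"FORWARD ACCEPT for {to_host} matches port {r['dpt']}, not the post-DNAT port {to_port}")
    for i, r in enumerate(fwd):             # a LOG placed after a catch-all terminating rule never fires
        if r["target"] == "LOG" and any(is_catch_all(p) for p in fwd[:i]):
            findings.append("LOG rule sits after a catch-all terminating rule and never fires")
    return findings
```

Listing with iptables -L -n -v --line-numbers avoids the service-name resolution and shows per-rule packet counters, so a rule that never matches is visible at once.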