Hello,
I've just installed a 2.4.x kernel into a box that is set up as a Masq box, and am
trying to redirect some PCAnywhere ports. My desire:
[eth0]                         [eth1]
Incoming (tcp port 5631)  ->   192.168.1.11 (tcp port 5631)
Incoming (udp port 5632)  ->   192.168.1.11 (udp port 5632)   (Machine #1)
Incoming (tcp port 5641)  ->   192.168.1.12 (tcp port 5631)
Incoming (udp port 5642)  ->   192.168.1.12 (udp port 5632)   (Machine #2)
I do this all the time with IPchains and ipmasqadm with no problems. However,
after reading the masq howto, the following firewall script doesn't seem to
work for machine #2 (but works for machine #1):
echo "1" > /proc/sys/net/ipv4/ip_forward
modprobe iptable_nat
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
iptables -F FORWARD
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Machine #1
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 5631 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p udp --dport 5632 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A PREROUTING -t nat -p tcp -d $extip --dport 5631 -j DNAT --to 192.168.1.11:5631
iptables -A PREROUTING -t nat -p udp -d $extip --dport 5632 -j DNAT --to 192.168.1.11:5632
# Machine #2
iptables -A FORWARD -i eth0 -o eth2 -p tcp --dport 5641 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth2 -p udp --dport 5642 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A PREROUTING -t nat -p tcp -d $extip --dport 5641 -j DNAT --to 192.168.1.12:5631
iptables -A PREROUTING -t nat -p udp -d $extip --dport 5642 -j DNAT --to 192.168.1.12:5632
What am I missing?
Also, I noticed that if I change the ip address of 192.168.1.11 to something
else (like to 192.168.1.12 to test it), it still gets forwarded to the .11
machine. Is something not getting flushed properly?
Bob
_______________________________________________
Masq maillist - [EMAIL PROTECTED]
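Added example, not part of the post above or of the HOWTO: a dry-run generator for the four forwards in the diagram, assuming eth0 is the external and eth1 the internal interface, with a placeholder external address. Each FORWARD rule is written against the post-DNAT destination (filter FORWARD is traversed after nat PREROUTING), and the nat chains are flushed along with FORWARD so a re-run does not append behind older DNAT rules.

```shell
#!/bin/sh
# Added example: prints the rule set for review instead of applying it.
# Assumptions: eth0 = external, eth1 = internal (from the diagram in the post);
# EXTIP defaults to a documentation address, not a value from the post.
EXTIP="${EXTIP:-203.0.113.10}"
EXT_IF=eth0
INT_IF=eth1

# port_forward PROTO EXT_PORT INT_IP INT_PORT
# Emits the DNAT rule and the matching FORWARD rule for one forward.
port_forward() {
    proto=$1 ext_port=$2 int_ip=$3 int_port=$4
    # nat/PREROUTING runs before routing: match the address and port the
    # client dialled, then rewrite to the internal host and port.
    echo "iptables -t nat -A PREROUTING -i $EXT_IF -p $proto -d $EXTIP --dport $ext_port -j DNAT --to-destination $int_ip:$int_port"
    # filter/FORWARD runs after DNAT: the packet now carries the internal
    # address and port and leaves through the internal interface.
    echo "iptables -A FORWARD -i $EXT_IF -o $INT_IF -p $proto -d $int_ip --dport $int_port -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
}

ruleset() {
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    # "iptables -F FORWARD" only touches the filter table, so flush the
    # nat chains too; otherwise -A appends after rules from earlier runs.
    echo "iptables -F FORWARD"
    echo "iptables -t nat -F PREROUTING"
    echo "iptables -t nat -F POSTROUTING"
    echo "iptables -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE"
    # Machine #1
    port_forward tcp 5631 192.168.1.11 5631
    port_forward udp 5632 192.168.1.11 5632
    # Machine #2: external ports 5641/5642 map to internal 5631/5632
    port_forward tcp 5641 192.168.1.12 5631
    port_forward udp 5642 192.168.1.12 5632
}

# Print the rules; pipe the output to "sh" as root to apply them.
ruleset
```

Comparing the printed rules with `iptables -t nat -L PREROUTING -n --line-numbers` on the live box shows whether DNAT rules from earlier runs are still sitting ahead of the new ones.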