Why do you use DNAT? The packet isn't routed anymore; please look into using REDIRECT. This is also used to get transit traffic to a local port to support transparent proxies.

See more: http://www.linuxtopia.org/Linux_Firewall_iptables/x4508.html

Kind regards,
Nico

On Fri, 20 Aug 2010 08:18:57 -0400, Michael Scheidell <[email protected]> wrote:
> Nope, that didn't do it.
> Remember, this is behind a firewall already; iptables isn't doing NATting.
>
> Ran system-config-securitylevel-tui and enabled the firewall.
>
> Edited /etc/sysconfig/iptables to be what you had (IPs changed).
>
> Restarted iptables: /etc/init.d/iptables restart
>
> /etc/init.d/iptables status shows (I changed to TCP so I could test with telnet):
>
> /etc/init.d/iptables status
> Table: nat
> Chain PREROUTING (policy ACCEPT)
> num  target  prot opt source          destination
> 1    DNAT    tcp  --  xxx.xxx.xxx.36  0.0.0.0/0    tcp dpt:5060 to:192.168.0.2:5080
>
> Chain POSTROUTING (policy ACCEPT)
> num  target  prot opt source          destination
>
> Chain OUTPUT (policy ACCEPT)
> num  target  prot opt source          destination
>
> On an external host, did a telnet to the public IP, port 5060:
>
> /usr/sbin/tshark -tad -s1500 -n -p host xxx.xxx.xxx.36
> 2010-08-20 08:11:33.587745 xxx.xxx.xxx.36 -> 192.168.0.2 TCP 51532 > 5060 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=3 TSV=1337361266 TSER=0
> 2010-08-20 08:11:33.587807 192.168.0.2 -> xxx.xxx.xxx.36 TCP 5060 > 51532 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=1084756872 TSER=1337361266 WS=7
> 2010-08-20 08:11:33.624719 xxx.xxx.xxx.36 -> 192.168.0.2 TCP 51532 > 5060 [ACK] Seq=1 Ack=1 Win=66608 Len=0 TSV=1337361298 TSER=1084756872
>
> On 8/20/10 5:24 AM, Sven Evensen wrote:
>> We use iptables on several of our machines to overcome the fact that the ITSP cannot send on 5060; works perfectly. Here is our setup:
>>
>> # Firewall configuration written by system-config-securitylevel
>> # Manual customization of this file is not recommended.
>> *nat
>> :OUTPUT ACCEPT [0:0]
>> :PREROUTING ACCEPT [0:0]
>> :POSTROUTING ACCEPT [0:0]
>> -A PREROUTING -p udp --dport 5060 -s 217.37.32.162 -i eth+ -j DNAT --to 10.227.122.31:5080
>> COMMIT
>>
>> ------------------------------------------------------------------------
>>
>> From: [email protected] [mailto:[email protected]] On Behalf Of Tony Graziano
>> Sent: 20 August 2010 08:18
>> To: Michael Scheidell
>> Cc: [email protected] users
>> Subject: Re: [sipx-users] iptables experts: port forwarding.
>>
>> The startup script for sipx checks to see if iptables is running, because it is automatically "problematic" if it is...
>>
>> On Thu, Aug 19, 2010 at 11:14 PM, Michael Scheidell <[email protected]> wrote:
>>
>> It just occurred to me that sipx on CentOS has iptables. Maybe not active, but it's got it.
>>
>> Can I use iptables, internally, without involving NATting, to do selective port forwarding?
>>
>> Example:
>> private IP address of 192.168.0.2 sipx.secnap.com
>> public IP of ITSP: 4.2.2.2
>>
>> I want to do something like this:
>>
>> if traffic comes in from source IP 4.2.2.2 to 192.168.0.2:5060, redirect it to 192.168.0.2:5080
>> (assuming that the original firewall did the NATting; pretend there isn't one)
>>
>> All other traffic to 192.168.0.2:5060 goes to 192.168.0.2:5080.
>> All traffic to 192.168.0.2:5080 goes to 192.168.0.2:5080.
>>
>> Pretend I know lots about FreeBSD and ipfw and just tonight figured out how to type 'iptables --list'.
>> E.g.: tutor me.
>> I am thinking that if this can be done, it might make life easier for people like me and Mitchel who can't get the ITSP to send to port 5080.
>>
>> Before I take my live phone system offline, look here, several paragraphs down:
>> <http://www.linuxquestions.org/questions/linux-networking-3/iptables-port-forwarding-599401/>
>>
>> They do something like this:
>>
>> echo 1 > /proc/sys/net/ipv4/ip_forward
>> iptables -t nat -A PREROUTING -p tcp -s *route_only_for_this_ip* -d *router_ip* --dport 80 -j DNAT --to *destination_ip*:*destination_port*
>> iptables -t nat -A POSTROUTING -o eth0 -d *destination_ip* -j SNAT --to-source *router_ip*
>>
>> So, echo 1 > /proc/sys/net/ipv4/ip_forward (might not be needed)
>> but
>> iptables -t nat -A PREROUTING -p tcp -s 4.2.2.2 -d localhost --dport 5060 -j DNAT to localhost:5080
>>
>> --
>> Michael Scheidell, CTO
>> SECNAP Network Security Corporation
>>
>> _______________________________________________
>> sipx-users mailing list
>> [email protected]
>> List Archive: http://list.sipfoundry.org/archive/sipx-users/
>>
>> --
>> Tony Graziano, Manager
>> sip: [email protected]
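As an added example (not code from Nico, Sven or Michael), this is what Nico's REDIRECT suggestion looks like for Michael's case as an /etc/sysconfig/iptables-style nat fragment, together with a small check that reads the output of `iptables -t nat -S PREROUTING` and reports whether the rule is actually loaded. The ITSP address 4.2.2.2 and the ports 5060 and 5080 come from the thread and the `-i eth+` match follows Sven's rule; the function names and the two sample rule listings are constructed for this example.

```shell
#!/bin/sh
# Added example for this thread; not code from Nico, Sven or Michael.
# Builds a nat-table fragment that uses REDIRECT (Nico's suggestion) instead of
# DNAT to move ITSP traffic from 5060 to the port sipX listens on, and checks a
# rule listing for it. Values from the thread: ITSP 4.2.2.2, ports 5060 -> 5080,
# interface match eth+ (Sven's rule). Function names are made up for this example.

ITSP_IP="${ITSP_IP:-4.2.2.2}"
SIP_PORT="${SIP_PORT:-5060}"
SIPX_PORT="${SIPX_PORT:-5080}"

# Print an iptables-restore fragment for the nat table.
# REDIRECT rewrites the destination to the primary address of the incoming
# interface, so the packet is still delivered locally: no ip_forward and no
# POSTROUTING SNAT are needed. Restricting -s to the ITSP keeps the rule from
# becoming a general redirect of anything that reaches the SIP port.
redirect_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth+ -p udp -s $ITSP_IP --dport $SIP_PORT -j REDIRECT --to-ports $SIPX_PORT
-A PREROUTING -i eth+ -p tcp -s $ITSP_IP --dport $SIP_PORT -j REDIRECT --to-ports $SIPX_PORT
COMMIT
EOF
}

# Read the output of `iptables -t nat -S PREROUTING` on stdin and report whether
# the REDIRECT rule for the ITSP is present ("ok") or not ("missing").
# iptables prints host sources with a /32 suffix, hence the optional group.
check_redirect_rule() {
    # escape the dots in the address so they match literally
    ip_re=$(printf '%s' "$ITSP_IP" | sed 's/\./\\./g')
    if grep -Eq -- "-s $ip_re(/32)? .*--dport $SIP_PORT -j REDIRECT --to-ports $SIPX_PORT"; then
        echo ok
    else
        echo missing
    fi
}

# Constructed sample listings: what -S prints after loading each kind of rule.
SAMPLE_REDIRECT='-P PREROUTING ACCEPT
-A PREROUTING -s 4.2.2.2/32 -i eth+ -p udp -m udp --dport 5060 -j REDIRECT --to-ports 5080'
SAMPLE_DNAT='-P PREROUTING ACCEPT
-A PREROUTING -s 4.2.2.2/32 -p tcp -m tcp --dport 5060 -j DNAT --to-destination 192.168.0.2:5080'

redirect_ruleset
printf '%s\n' "$SAMPLE_REDIRECT" | check_redirect_rule   # ok
printf '%s\n' "$SAMPLE_DNAT" | check_redirect_rule       # missing
```

Load the fragment with `iptables-restore` (or drop it into /etc/sysconfig/iptables on CentOS and restart the service) and then run `iptables -t nat -S PREROUTING | check_redirect_rule` on the box. REDIRECT only applies to packets addressed to this host, which is exactly Michael's situation with the real NAT done upstream; a box that forwards for other machines still needs DNAT. Michael also wanted every other sender to 5060 moved to 5080; that is the same rule without the `-s` match, at the cost of accepting SIP from anyone on that port.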
