How to forward a port to an IP address?
internet -> modem(10.0.0.2) -> linuxEth0(10.0.0.5) -> linuxEth1(192.168.0.1) -> XP machine(192.168.0.2)
I want to forward port XXXX to 192.168.0.2:XXX.
How do I do that? I have googled and tried many variations on port forwarding with iptables. I have run the firewall script from the connection wizard and I have tried to add the iptables forward rules to the /etc/rc.d/rc.firewall file, and done /etc/rc.d/rc.firewall stop and start. No success.
And I check the port by trying it here: http://connect.majestyc.net/
Last edited by MaZZly on Sun 23 Dec 2007, 11:54, edited 3 times in total.
I used the following before I got a router, put in /etc/rc.d/rc.local, to share the internet amongst a home network.
Never touched the firewall.
Seemed to just work...
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
mike
I tried that too (I didn't put those commands in rc.local though, just ran them from the console), but for some reason I couldn't load any site on the networked computers:
http://www.murga-linux.com/puppy/viewtopic.php?t=24541
And btw I want the other ports secured, so that's why I'm having the rc.firewall script activated.
eth0 is the ethernet card connected to the router and uses DHCP (I don't want the XP machine going through the router).
eth1 is the ethernet card the internal network is connected to, and it's sharing internet to 192.168.0.1/24.
The net is working fine now that I've set it up as I wrote in my other post; the thing I want to know is how to forward a specific port to a specific IP while keeping the other (non-forwarded) ports closed.
Last edited by MaZZly on Sat 29 Dec 2007, 10:43, edited 1 time in total.
Is this helpful?
http://www.murga-linux.com/puppy/viewto ... 36&t=13975
plus some mention here
http://www.murga-linux.com/puppy/viewto ... 14&t=17609
mike
Firelog doesn't help me with port forwarding.
What I need is
the iptables commands for port forwarding!
Just one example of port forwarding so I can edit and add my own port forwards later on.
And I don't want any suggestions to get another distro made for firewalling/routing, or anything like that, just the iptables help or a program for Puppy where I can put in the rules I want.
So I tried:
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 10.0.0.5 --dport 33187 -j DNAT --to 192.168.0.2:33187
iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.2 --dport 33187 -j ACCEPT
and:
iptables -t nat -A PREROUTING -p tcp -i eth0 -d my.internet.ip.address --dport 33187 -j DNAT --to 192.168.0.2:33187
iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.2 --dport 33187 -j ACCEPT
without success, so what am I doing wrong?
Hi,
Looks like your 'forward' command is trying to forward the packet via eth0 when it is eth1 that has the 192.168.0.x network.
Maybe check whether the protocol is udp instead of tcp?
The iptables man page is here; maybe it's a better reference.
http://linux.die.net/man/8/iptables
Read up on all the option flags and see if they are correct for your network.
Check that your iptables filters are what you asked for by listing them with the 'iptables --list' command.
Check that iptables is loaded in the kernel with 'lsmod | grep ip'; you should see 'iptables_filter' and 'ip_tables'.
Jesse
This is my iptables -L now, as I have reinstalled Puppy and just run the .pup file described here: http://www.murga-linux.com/puppy/viewtopic.php?t=15129
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
REJECT udp -- anywhere anywhere udp dpt:bootps reject-with icmp-port-unreachable
REJECT udp -- anywhere anywhere udp dpt:domain reject-with icmp-port-unreachable
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
DROP tcp -- anywhere anywhere tcp dpts:0:1023
DROP udp -- anywhere anywhere udp dpts:0:1023
Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- anywhere 192.168.0.0/16
ACCEPT all -- 192.168.0.0/16 anywhere
ACCEPT all -- anywhere 192.168.0.0/16
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Hi,
Reading through the iptables man page, it seems that the first rule that matches is used, although the wording is not exactly clear on that. Either way, try shifting all the anywhere/anywhere rules to the start or the end of the list.
I'd suggest trial & error testing: start with a simple setup, one thing at a time, test it and make sure all the components are working, then add in the next thing and repeat.
Set up logging so you can see which rules are taking effect:
iptables -I FORWARD -j LOG --log-level debug --log-prefix "FORWARD: "
and watch the log messages when they are generated:
tail -f /var/log/messages
I hope that helps.
I found this page; it has a tutorials section that looks very good.
http://www.netfilter.org/documentation/ ... tation-faq
especially this one:
http://www.justlinux.com/nhf/Security/I ... asics.html
Jesse
Yeah, I was wondering about those too...
That Basics tutorial sets you up to understand how iptables works; even though it might seem non-relevant and overstated, it's very clarifying if you're interested in understanding the "why & how" of making it work. Very recommended reading.
Jesse
So the next obvious thing to try is (quoting man iptables):
Tables
There are currently three independent tables (which tables are present at any time depends on the kernel configuration options and which modules are present).
-t, --table table
This option specifies the packet matching table which the command should operate on. If the kernel is configured with automatic module loading, an attempt will be made to load the appropriate module for that table if it is not already there.
The tables are as follows:
...
nat:
This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out).
...
sh-3.00# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
sh-3.00#
Jesse
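The thread stops without a working rule set, so here is an added example (not code posted by MaZZly, mike or Jesse) that ties the pieces together. It assumes the topology from the first post (eth0 = 10.0.0.5 towards the modem at 10.0.0.2, eth1 = 192.168.0.1/24 towards the XP box) and the port 33187 from the attempted rules; build_rules and forward_verdict are hypothetical helper names, the first FORWARD listing is copied from the "iptables --list" output in the thread, and the second listing is constructed. Two things the thread's own output shows: the rc.firewall FORWARD chain begins with "DROP all -- anywhere 192.168.0.0/16", so an ACCEPT added with -A lands below that DROP and is never reached (iptables stops at the first matching rule), and the "iptables -L -t nat" output at the end is empty, so no DNAT rule survived the reinstall. One more caveat from the topology: the modem at 10.0.0.2 is itself doing NAT, so it must forward the port to 10.0.0.5 as well, and packets then arrive on eth0 addressed to 10.0.0.5 (the DHCP lease), never to the public address, which is why the "-d my.internet.ip.address" variant cannot match.

```shell
#!/bin/sh
# Added example for this thread (not code posted by anyone in it).
# Assumed from the posts: eth0 = 10.0.0.5 (DHCP) towards the modem,
# eth1 = 192.168.0.1/24 towards the XP machine, forwarded port 33187.

EXT_IF=eth0          # DHCP-addressed, faces the modem at 10.0.0.2
INT_IF=eth1          # 192.168.0.1, faces the LAN
LAN=192.168.0.0/24

# Print (do not run) the commands that forward external TCP port $1 to
# host $2 port $3.  Apply as root with:  build_rules 33187 192.168.0.2 33187 | sh
# -I FORWARD 1 instead of -A is the point: the listing in the thread starts
# with "DROP all -- anywhere 192.168.0.0/16", so an appended ACCEPT is dead.
# No -d on the PREROUTING rule because eth0's address comes from DHCP.
# No state match on the FORWARD rule so every packet of the connection
# (not only the SYN) is accepted; replies from $2 are already allowed by the
# existing "ACCEPT all -- 192.168.0.0/16 anywhere" rule.
build_rules() {
    ext_port=$1; host=$2; int_port=$3
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o $EXT_IF -s $LAN -j MASQUERADE
iptables -t nat -A PREROUTING -i $EXT_IF -p tcp --dport $ext_port -j DNAT --to-destination $host:$int_port
iptables -I FORWARD 1 -i $EXT_IF -o $INT_IF -p tcp -d $host --dport $int_port -j ACCEPT
EOF
}

# Walk a FORWARD listing ("iptables -L FORWARD" output, $1) top to bottom and
# print the target of the first rule whose source/destination columns cover a
# packet from $2 to $3, or the chain policy if none does (first match wins,
# as in iptables).  Handles "anywhere", bare addresses and /8,/16,/24,/32
# prefixes; protocol and port columns are ignored, so this checks rule
# ORDER only, which is what went wrong in the thread.
forward_verdict() {
    printf '%s\n' "$1" | awk -v src="$2" -v dst="$3" '
    function covers(spec, ip,    n, a, p, q, i) {
        if (spec == "anywhere") return 1
        n = split(spec, a, "/")
        if (n == 1) return spec == ip
        split(a[1], p, "."); split(ip, q, ".")
        for (i = 1; i <= a[2] / 8; i++) if (p[i] != q[i]) return 0
        return 1
    }
    /^Chain / { policy = $0; sub(/.*\(policy /, "", policy); sub(/\).*/, "", policy); next }
    /^target / { next }
    NF >= 5 && covers($4, src) && covers($5, dst) { found = 1; print $1; exit }
    END { if (!found) print policy }
    '
}

# FORWARD chain exactly as listed in the thread (rc.firewall defaults).
LISTING_FROM_THREAD='Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- anywhere 192.168.0.0/16
ACCEPT all -- 192.168.0.0/16 anywhere
ACCEPT all -- anywhere 192.168.0.0/16'

# Constructed: the same chain after build_rules inserted its ACCEPT at position 1.
LISTING_FIXED='Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere 192.168.0.2 tcp dpt:33187
DROP all -- anywhere 192.168.0.0/16
ACCEPT all -- 192.168.0.0/16 anywhere
ACCEPT all -- anywhere 192.168.0.0/16'

echo "# commands to apply:"
build_rules 33187 192.168.0.2 33187
echo "# 10.0.0.2 -> 192.168.0.2 with the thread's chain: $(forward_verdict "$LISTING_FROM_THREAD" 10.0.0.2 192.168.0.2)"
echo "# 10.0.0.2 -> 192.168.0.2 after the insert:        $(forward_verdict "$LISTING_FIXED" 10.0.0.2 192.168.0.2)"
```

The printed commands have to run after rc.firewall has built its chains (for example at the end of /etc/rc.d/rc.local), because "rc.firewall stop" and "start" rebuild the chains and discard anything added by hand. Verify placement with "iptables -L FORWARD --line-numbers" (the ACCEPT must have a lower number than the DROP) and "iptables -t nat -L PREROUTING" (the DNAT rule must actually be there, unlike the empty nat table at the end of the thread).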