Simon wrote regarding '[SLE] iptables driving me mental' on Wed, Aug 25 at 08:33:
Hi
I am trying to do port forwarding to another machine. It just hangs when I ssh to it. Here are the lines I am using
iptables -t nat -A PREROUTING -i eth0 -p tcp -d 192.168.10.106 --dport 41122 -j DNAT --to-destination 192.168.10.186:22
iptables -A FORWARD -p tcp -d 192.168.10.186 --dport 22 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
The line to connect is:
ssh -p 41122 root@192.168.10.106 and it just times out. I can ssh individually to 192.168.10.106 and to 192.168.10.186 and when I use tcpdump it seems to show that it is looking for the right machines.
When I do an nmap from a different machine it shows the port 41122 as filtered not open.
What am I doing wrong - I have tried just about everything.
Is incoming port 41122 and outgoing port 22 accepted? It sounds like the incoming port 22 is dropping the packet...

iptables -I INPUT -i eth0 -p tcp -d 192.168.10.106 --dport 41122 -j ACCEPT

and maybe

iptables -I OUTPUT -p tcp -d 192.168.10.186 --dport 22 -j ACCEPT

Look at the output of "iptables -L" & "iptables -L -t nat" and see if there are any rules that might be dropping the packet at other points. I'm betting that the default rule on the INPUT chain is DROP, though.

If you're seeing the connection on 192.168.10.106's syslog, but it times out anyway, you have a routing problem. 192.168.10.186 needs to be the default route (for return packets) in order for the NAT to work. If it isn't the default route, you'll have to put in an SNAT rule on .186 as well. Post back if that's the case. :)

--Danny
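For reference, here is a complete DNAT port-forward rule set for the setup in the thread, including the SNAT fallback Danny mentions. This is an added example, not code from either poster; it uses the addresses and ports from Simon's message, prints the commands by default and only applies them when run with the argument "apply".

```shell
#!/bin/sh
# Added example (not from the thread). Forwards gateway:41122 -> 192.168.10.186:22.
# "sh fwd.sh" prints the commands; "sh fwd.sh apply" executes them as root.
GW_IF=eth0              # interface the clients come in on
GW_IP=192.168.10.106    # gateway address clients connect to
FWD_PORT=41122          # externally visible port on the gateway
DST=192.168.10.186      # internal host
DST_PORT=22

forward_rules() {
    # 1. The kernel must route between interfaces. (Note the redirect direction:
    #    "echo > 1 FILE" writes an empty line into a file named "1" instead.)
    $RUN sysctl -w net.ipv4.ip_forward=1
    # 2. Rewrite the destination before the routing decision.
    #    -p tcp is mandatory, otherwise iptables rejects --dport.
    $RUN iptables -t nat -A PREROUTING -i "$GW_IF" -p tcp -d "$GW_IP" --dport "$FWD_PORT" \
        -j DNAT --to-destination "$DST:$DST_PORT"
    # 3. Forwarded packets traverse PREROUTING -> FORWARD -> POSTROUTING, never INPUT,
    #    and FORWARD sees the already rewritten address. Allow the new connection in...
    $RUN iptables -A FORWARD -i "$GW_IF" -p tcp -d "$DST" --dport "$DST_PORT" \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    #    ...and the replies back out. A DROP policy on FORWARD silently eats these,
    #    which shows up exactly as "nmap says filtered, ssh hangs".
    $RUN iptables -A FORWARD -p tcp -s "$DST" --sport "$DST_PORT" \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT
    # 4. Only needed when the internal host does not route replies back through this
    #    box (Danny's point): source-NAT so the replies return here to be un-DNATed.
    #    Cost: sshd on $DST logs every client as $GW_IP, so keep client IPs in the
    #    gateway's logs (e.g. a LOG rule) if you need them for incident response.
    $RUN iptables -t nat -A POSTROUTING -p tcp -d "$DST" --dport "$DST_PORT" \
        -j SNAT --to-source "$GW_IP"
}

case "${1:-show}" in
    apply) RUN= ;;
    *)     RUN=echo ;;
esac
forward_rules
```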