My Client: 192.168.1.2 (win2k)
My firewall: 192.168.1.200 (script, see below)
Webserver 192.168.1.40 (also tried it with 192.168.3.30)
A tcpdump on port 80 on the webserver (so it actually does forward my port!):
13:15:33.287986 192.168.1.2.1208 > linux.local.http: R 3458148781:3458148781(0) win 0
13:15:36.237986 192.168.1.2.1208 > linux.local.http: S 3458148780:3458148780(0) win 32767 (DF)
13:15:36.237986 linux.local.http > 192.168.1.2.1208: S 4027492602:4027492602(0) ack 3458148781 win 5840 (DF)
etc... (rest looks all the same)
My little firewall script:
iptables -F OUTPUT
iptables -F INPUT
iptables -F FORWARD
iptables -t nat -F PREROUTING
iptables -P OUTPUT ACCEPT
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j DNAT --to 192.168.1.40
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j DNAT --to 192.168.1.40
#Make sure connections for VNC servers are accepted.
iptables -t nat -A POSTROUTING -p tcp --destination-port 80 -j ACCEPT
iptables -t nat -A POSTROUTING -p tcp --destination-port 80 -j ACCEPT
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j REDIRECT --to 192.168.1.40:80
=====================
What is the difference between:
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j DNAT --to 192.168.1.40
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j DNAT --to 192.168.1.40
#Make sure connections for VNC servers are accepted.
iptables -t nat -A POSTROUTING -p tcp --destination-port 80 -j ACCEPT
iptables -t nat -A POSTROUTING -p tcp --destination-port 80 -j ACCEPT
and:
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j REDIRECT --to 192.168.1.40:80
Tobis wrote:
"And you're missing forward rules to allow the desired traffic (plus the rest you need
for basic connectivity, such as some ICMP, etc..)"
I thought that iptables -P FORWARD ACCEPT does it?!
thank you!
Spiekey
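An added example (not the poster's script and not a reply from the thread) of the port forward written the way the quoted reply suggests: a DNAT rule for inbound TCP/80, a FORWARD chain with a DROP policy and explicit ACCEPTs instead of a blanket ACCEPT policy, and no REDIRECT (REDIRECT sends traffic to the firewall itself, which is why it only takes --to-ports and not an address). Addresses and the ppp0 interface are taken from the post; setting IPT=echo gives a dry run that prints the rules instead of applying them.

```shell
#!/bin/sh
# Assumed layout (from the post): WAN link ppp0, LAN 192.168.1.0/24,
# web server 192.168.1.40. Override IPT=echo to print rules instead.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-ppp0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
WEB_IP="${WEB_IP:-192.168.1.40}"

apply_portforward() {
    # Clean slate, then DROP in FORWARD so only the rules below decide
    # what is allowed to cross the firewall.
    $IPT -F INPUT
    $IPT -F FORWARD
    $IPT -t nat -F PREROUTING
    $IPT -t nat -F POSTROUTING
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Replies to flows that were already allowed, in either direction.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN hosts may open connections out through the WAN link.
    $IPT -A FORWARD -s "$LAN_NET" -o "$WAN_IF" -j ACCEPT
    # Masquerade LAN traffic leaving on the WAN link.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE

    # DNAT rewrites the destination of inbound TCP/80 to the web server.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_IP":80
    # The DNATed packet still passes through FORWARD, so with a DROP
    # policy it needs its own ACCEPT; this is the rule the reply refers to.
    $IPT -A FORWARD -i "$WAN_IF" -p tcp -d "$WEB_IP" --dport 80 \
        -m state --state NEW -j ACCEPT

    # Only touch the kernel when really applying rules, not in a dry run.
    if [ "$IPT" = iptables ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# Dry run: returns the rule set that would be applied, one rule per line.
render_rules() {
    ( IPT=echo; apply_portforward )
}
```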