[Firewall] Problem with port forwarding and Arno's firewall

Simon Chollet simon.chollet at gmail.com
Wed Jul 6 18:53:19 CEST 2011


Hi there, 

I have a little problem setting a port forwarding rule with Arno's iptables firewall.   

I want to redirect many connections from a main server (with public IP of course) to other servers having public IPs too. The main server is Ubuntu 11.04. 

The way I was doing that before installing the firewall was:

Check that /proc/sys/net/ipv4/ip_forward is set to '1'
iptables -t nat -A PREROUTING -p tcp --dport 2000 -j DNAT --to-destination X.X.X.X:X (one time per redirection)
iptables -t nat -A POSTROUTING -j MASQUERADE

It was working OK. But of course I needed a firewall on this machine. I tried with ufw but I don't think it's made for fine-tuned rules, so I searched for another iptables firewall and found Arno's.

The way I'm now trying to set my redirections is in the custom-rules file. The file content is:

iptables -t nat -A PREROUTING -p tcp --dport 2000 -j DNAT --to-destination X.X.X.X:X
iptables -t nat -A POSTROUTING -j MASQUERADE

If I check the nat rules (using iptables -t nat -L -v) I get:

Chain PREROUTING (policy ACCEPT 559 packets, 57316 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  570 57956 NAT_PREROUTING_CHAIN  all  --  any    any     anywhere             anywhere            
   11   640 DNAT       tcp  --  any    any     anywhere             anywhere            tcp dpt:2000 to:X.X.X.X:X
  559 57316 POST_NAT_PREROUTING_CHAIN  all  --  any    any     anywhere             anywhere            

Chain INPUT (policy ACCEPT 1 packets, 64 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 375 packets, 74438 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  375 74438 NAT_POSTROUTING_CHAIN  all  --  any    any     anywhere             anywhere            
  375 74438 MASQUERADE  all  --  any    any     anywhere             anywhere            
    0     0 POST_NAT_POSTROUTING_CHAIN  all  --  any    any     anywhere             anywhere            

Chain NAT_POSTROUTING_CHAIN (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain NAT_PREROUTING_CHAIN (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain POST_NAT_POSTROUTING_CHAIN (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain POST_NAT_PREROUTING_CHAIN (1 references)
 pkts bytes target     prot opt in     out     source               destination 

I tried to open or close the port (2000 here) in debconf, but I can't get this to work in any way.

Could you please give me some advice if you see what's wrong? Do I have to enable something more in firewall.conf?

Thanks a lot in advance,

Simon
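As an added example (not part of Simon's post and not code from Arno's firewall), the complete rule set one TCP port forward needs on a Linux router, beside a check of the nat counters from `iptables -t nat -L -v -n`; the port, target address and interface are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post or from Arno's firewall scripts.
# Placeholders: forwarded port 2000, target 203.0.113.10:2000 (a documentation
# address), public interface eth0. Real values come from your own setup.

# Print (do not apply) the complete rule set for one TCP port forward.
# The nat DNAT only rewrites the destination; the rewritten packet is then
# routed and must pass the filter table's FORWARD chain, which a firewall
# usually closes by default. Keep MASQUERADE narrowed to that flow instead
# of masquerading everything that leaves the box.
dnat_rules() {
  port=$1; dst_ip=$2; dst_port=$3; wan_if=$4
  cat <<EOF
iptables -t nat -A PREROUTING -i $wan_if -p tcp --dport $port -j DNAT --to-destination $dst_ip:$dst_port
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $wan_if -o $wan_if -p tcp -d $dst_ip --dport $dst_port -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o $wan_if -p tcp -d $dst_ip --dport $dst_port -j MASQUERADE
EOF
}

# Read `iptables -t nat -L -v -n` output on stdin and print the packet counter
# of the DNAT rule for the given port (0 if there is none). A non-zero count
# proves the nat rule matches, so a still-failing service points at FORWARD.
dnat_hits() {
  awk -v p="dpt:$1 " '$3 == "DNAT" && index($0, p) { n = $1 } END { print n + 0 }'
}

# Constructed sample of the counter output, modelled on the listing above.
SAMPLE_NAT_OUTPUT='Chain PREROUTING (policy ACCEPT 559 packets, 57316 bytes)
 pkts bytes target     prot opt in     out     source               destination
  570 57956 NAT_PREROUTING_CHAIN  all  --  *  *  0.0.0.0/0  0.0.0.0/0
   11   640 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2000 to:203.0.113.10:2000
  559 57316 POST_NAT_PREROUTING_CHAIN  all  --  *  *  0.0.0.0/0  0.0.0.0/0'

# Stand-alone run: show the rules, then the counter from the sample listing.
dnat_rules 2000 203.0.113.10 2000 eth0
printf '%s\n' "$SAMPLE_NAT_OUTPUT" | dnat_hits 2000
```

Pipe the live output of `iptables -t nat -L -v -n` into `dnat_hits 2000` to confirm the DNAT rule is being hit before looking further down the path.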