
We run ubuntu on our gateway machine. We have a DNAT iptables rule sending traffic on 80 and 3306 to an internal ip address that runs a webserver. It doesn't work at all.

eth1 is the wan interface, eth0 is the local one

    -A INPUT -p tcp -m tcp -m multiport -s 192.168.2.173 -j ACCEPT --dports 25,80,443,465,3306
    -A OUTPUT -d 173.201.37.214 -o eth1 -j ACCEPT
    -A PREROUTING -p tcp -d $EXT_IP -i eth1 --dport 80 -j DNAT --to-destination 192.168.2.173:80
    -A PREROUTING -p tcp -d $EXT_IP -i eth1 --dport 3306 -j DNAT --to-destination 192.168.2.173:3306
    -A FORWARD -p tcp -d 192.168.2.173 --dport 80 -j ACCEPT

  • That "firewall" is a complete mess. I would probably blow it away and start over. Commented Nov 22, 2013 at 19:46
  • Just to expand on @MichaelHampton - you are filtering in your NAT table (instead of the FILTER table), there are chains doing nothing, and no commenting (hint: -m comment). As to your original question, the counters on the rules in the PREROUTING chain are 0 - this suggests that the traffic you are expecting to DNAT hasn't even hit the box (or you haven't tested it since you last reset the counters). Commented Nov 22, 2013 at 20:42

3 Answers

You need the corresponding rules in the filter table to allow the traffic through the filter. The rules you've posted only handle the NAT part.

    -A FORWARD -p tcp -d 192.168.2.5 -i eth1 --dport 80 -j ACCEPT
    -A FORWARD -p tcp -d 192.168.2.5 -i eth1 --dport 3306 -j ACCEPT

EDIT: OP didn't include full output in first post.

  • I edited my answer to include all of the lines from the iptables relevant to our web server. Commented Nov 22, 2013 at 13:26
  • That suggests you have yet more lines, and they can interfere with each other. Could you post instead the entire outputs of iptables -L -n -v and iptables -t nat -L -n -v? Also, the INPUT line currently shown in the question looks to me like it should have -d 192.168.2.173, not -s 192.168.2.173. Commented Nov 22, 2013 at 13:30
  • Updated the question. Commented Nov 22, 2013 at 13:39
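A diagnostic that follows the reasoning in the comments and the answer above (zero packet counters on the PREROUTING DNAT rules, and a DNAT rule with no matching filter/FORWARD ACCEPT): an added Python example, not from the question or any answer, that parses constructed `iptables -L -n -v -x` output; 203.0.113.10 is an assumed stand-in for $EXT_IP.

```python
import re

# Constructed sample output (not from the original question) in the layout of
# `iptables -t nat -L -n -v -x` and `iptables -L -n -v -x` (-x avoids K/M
# counter suffixes); it mirrors the question's two DNAT rules.
NAT_OUTPUT = """\
Chain PREROUTING (policy ACCEPT 12 packets, 720 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 DNAT       tcp  --  eth1   *       0.0.0.0/0            203.0.113.10         tcp dpt:80 to:192.168.2.173:80
       0          0 DNAT       tcp  --  eth1   *       0.0.0.0/0            203.0.113.10         tcp dpt:3306 to:192.168.2.173:3306
"""
FILTER_OUTPUT = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.173        tcp dpt:80
"""

# Columns: pkts bytes target prot opt in out source destination [match text]
RULE = re.compile(r"^\s*(\d+)\s+\d+\s+(\w+)\s+\w+\s+\S+\s+\S+\s+\S+\s+\S+\s+(\S+)\s*(.*)$")

def parse_chains(output):
    """Map chain name -> list of {pkts, target, dst, extra} from -L -n -v -x text."""
    chains, current = {}, None
    for line in output.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
            continue
        m = RULE.match(line)          # header and blank lines do not match
        if m and current is not None:
            pkts, target, dst, extra = m.groups()
            chains[current].append({"pkts": int(pkts), "target": target, "dst": dst, "extra": extra})
    return chains

def check_dnat(nat_output, filter_output):
    """Flag each nat/PREROUTING DNAT rule with a zero counter or no FORWARD ACCEPT for its target."""
    findings = []
    forward = parse_chains(filter_output).get("FORWARD", [])
    for rule in parse_chains(nat_output).get("PREROUTING", []):
        m = re.search(r"dpt:(\d+) to:([\d.]+):(\d+)", rule["extra"])
        if rule["target"] != "DNAT" or not m:
            continue
        ext_port, int_ip, int_port = m.groups()
        if rule["pkts"] == 0:   # nothing matched since the counters were last reset
            findings.append(f"port {ext_port}: DNAT counter is 0, no matching traffic since counters were reset")
        # FORWARD sees the post-DNAT destination, so match on the internal ip:port
        if not any(r["target"] == "ACCEPT" and r["dst"] == int_ip
                   and re.search(rf"dpt:{int_port}(\D|$)", r["extra"]) for r in forward):
            findings.append(f"port {ext_port}: no FORWARD ACCEPT rule for {int_ip}:{int_port}")
    return findings
```

Run `check_dnat` on the real outputs of the two commands the comment asks for; on the constructed sample it reports both counters at zero and the missing FORWARD rule for 3306.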

try this:

    echo "1" > /proc/sys/net/ipv4/ip_forward


You need POSTROUTING rules as well, for instance

    -A POSTROUTING -p tcp -o eth1 -m multiport --sports 80,3306 -s 192.168.2.173 -j SNAT --to-source $EXT_IP

  • Added that but to no avail. Testing http externally still gets me connection refused. Commented Nov 22, 2013 at 14:06
