problem with port forward & dnat

for example
192.168.1.1 - internal ip
222.222.222.222 - external ip
1 linux pc + 1 eth interface

eth0 ip 192.168.1.1 + eth0:0 222.222.222.222

all works fine but

I want all traffic coming to 222.222.222.222:80 to go to 192.168.1.2:80

iptables rules like this:

iptables -t nat -A PREROUTING -p tcp -i eth0 -d 222.222.222.22 --dport 80 -j DNAT --to 192.168.1.2:80
iptables -A FORWARD -p tcp -i eth0 -d 192.168.1.2 --dport 80 -j ACCEPT

but the port forward doesn't work
all other ports on 222.222.222.222 I can see from outside

Sorry for my poor English

Hmm, I’m not sure that port forwarding will work the same way when you have only one interface and are using an alias for the second IP address. Why do you need port forwarding? Can’t you just let port 80 through?

Sorry, but I don't understand. How can I do this?

Just allow port 80 in the forward table. No DNAT.

Sorry, but where is the forward table in openSUSE? Do you mean iptables?
Or does openSUSE have a forward table?

The FORWARD chain in iptables.

Should you be editing iptables rules if you don’t understand iptables? Maybe you should be using YaST to manage SuSEfirewall2?

If I understand correctly, I must do it like this:

iptables -P FORWARD DROP
iptables -A FORWARD -i eth0:0 -s 192.168.1.2 -p tcp -m multiport --destination-port 80,443 -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j LOG --log-prefix "FORWARD DROP:"
iptables -A FORWARD -j DROP

but iptables doesn't allow doing this with aliases:

Warning: weird character in interface `eth0:0' (No aliases, :, ! or *).

So don’t use -i. And shouldn’t it be -d 222.222.222.222, since your packets are coming from the outside?
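
Added example, not part of any post in this thread: a small shell check for the two things discussed above, an alias name passed to -i and a DNAT rule whose -d does not equal the external address. The function name `lint_iptables_rules` is hypothetical; the sample input is the rules as posted above.

```shell
#!/bin/sh
# Added example, not from the thread. lint_iptables_rules is a hypothetical helper.
# Reads iptables command lines on stdin; $1 is the external address DNAT rules should match.
# Prints one finding per problem and returns 1 if anything was flagged.
lint_iptables_rules() (
    external_ip=$1
    n=0
    bad=0
    set -f                      # no glob expansion while splitting rule lines into words
    while IFS= read -r line; do
        n=$((n + 1))
        prev=
        dest=
        for word in $line; do
            case $prev in
                -i|-o|--in-interface|--out-interface)
                    # eth0:0 is only a label for a second address on eth0, not a device
                    case $word in
                        *:*)
                            echo "line $n: $prev $word is an alias, match its address with -d or -s instead"
                            bad=1 ;;
                    esac ;;
                -d|--destination)
                    dest=$word ;;
            esac
            prev=$word
        done
        # A DNAT rule with -d only fires when -d equals the address clients connect to
        case $line in
            *"-j DNAT"*)
                if [ -n "$dest" ] && [ "$dest" != "$external_ip" ]; then
                    echo "line $n: DNAT matches -d $dest, expected $external_ip"
                    bad=1
                fi ;;
        esac
    done
    [ "$bad" -eq 0 ]
)

# Rules as posted in the thread (constructed input for the check)
sample_rules='iptables -t nat -A PREROUTING -p tcp -i eth0 -d 222.222.222.22 --dport 80 -j DNAT --to 192.168.1.2:80
iptables -A FORWARD -p tcp -i eth0 -d 192.168.1.2 --dport 80 -j ACCEPT
iptables -A FORWARD -i eth0:0 -s 192.168.1.2 -p tcp -m multiport --destination-port 80,443 -m state --state NEW -j ACCEPT'

printf '%s\n' "$sample_rules" | lint_iptables_rules 222.222.222.222 || true
```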