Hi R,
Is this diagram below accurate? Also, I take it the 'other computer(s)' at the bottom are 'the internet'?
Are you able to do any rearranging of your setup to test it? i.e. if you removed the Debian firewall and connected your server directly to the router. And/or put a computer between the firewall and the router and access the service with it?
My guess is that the packets are making it through, but are not able to make it all the way back. If you're just using DNAT, the returning packets will be addressed to 'other computer(s)' and the firewall mightn't know that it should forward to the router. If you SNAT as well as DNAT then the request would seem to come from the gateway (10.1.1.1 and 10.2.1.1 respectively depending on where in the diagram you look), which might help routing.
Can you run tcpdump on the firewall to see how far the packets are going?
server
10.2.1.15
|
|
10.2.1.1
firewall
10.1.1.77
|
|
10.1.1.1
router
1.2.3.4
|
|
other computer(s)
--
Aaron McDaid
-------------------------------------------------------------------------
RD's original message here (I clicked on the link at http://www.linux.ie/pipermail/ilug/2004-May/014759.html to reply)
Hi all,
I have a static IP (10.2.1.15) on which I need to have both TCP and UDP ports 5000 appearing to be external! The subnet I'm on has a firewall (Debian) with an int IP 10.2.1.1 & ext 10.1.1.77 with gw 10.2.1.1 obviously. The second firewall/router is a US Robotics ADSL Modem/Router with int IP 10.1.1.1 & ext 1.2.3.4.
When I lived in a house with just a Debian firewall and nothing configured on the modem the following worked:
iptables -A FORWARD -p udp -d 10.2.1.15 --dport 5000 -j ACCEPT
iptables -A PREROUTING -t nat -p udp -d fw-ext --dport 5000 -j DNAT --to 10.2.1.15:5000
iptables -A FORWARD -p tcp -d 10.2.1.15 --dport 5000 -j ACCEPT
iptables -A PREROUTING -t nat -p tcp -d fw-ext --dport 5000 -j DNAT --to 10.2.1.15:5000
I've tried the same commands with fw-ext=10.1.1.77 and setting a 'port range mapping' on the modem 10.1.1.77:5000-1.2.3.4:5000 for both UDP/TCP, but to no avail!
Any gurus out there that can help/explain!?
Many thanks,
R
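As an added example (not code from either message in the thread), here is R's port forward for both protocols written as a small script for the Debian firewall, with the SNAT that Aaron suggests added and the FORWARD rules narrowed to the translated service; the interface names eth0/eth1 and the DRY_RUN switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example: DNAT (as in R's rules) plus SNAT (Aaron's suggestion) for
# TCP and UDP 5000. Addresses are from the thread; interfaces are assumed.
FW_EXT=10.1.1.77     # firewall's outside address, what the router forwards to
FW_INT=10.2.1.1      # firewall's inside address, the server's gateway
SERVER=10.2.1.15
PORT=5000
EXT_IF=eth0          # assumption: interface towards the router
INT_IF=eth1          # assumption: interface towards the server

# With DRY_RUN set, print the rules instead of applying them, so the rule
# set can be reviewed (or tested) without root or iptables.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then echo "iptables $*"; else iptables "$@"; fi
}

forward_port() {
    proto=$1
    # Rewrite the destination of inbound traffic (what the original rules did).
    ipt -t nat -A PREROUTING -i "$EXT_IF" -p "$proto" -d "$FW_EXT" --dport "$PORT" \
        -j DNAT --to-destination "$SERVER:$PORT"
    # Also rewrite the source so the server answers its gateway rather than
    # the outside address directly (Aaron's SNAT suggestion).
    ipt -t nat -A POSTROUTING -o "$INT_IF" -p "$proto" -d "$SERVER" --dport "$PORT" \
        -j SNAT --to-source "$FW_INT"
    # Filter rules: only the translated service port, and only its replies.
    ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p "$proto" -d "$SERVER" --dport "$PORT" \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -p "$proto" -s "$SERVER" --sport "$PORT" \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

forward_service() {
    for proto in tcp udp; do forward_port "$proto"; done
}

# What to watch while testing: the request should appear on EXT_IF addressed
# to FW_EXT:PORT and on INT_IF addressed to SERVER:PORT.
capture_hint() {
    echo "tcpdump -ni $EXT_IF host $FW_EXT and port $PORT"
    echo "tcpdump -ni $INT_IF host $SERVER and port $PORT"
}

case "${1:-print}" in
    apply) forward_service ;;
    print) DRY_RUN=1; forward_service; capture_hint ;;
esac
```

With the SNAT in place the server's own logs record every connection as coming from 10.2.1.1, so the real client address has to be recovered from the firewall (its conntrack table or logging) rather than from the server.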