DNAT and port #5405
Tue, 14 Aug 2001 04:41:24 +1000
Hi Rusty et al.
I have a decent problem (I think) and having spent the last three days
learning quite a bit of stuff about ipchains and then iptables from
scratch, I still can't figure it out. So... help!!!!
The problem is:
I have a Win2K box (sorry) running a program that uses http (port 80) and a
proprietary mechanism on port 5405 to offer a remote demonstration/training
facility via ActiveX and a web browser.
Not wanting to put my Win2K box naked on the internet, I determined to hide
it behind a firewall. To make this work I needed destination NAT to make
184.108.40.206 (eth0) translate to 192.168.0.40 for both ports.
To make this happen, I eventually (after trying ipchains on RH6.2) set up a
RedHat 7.1 box, and then;
enabled ip forwarding:-
echo 1 > /proc/sys/net/ipv4/ip_forward
let my local network get access to the internet via the RH box:-
iptables -t nat -A POSTROUTING -j MASQUERADE
enabled (blanket so I thought) DNAT to send anything coming to 220.127.116.11
iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 192.168.0.40
However, all I got was the http working, so I could see the page, but the
embedded ActiveX command (which uses port 5405) didn't fire up. I checked
by connecting directly to the 192... network, and it worked fine, so the
problem must be in the DNAT.
I did a tcpdump, but although I could see tons of http (18.104.22.168.http)
going backwards and forwards, and DNAT working nicely, there was not a
single packet using port 5405, ie 22.214.171.124.5405.
In desperation, I tried adding individual rules, with:-
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 5405 -j DNAT --to
After a bit, I even added a:-
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 5405 -j DNAT --to
just in case!
Still nothing. Port 80, or http, trundling along fine - no sign of port
Finally I noticed /proc/sys/net/ipv4/ip_local_port_range which had a value
of 1024 4999.
Thinking there might be something here (it's called clutching at straws...)
I changed it to read 1024 5499, to include the port 5405 stuff, but to no
avail. I even tried rebooting the entire system, but the ip_local_etc...
changed itself back to 1024 4999, so that was no help.
Can you please assist in any way? I'm up against the wall. I know it's
going to be something very simple, but for the life of me I can't find
it... Of course, all this has taken me all weekend and Monday, as I
religiously try, test, and revert, one thing at a time. Mega tedious!
Thanking in advance anyone who can put me out of my misery.
PS - Product I'm using FYI is NetSupport Manager - www.pci.co.uk.