DNAT and port #5405
Colin Wilson
colin@techni.com.au
Tue, 14 Aug 2001 04:41:24 +1000
Hi Rusty et al.
I have a decent problem (I think) and having spent the last three days
learning quite a bit of stuff about ipchains and then iptables from
scratch, I still can't figure it out. So... help!!!!
The problem is:
I have a Win2K box (sorry) running a program that uses http (port 80) and a
proprietary mechanism on port 5405 to offer a remote demonstration/training
facility via ActiveX and a web browser.
Not wanting to put my Win2K box naked on the internet, I determined to hide
it behind a firewall. To make this work I needed destination NAT to make
203.33.99.20 (eth0) translate to 192.168.0.40 for both ports.
To make this happen, I eventually (after trying ipchains on RH6.2) set up a
RedHat 7.1 box, and then:
enabled ip forwarding:-
echo 1 > /proc/sys/net/ipv4/ip_forward
let my local network get access to the internet via the RH box:-
iptables -t nat -A POSTROUTING -j MASQUERADE
enabled (blanket so I thought) DNAT to send anything coming to 203.33.99.20
to 192.168.0.40:-
iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 192.168.0.40
However, all I got was the http working, so I could see the page, but the
embedded ActiveX command (which uses port 5405) didn't fire up. I checked
by connecting directly to the 192... network, and it worked fine, so the
problem must be in the DNAT.
I did a tcpdump, but although I could see tons of http (203.33.99.20.http)
going backwards and forwards, and DNAT working nicely, there was not a
single packet using port 5405, ie 203.33.99.20.5405.
In desperation, I tried adding individual rules, with:-
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.0.40:80
and
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 5405 -j DNAT --to 192.168.0.40:5405
After a bit, I even added a:-
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 5405 -j DNAT --to 192.168.0.40:5405
just in case!
Still nothing. Port 80, or http, trundling along fine - no sign of port
5405 anywhere!!
Finally I noticed /proc/sys/net/ipv4/ip_local_port_range which had a value
of 1024 4999.
Thinking there might be something here (it's called clutching at straws...)
I changed it to read 1024 5499, to include the port 5405 stuff, but to no
avail. I even tried rebooting the entire system, but the ip_local_etc...
changed itself back to 1024 4999, so that was no help.
Can you please assist in any way? I'm up against the wall. I know it's
going to be something very simple, but for the life of me I can't find
it... Of course, all this has taken me all weekend and Monday, as I
religiously try, test, and revert, one thing at a time. Mega tedious!
Thanking in advance anyone who can put me out of my misery.
Colin Wilson.
PS - Product I'm using FYI is NetSupport Manager - www.pci.co.uk.
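Added example (not part of Colin's post): the same two-port DNAT as a small script, with the port-forwards limited to tcp/80 and tcp/5405, MASQUERADE restricted to the public interface, and the FORWARD rules a default-deny firewall needs before translated packets actually reach 192.168.0.40. It assumes eth1 is the LAN-side interface and adds an IPT override (e.g. IPT=echo) so the rules can be printed instead of applied.

```shell
#!/bin/sh
# Assumptions (not from the post): eth1 faces 192.168.0.0/24, and IPT may be
# overridden with IPT=echo to print the rules instead of loading them.
IPT="${IPT:-iptables}"
PUB_IF=eth0
LAN_IF=eth1
PUB_IP=203.33.99.20
SRV_IP=192.168.0.40
PORTS="80 5405"

apply_rules() {
    # One explicit rule per port. The blanket "-j DNAT --to 192.168.0.40"
    # in the post hands every inbound port on 203.33.99.20 to the Win2K box;
    # this only maps the two the application needs.
    for p in $PORTS; do
        $IPT -t nat -A PREROUTING -i "$PUB_IF" -d "$PUB_IP" -p tcp --dport "$p" \
            -j DNAT --to-destination "$SRV_IP:$p"
        # DNAT only rewrites the address; the FORWARD chain still has to let
        # the rewritten packet through to the internal host.
        $IPT -A FORWARD -i "$PUB_IF" -o "$LAN_IF" -d "$SRV_IP" -p tcp --dport "$p" \
            -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    done
    # LAN-originated sessions out, and replies for anything already tracked.
    $IPT -A FORWARD -i "$LAN_IF" -o "$PUB_IF" -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -P FORWARD DROP
    # Masquerade only traffic leaving on the public interface, not everything.
    $IPT -t nat -A POSTROUTING -o "$PUB_IF" -j MASQUERADE
}

# Sanity check: number of rule lines the script would emit for a given port
# (two per mapped port: the PREROUTING DNAT and the matching FORWARD accept).
count_rules_for_port() {
    ( IPT=echo; apply_rules ) | grep -c -- "--dport $1"
}

case "${1:-}" in
    apply) apply_rules ;;
    show)  ( IPT=echo; apply_rules ) ;;
esac
```

Run it as `sh dnat.sh show` to review the rules, then `sh dnat.sh apply` as root; `tcpdump -ni eth1 port 5405` on the LAN side then shows whether the translated packets are leaving the firewall.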