problem with netfilter & portforwarding

Heusden, Folkert van f.v.heusden@ftr.nl
Mon, 11 Jun 2001 11:11:30 +0200


Hi,

I'm having headaches with netfilter; I can't get it to work.
Using kernel 2.4.5.
Situation: a PC connected to the internet with about 4 IP
addresses (using IP aliasing). It's supposed to do
masquerading for the eth1 network (eth0 is connected to
the internet). Furthermore, it should forward connections
to ports 25 and 110 to a host on the intranet (on eth1).
With the HOWTOs and all I created the following script,
which won't work; masquerading works, port forwarding
won't; users from the internet can't connect to either
port 25 or 110.
Anyone out there who can tell me what I'm doing wrong
here?
Thank you.

#!/bin/sh

/bin/echo 1 > /proc/sys/net/ipv4/ip_forward
/bin/echo 1 > /proc/sys/net/ipv4/tcp_syncookies
/bin/echo 1 > /proc/sys/net/ipv4/tcp_ecn

/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp

/usr/local/sbin/iptables -F INPUT
/usr/local/sbin/iptables -F OUTPUT
/usr/local/sbin/iptables -F FORWARD
/usr/local/sbin/iptables -P FORWARD DROP

/usr/local/sbin/iptables -A INPUT -i eth1 -s 192.168.0.0/23 -d 0/0 -j ACCEPT
# intranet -> internet is open; internet -> intranet only for established/related traffic
/usr/local/sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
/usr/local/sbin/iptables -A FORWARD -o eth1 -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

/usr/local/sbin/iptables -A INPUT -i eth0 -d 192.168.0.0/24 -j DROP
/usr/local/sbin/iptables -A INPUT -i eth0 -s 192.168.0.0/24 -d 0/0 -j DROP
/usr/local/sbin/iptables -A INPUT -i eth1 -s 0/0 -d 0/0 -j DROP
/usr/local/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j MASQUERADE

# here comes the portforwarding
# I tried both these:
#/usr/local/sbin/iptables -A PREROUTING -t nat -p tcp -d mail.ftr.nl --dport 25 -j DNAT --to 192.168.0.1:25
#/usr/local/sbin/iptables -A PREROUTING -t nat -p tcp -d mail.ftr.nl --dport 110 -j DNAT --to 192.168.0.1:110
#/usr/local/sbin/iptables -A PREROUTING -t nat -p tcp -d mail.ftr.nl --dport 10000 -j DNAT --to 192.168.0.1:80
# and these:
/usr/local/sbin/iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 25 -j DNAT --to 192.168.0.1:25
/usr/local/sbin/iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 110 -j DNAT --to 192.168.0.1:110
/usr/local/sbin/iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 10000 -j DNAT --to 192.168.0.1:80
# ...none work

# (didn't try the following one)
/usr/local/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080
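As an added example (not from the original post or the netfilter project), here is the rule the posted script lacks: DNAT in nat/PREROUTING only rewrites the destination, and the rewritten packet must then pass filter/FORWARD, where the script admits eth0 to eth1 traffic only in state ESTABLISHED,RELATED, so the first SYN of every forwarded connection hits the DROP policy. The interface names, 192.168.0.1 and the iptables path come from the post; the IPT dry-run variable and the "apply" argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): DNAT rules plus the
# filter/FORWARD rule the posted script is missing.
# Assumed names: eth0 = internet side, eth1 = intranet, mail host 192.168.0.1.
# Set IPT=echo (or a shell function) for a dry run that only prints the rules.
IPT="${IPT:-/usr/local/sbin/iptables}"
WAN=eth0
LAN=eth1
MAILHOST=192.168.0.1
FWD_PORTS="25 110"

dnat_rules() {
    # nat/PREROUTING rewrites the destination before the routing decision,
    # so the packet then enters filter/FORWARD with dst 192.168.0.1 and
    # conntrack state NEW. With "-P FORWARD DROP" and eth0->eth1 limited to
    # ESTABLISHED,RELATED, that first SYN is dropped: DNAT alone is not enough.
    for port in $FWD_PORTS; do
        $IPT -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$port" \
            -j DNAT --to-destination "$MAILHOST:$port"
        # Allow only the forwarded ports to open new connections to the mail host;
        # replies go eth1->eth0, which the script already accepts.
        $IPT -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$MAILHOST" --dport "$port" \
            -m state --state NEW -j ACCEPT
    done
}

# Apply only when asked for, so the file can be sourced or dry-run safely.
if [ "${1:-}" = "apply" ]; then
    dnat_rules
fi
```

Run it as `IPT=echo sh forward.sh apply` first to see the exact rules before loading them on the firewall.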