Netfilter 1.2.7a (debian), rule (DNAT) problems
madmac@swipnet.se
Wed, 13 Nov 2002 17:41:57 +0100
Hello.
First of all my configuration is:
Debian Linux 3.0r0 w/ kernel 2.4.18-K7 on an x86 AMD Duron on a VIA KT133A chipset.
The system is configured with two NICs, namely two 3Com 3C905C 10/100-TX PCI
networking cards, and is acting partly as a server and partly as a router. I use it
for serving things like web to the outside and as a router to enable internet access
via it from my LAN, because my ISP only hands me one IP address. If it's of any
importance, I hand out IP addresses to my LAN via dhcpd. Oh yeah, it's a switched
10/100 Mbit Ethernet network.
eth1 (dynamic, 217.208.248.*) is connected to the net and eth0 (static, 192.168.0.1)
is connected to the LAN.
I've read the NAT HOWTO on netfilter.org and set up masquerading like this
(from my ruleset):
-A POSTROUTING -o eth1 -j MASQUERADE
and I've also done the following:
echo 1 > /proc/sys/net/ipv4/ip_forward
and edited /etc/network/options to correspond with the variable ip_forward=yes
Which works fine, I'm able to access the net via all the clients on my LAN
when using the server as my gateway.
Now I want to add a rule to forward all incoming data on port 4662 (TCP) from the
internet (eth1) to a server on my LAN, namely host 192.168.0.7 (via eth0), so I add
the following rule (under *nat):
-A PREROUTING -p tcp -m tcp -i eth1 --dport 4662 -j DNAT --to-destination 192.168.0.7:4662
After reloading iptables and trying to connect to or scan port 4662 on my external
IP, nothing happens, i.e. the port is closed (yes, the client is listening on 4662
but does not receive any connections from the server's eth0 (192.168.0.1)).
Anyone have any ideas for me?
I'm providing a copy of my ruleset made with iptables-save to provide
additional technical information:
# Generated by iptables-save v1.2.7a on Sun Nov 10 17:58:44 2002
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp -i eth1 --dport 4662 -j DNAT --to-destination 192.168.0.7:4662
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
Please note, I've tried to fiddle around with the rules _a lot_, so the above
is not a specific case of not-working rather than just one out of 100 examples.
Thanks in advance.
Henric Blomgren / Sweden.
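
Added example, not part of the original message: a Python check that reads iptables-save output like the dump above and reports, for each PREROUTING DNAT rule, what the filter table's FORWARD chain would do with the new connection once its destination has been rewritten. The filter table in SAMPLE, the function names and the lan_if parameter are assumptions for illustration; the post shows only the nat table.

```python
import shlex

# Constructed input: the nat rules from the post plus a hypothetical filter
# table (the post shows none) so the FORWARD check has rules to evaluate.
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp -i eth1 --dport 4662 -j DNAT --to-destination 192.168.0.7:4662
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

def parse(dump):
    """Return {table: {"policy": {chain: target}, "rules": [(chain, opts)]}}."""
    tables, cur = {}, None
    for line in map(str.strip, dump.splitlines()):
        if line.startswith("*"):
            cur = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif cur is not None and line.startswith(":"):
            chain, target = line[1:].split()[:2]
            cur["policy"][chain] = target
        elif cur is not None and line.startswith("-A "):
            tok = shlex.split(line)
            # Pair each option with the token after it ("!" negation is not handled).
            opts = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if i > 1 and t.startswith("-")}
            cur["rules"].append((tok[1], opts))
    return tables

def audit_forwards(dump, lan_if="eth0"):
    """Yield each DNAT forward with a simplified FORWARD verdict (exact host/port only)."""
    tables = parse(dump)
    # Assumption: a dump without *filter means no filter rules are loaded.
    flt = tables.get("filter", {"policy": {}, "rules": []})
    for chain, o in tables.get("nat", {}).get("rules", []):
        if chain != "PREROUTING" or o.get("-j") != "DNAT":
            continue
        ip, _, port = o["--to-destination"].partition(":")
        pkt = {"-i": o.get("-i"), "-o": lan_if, "-p": o.get("-p"), "-d": ip, "--dport": port or o.get("--dport")}
        hits = [f["-j"] for c, f in flt["rules"]
                if c == "FORWARD" and f.get("-j") in ("ACCEPT", "DROP", "REJECT")
                and "NEW" in f.get("--state", "NEW")
                and all(f.get(k, v) == v for k, v in pkt.items())]
        verdict = hits[0] if hits else flt["policy"].get("FORWARD", "ACCEPT")
        yield {"in": pkt["-i"], "to": f"{ip}:{pkt['--dport']}", "forward": verdict}
```

Match options other than the five in pkt and --state are ignored, so the verdict is a first-pass reading of the ruleset and not a replacement for watching the rule's packet counters.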