Port forwarding not working (nfcan: to exclusive)

neil at JAMMConsulting.com neil at JAMMConsulting.com
Sun Apr 29 06:56:33 CEST 2007


Jim:

> The outside should be able to initiate
> so the first rule looks good:
>
> /sbin/iptables -A FORWARD -i eth0 -o eth1 -d $LINKSYS_VPN_IP
> 	-p tcp --sport 1024: --dport 1723
> 	-m state --state NEW,ESTABLISHED -j ACCEPT
>
> But you need to accept the return packets.
> How about this for the return pattern:
>
> /sbin/iptables -A FORWARD -i eth1 -o eth0 -s $LINKSYS_VPN_IP
> 	-p tcp --sport 1723
> 	-m state --state ESTABLISHED -j ACCEPT

That is my point.  Without this rule, I should see packets
hitting the firewall in the log.  I dont see them.

I can add this rule, but I dont think the return packets are
coming back correctly.

> The accept in the nat postrouting can be removed.

I need that as I also set the nat postrouting to drop
by default.

Would it help to see my entire firewall script?

Thanks,
  Neil

--
Neil Aggarwal
JAMM Consulting, Inc.




More information about the netfilter mailing list