I'm hoping there's something obvious I've missed here. I have NAT rules set up to forward a few different ports to an internal machine. When a request comes in from the internet, everything works as planned.
However, if I hit my external IP from inside the network with the same port, the request terminates at the firewall machine instead of being forwarded to the right place.
Is there something obvious that I'm doing wrong? The generated iptables rules are below.
# Generated by iptables-save v1.4.4 on Wed Sep 7 20:36:37 2011
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:Cid4488E49C.0 - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.11/32 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -s XXX.XXX.XXX.XXX/32 -m state --state NEW -j ACCEPT
-A INPUT -s 10.0.0.1/32 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 5050,22,5900 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 67 -m state --state NEW -j ACCEPT
-A INPUT -s 10.0.0.0/24 -m state --state NEW -j ACCEPT
-A INPUT -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.0.0.11/32 -p tcp -m tcp --dport 5900 -m state --state NEW -j ACCEPT
-A FORWARD -d 10.0.0.10/32 -p tcp -m tcp --dport 5050 -m state --state NEW -j ACCEPT
-A FORWARD -s 10.0.0.0/24 -m state --state NEW -j ACCEPT
-A FORWARD -j DROP
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 10.0.0.11/32 -p tcp -m tcp --sport 22 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -m state --state NEW -j ACCEPT
-A OUTPUT -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp -m multiport --dports 5050,22,5900 -m state --state NEW -j Cid4488E49C.0
-A OUTPUT -p udp -m udp --dport 67 -m state --state NEW -j Cid4488E49C.0
-A OUTPUT -d 10.0.0.11/32 -p tcp -m tcp --dport 5900 -m state --state NEW -j ACCEPT
-A OUTPUT -d 10.0.0.10/32 -p tcp -m tcp --dport 5050 -m state --state NEW -j ACCEPT
-A OUTPUT -s 10.0.0.0/24 -m state --state NEW -j ACCEPT
-A OUTPUT -j DROP
-A Cid4488E49C.0 -d XXX.XXX.XXX.XXX/32 -j ACCEPT
-A Cid4488E49C.0 -d 10.0.0.1/32 -j ACCEPT
COMMIT
# Completed on Wed Sep 7 20:36:37 2011
# Generated by iptables-save v1.4.4 on Wed Sep 7 20:36:37 2011
*nat
:PREROUTING ACCEPT [114:15633]
:POSTROUTING ACCEPT [1:48]
:OUTPUT ACCEPT [1:48]
-A PREROUTING -d XXX.XXX.XXX.XXX/32 -p tcp -m tcp --dport 5050 -j DNAT --to-destination 10.0.0.10:5050
-A PREROUTING -d XXX.XXX.XXX.XXX/32 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 10.0.0.11:5900
-A POSTROUTING -s 10.0.0.0/24 -o eth1 -j MASQUERADE
-A OUTPUT -d XXX.XXX.XXX.XXX/32 -p tcp -m tcp --dport 5050 -j DNAT --to-destination 10.0.0.10:5050
-A OUTPUT -d XXX.XXX.XXX.XXX/32 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 10.0.0.11:5900
COMMIT
# Completed on Wed Sep 7 20:36:37 2011
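The nat table above has a DNAT for traffic to the external address but nothing that rewrites the source of connections that come in from the LAN side, which is what NAT loopback (hairpin NAT) needs. The script below is an added example, not the poster's ruleset, showing the pair of rules per forward: the DNAT that is already present plus a POSTROUTING MASQUERADE for LAN-sourced traffic to the forwarded host. It assumes the documentation address 198.51.100.10 in place of XXX.XXX.XXX.XXX and eth1 as the WAN interface (as in the existing MASQUERADE rule); by default it only prints the iptables commands, and runs them when invoked as root with APPLY=1.

```shell
#!/bin/sh
# Hairpin NAT (NAT loopback) for the two port forwards in the question.
# Added example, not the poster's ruleset. WAN_IP is a documentation
# address standing in for XXX.XXX.XXX.XXX; eth1 is the WAN interface, as in
# the poster's MASQUERADE rule. Run as root with APPLY=1 to execute the
# commands; the default is a dry run that only prints them.
set -eu

WAN_IP="${WAN_IP:-198.51.100.10}"     # stand-in for XXX.XXX.XXX.XXX
LAN_NET="10.0.0.0/24"
WAN_IF="${WAN_IF:-eth1}"

# Forwards from the question, as proto:public_port:target:target_port.
FORWARDS="tcp:5050:10.0.0.10:5050 tcp:5900:10.0.0.11:5900"

# Emit the nat rules for one forward. The question's table has only the
# PREROUTING DNAT. That already rewrites a LAN client's SYN to the target,
# but the client's source address is left alone, so the target answers the
# client directly on the LAN with a source of 10.0.0.x instead of $WAN_IP,
# and the client's TCP stack discards the SYN-ACK. The POSTROUTING rule
# masquerades LAN-sourced hairpin traffic behind the firewall's own LAN
# address, so the reply returns through the firewall and conntrack undoes
# both translations.
hairpin_rules() {
    proto=$1 port=$2 dst=$3 dport=$4
    echo "iptables -t nat -A PREROUTING -d $WAN_IP/32 -p $proto --dport $port -j DNAT --to-destination $dst:$dport"
    echo "iptables -t nat -A POSTROUTING -s $LAN_NET -d $dst/32 -p $proto --dport $dport -j MASQUERADE"
}

# Rule common to all forwards: the existing outbound masquerade on the WAN side.
base_rules() {
    echo "iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE"
}

all_rules() {
    base_rules
    for f in $FORWARDS; do
        oldifs=$IFS; IFS=:; set -- $f; IFS=$oldifs   # split proto:port:dst:dport
        hairpin_rules "$1" "$2" "$3" "$4"
    done
}

# Number of hairpin MASQUERADE rules in the generated set (one per forward).
count_hairpin() {
    all_rules | grep -c -e '-d 10\.0\.0\.[0-9]*/32 .*-j MASQUERADE'
}

if [ "${APPLY:-0}" = 1 ]; then
    all_rules | sh -e
else
    all_rules
fi
```

After applying, connect from a LAN host to the external address on 5050 or 5900 and watch the packet counter on the new POSTROUTING rule with `iptables -t nat -vnL POSTROUTING`; if it stays at zero the DNAT is not being hit for LAN traffic at all. The trade-off of masquerading is that 10.0.0.10 and 10.0.0.11 see every hairpinned connection as coming from the firewall's LAN address rather than the real client, so their own logs and access lists lose the client IP. Connections originated on the firewall itself are a separate case, already covered by the nat OUTPUT rules in the dump.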