Port forwarding: Works to other device, but not server

http://forums.fedoraforum.org – If I forward port 5764 to port 80 to my VOIP device, I can nmap and get a proper connection. If I forward port 5764 to port 22 to my server, it comes up filtered. It even happens if I try forwarding port 80 to my server. So I'm sure it has something to do with my server, but I'm not sure. Here's my Linksys iptables:

Code:
:wanin - [0:0]
-A FORWARD -i vlan1 -j wanin
-A wanin -p tcp -m tcp -d 192.168.2.2 --dport 80 -j ACCEPT
-A wanin -p udp -m udp -d 192.168.2.8 -m mport --dports 5060,5061 -j ACCEPT
-A wanin -p udp -m udp -d 192.168.2.8 --dport 10000:20000 -j ACCEPT

# cat /etc/iptables |grep 80
-A PREROUTING -p tcp -d xx.xx.xx.xx --dport 5764 -j DNAT --to-destination 192.168.2.2:80
-A POSTROUTING -p tcp --dport 80 -s 192.168.2.1/255.255.255.0 -d 192.168.2.2 -j SNAT --to-source xx.xx.xx.xx
-A wanin -p tcp -m tcp -d 192.168.2.2 --dport 80 -j ACCEPT

# cat /etc/iptables
*mangle
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i vlan1 -d 192.168.2.1/255.255.255.0 -j DROP
-A PREROUTING -p udp -s 192.168.2.1/255.255.255.0 ! -d 192.168.2.1/255.255.255.0 --dport 53 -j DNAT --to-destination 192.168.2.1
-A PREROUTING -p icmp -d xx.xx.xx.xx -j DNAT --to-destination 192.168.2.1
-A PREROUTING -p tcp -m tcp -d xx.xx.xx.xx --dport 56983 -j DNAT --to-destination 192.168.2.1:443
-A PREROUTING -p tcp -m tcp -d xx.xx.xx.xx --dport 56982 -j DNAT --to-destination 192.168.2.1:22
-A PREROUTING -p tcp -d xx.xx.xx.xx --dport 5764 -j DNAT --to-destination 192.168.2.2:80
-A POSTROUTING -p tcp --dport 80 -s 192.168.2.1/255.255.255.0 -d 192.168.2.2 -j SNAT --to-source xx.xx.xx.xx
-A PREROUTING -p udp -d xx.xx.xx.xx -m mport --dports 5060,5061 -j DNAT --to-destination 192.168.2.8
-A POSTROUTING -p udp -m mport --dports 5060,5061 -s 192.168.2.1/255.255.255.0 -d 192.168.2.8 -j SNAT --to-source xx.xx.xx.xx
-A PREROUTING -p udp -d xx.xx.xx.xx --dport 10000:20000 -j DNAT --to-destination 192.168.2.8
-A POSTROUTING -p udp --dport 10000:20000 -s 192.168.2.1/255.255.255.0 -d 192.168.2.8 -j SNAT --to-source xx.xx.xx.xx
-A POSTROUTING -o vlan1 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i br0 -d 69.92.51.22 -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp -d 192.168.2.1 --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp -d 192.168.2.1 --dport 22 -j ACCEPT
:FORWARD DROP [0:0]
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1461: -j TCPMSS --set-mss 1460
:wanin - [0:0]
:wanout - [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i vlan1 -j wanin
-A FORWARD -o vlan1 -j wanout
-A FORWARD -i br0 -j ACCEPT
-A wanin -p tcp -m tcp -d 192.168.2.2 --dport 80 -j ACCEPT
-A wanin -p udp -m udp -d 192.168.2.8 -m mport --dports 5060,5061 -j ACCEPT
-A wanin -p udp -m udp -d 192.168.2.8 --dport 10000:20000 -j ACCEPT
COMMIT

And here's my server's iptables:

Code:
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ra0 -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m multiport --dports 20,22,21,25,53,69,80,111,139,161,443,445,631,636 --syn -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m multiport --dports 849,875,898,990,2049,8037,9830,32803,51235,56750 --syn -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW -m multiport --dports 20,21,53,67,69,111,123,137,138,161,631,849,875,989 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW -m multiport --dports 990,1812,1813,1900,2049,5353,32769,56750 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
*mangle
COMMIT
*nat
-A POSTROUTING -o ra0 -j MASQUERADE
COMMIT

Thanks for helping
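The router rules above show the two halves a working port forward needs: a nat PREROUTING DNAT (external 5764 to 192.168.2.2:80) and a matching ACCEPT in the filter chain that WAN traffic is forwarded through (wanin, jumped to from FORWARD for vlan1 input), since the FORWARD policy is DROP. The script below is an added example, not code from the post or the forum; it parses iptables-save style rules and reports every DNAT target that no forward ACCEPT covers. Its sample rules are the router's own, cut down, plus one constructed DNAT for a server at an assumed address 192.168.2.3 on an assumed external port 5765.

```python
import re

# Constructed sample: the router rules quoted above, cut to the lines that matter for a
# WAN->LAN forward, plus a hypothetical DNAT (5765 -> 192.168.2.3:22; assumed server address).
SAMPLE_RULES = """\
*nat
-A PREROUTING -p tcp -d xx.xx.xx.xx --dport 5764 -j DNAT --to-destination 192.168.2.2:80
-A PREROUTING -p tcp -d xx.xx.xx.xx --dport 5765 -j DNAT --to-destination 192.168.2.3:22
-A PREROUTING -p udp -d xx.xx.xx.xx -m mport --dports 5060,5061 -j DNAT --to-destination 192.168.2.8
-A PREROUTING -p udp -d xx.xx.xx.xx --dport 10000:20000 -j DNAT --to-destination 192.168.2.8
*filter
-A FORWARD -i vlan1 -j wanin
-A wanin -p tcp -m tcp -d 192.168.2.2 --dport 80 -j ACCEPT
-A wanin -p udp -m udp -d 192.168.2.8 -m mport --dports 5060,5061 -j ACCEPT
-A wanin -p udp -m udp -d 192.168.2.8 --dport 10000:20000 -j ACCEPT
"""

def _opt(rule, flag):
    """Argument following `flag` in one rule line, or None."""
    m = re.search(r"(?:^|\s)" + re.escape(flag) + r"\s+(\S+)", rule)
    return m.group(1) if m else None

def _ports(rule):
    """Port set from --dport/--dports ('80', '5060,5061', '10000:20000'); None if absent."""
    spec = _opt(rule, "--dport") or _opt(rule, "--dports")
    lo_hi = [part.partition(":") for part in spec.split(",")] if spec else []
    return {p for lo, _, hi in lo_hi for p in range(int(lo), int(hi or lo) + 1)} or None

def dnat_targets(rules):
    """(proto, lan_ip, ports) per nat PREROUTING DNAT; no port in --to-destination keeps the original."""
    out = []
    for r in rules.splitlines():
        if r.startswith("-A PREROUTING") and "-j DNAT" in r:
            ip, _, port = _opt(r, "--to-destination").partition(":")
            out.append((_opt(r, "-p"), ip, {int(port)} if port else _ports(r)))
    return out

def unforwarded(rules, chains=("FORWARD", "wanin")):
    """DNAT targets with ports that no ACCEPT in the WAN->LAN filter chains covers: such packets
    are rewritten in PREROUTING, then hit FORWARD's DROP policy. -i/-o and state are not modelled."""
    accepts = [r for r in rules.splitlines()
               if r.startswith(tuple(f"-A {c} " for c in chains)) and r.endswith("-j ACCEPT")]
    missing = []
    for proto, ip, ports in dnat_targets(rules):
        allowed = set()
        for a in accepts:
            if _opt(a, "-p") == proto and _opt(a, "-d") == ip:
                allowed |= _ports(a) or ports   # ACCEPT without --dport covers every port
        if ports - allowed:
            missing.append((proto, ip, sorted(ports - allowed)))
    return missing
```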