# iptables not routing correctly

## bonito

Hello, if anyone can help me with this problem I would appreciate it.  I am trying to have users on an external network (the internet) access a server daemon running on an internal machine.  I have had this working previously but now it seems not to work.  Here is what I currently do, can anyone tell me if there is anything else I should do to make it work?

```shell
echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -t nat -A PREROUTING -p tcp --dport 123 -i eth0 -j DNAT --to 192.168.10.1:123
iptables -t nat -A PREROUTING -p tcp --dport 124 -i eth0 -j DNAT --to 192.168.10.1:124
iptables -t nat -A PREROUTING -p udp --dport 123 -i eth0 -j DNAT --to 192.168.10.1:123
iptables -t nat -A PREROUTING -p udp --dport 124 -i eth0 -j DNAT --to 192.168.10.1:124
```

PS: I do have all the netfilter options compiled into the kernel, and it is a Gentoo machine.

----------

## Damasz

I had to enable the way back as well, so my setup is:

```shell
/sbin/iptables -t nat -A PREROUTING -i eth0 -d 1.2.3.4 -j DNAT --to-destination 5.6.7.8
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 1.2.3.4
```

The last line should do the trick for you.

----------

## bonito

Thanks for the tip, but actually I found out now that it isn't a case of what I have been typing not working correctly, as I have managed to get it working on a Mandrake box with the same commands I had used before. I am now compiling a new kernel with every possible TCP/IP networking option enabled, with all netfilter options enabled and the options recommended to be enabled as stated on the netfilter website. I hope this works; it is critical for me to have this working when it comes to convincing my boss to implement Gentoo at the office... and after using Mandrake the past year, I WANT Gentoo.

Update: I just recompiled the kernel and tested it, and the routing I am attempting is still not working.  I am at a loss for what to do.

----------

## Scrapz

When you test it, are you getting someone on the external network (the internet) to test it for you? Because if you test from the internal network, it won't work. The rules are set to listen to the external network for requests and only forward from the external network. So chances are it is working already, you just can't test it from the internal network. I suppose you could make rules to forward on the internal network by duplicating your current rules, substituting eth0 for eth1. I haven't tried this; my guess is it would make it messy and even get into loops.

TTFN,

Scrapz

----------

## klieber

A very, very good iptables tutorial can be found here

--kurt

----------

## hamletmun

HOWTO - Make your Internet Connection Sharing work

From ISP to GENTOO - (eth0: DHCP or static IP)

From GENTOO to WINDOWS - (eth1: 192.168.0.1)

1. `insmod your.nic.module` (e.g. `insmod 3c59x`) for both NICs, if they differ.

2. If your ISP uses DHCP: `dhcpcd eth0`

   If static: `ifconfig eth0 your.static.ip netmask 255.255.255.0`, then `route add default gw your.isp.gateway`

Now it is time to configure the connection sharing. This is just for kernels 2.4.x and newer with iptables.

1. `insmod iptable_nat`

2. `echo 1 > /proc/sys/net/ipv4/ip_forward`

3. Flush and set the rules:

```shell
iptables -F
iptables -t nat -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
```

   (if your Linux box uses eth0 to connect to your ISP)

4. On the Windows machine: 192.168.0.1 as the gateway, and the numbers from your /etc/resolv.conf as the DNS servers.
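An added example, not posted by anyone in this thread, that ties the posts together: bonito's DNAT rules, Scrapz's point that a test from inside the LAN needs its own (hairpin) rules, and the HOWTO's masquerade, but with the FORWARD chain defaulting to DROP instead of ACCEPT so only the forwarded ports and their return traffic pass. The interface names, 192.168.10.1 and 192.0.2.10 (a documentation address standing in for the router's public IP) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Generates or applies a port-forward
# rule set. Default is a dry run that prints the iptables commands; run as
# root with IPT=iptables to apply them. eth0 external, eth1 internal and
# 192.168.10.1 as the server are assumptions taken from the thread.
IPT="${IPT:-echo iptables}"

# forward_baseline EXT_IF
# Default-deny FORWARD, allow return traffic, masquerade outbound packets.
forward_baseline() {
    ext_if=$1
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$ext_if" -j MASQUERADE
}

# port_forward EXT_IF INT_IP PORT PROTO
# DNAT alone (the original rules) only rewrites the destination; the packet
# still has to pass FORWARD, so accept just this new flow there.
port_forward() {
    ext_if=$1; int_ip=$2; port=$3; proto=$4
    $IPT -t nat -A PREROUTING -i "$ext_if" -p "$proto" --dport "$port" \
        -j DNAT --to-destination "$int_ip:$port"
    $IPT -A FORWARD -i "$ext_if" -p "$proto" -d "$int_ip" --dport "$port" \
        -m conntrack --ctstate NEW -j ACCEPT
}

# hairpin_forward INT_IF INT_NET PUB_IP INT_IP PORT PROTO
# Lets LAN hosts test via the public address: DNAT on the internal
# interface, then SNAT so the server's reply returns through the router
# instead of going straight to the client (which would break the flow).
hairpin_forward() {
    int_if=$1; int_net=$2; pub_ip=$3; int_ip=$4; port=$5; proto=$6
    $IPT -t nat -A PREROUTING -i "$int_if" -d "$pub_ip" -p "$proto" \
        --dport "$port" -j DNAT --to-destination "$int_ip:$port"
    $IPT -t nat -A POSTROUTING -s "$int_net" -d "$int_ip" -p "$proto" \
        --dport "$port" -j MASQUERADE
    $IPT -A FORWARD -i "$int_if" -o "$int_if" -p "$proto" -d "$int_ip" \
        --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
}

# Dry-run demo with the ports from the thread; 192.0.2.10 is a
# documentation address standing in for the router's public IP.
forward_baseline eth0
for proto in tcp udp; do
    port_forward eth0 192.168.10.1 123 "$proto"
    port_forward eth0 192.168.10.1 124 "$proto"
done
hairpin_forward eth1 192.168.10.0/24 192.0.2.10 192.168.10.1 123 tcp
```

Run it once without IPT set to review the generated rules, then as root with `IPT=iptables` to apply them; the FORWARD policy DROP means any port not passed through port_forward stays blocked.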

----------

