iptables port forwarding does not work while I have 2 routes

Hi,

On my linux server I have 2 routes:

    nexthop via 123.201.254.5  dev eth0 weight 38
    nexthop via 111.93.155.149  dev eth2 weight 36

I have an iptables rule like:

iptables -t nat -A PREROUTING -p tcp -i eth0 -d 123.201.254.7 --dport 84 -j DNAT --to 192.168.1.200:80

Now, when I try to telnet from the public side, it does not work:

telnet 123.201.254.7 84
Trying 123.201.254.7...

tcpdump:

[root@firewall ~]# tcpdump -i eth0 -n -n port 84 
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
08:28:26.630850 IP 180.151.36.168.41514 > 123.201.254.7.84: S 3097544796:3097544796(0) win 14600 <mss 1460,sackOK,timestamp 1963738 0,nop,wscale 4> 
08:28:29.635321 IP 180.151.36.168.41514 > 123.201.254.7.84: S 3097544796:3097544796(0) win 14600 <mss 1460,sackOK,timestamp 1964490 0,nop,wscale 4> 
08:28:35.642453 IP 180.151.36.168.41514 > 123.201.254.7.84: S 3097544796:3097544796(0) win 14600 <mss 1460,sackOK,timestamp 1965992 0,nop,wscale 4> 
08:28:47.674757 IP 180.151.36.168.41514 > 123.201.254.7.84: S 3097544796:3097544796(0) win 14600 <mss 1460,sackOK,timestamp 1969000 0,nop,wscale 4> 
08:29:11.704090 IP 180.151.36.168.41514 > 123.201.254.7.84: S 3097544796:3097544796(0) win 14600 <mss 1460,sackOK,timestamp 1975008 0,nop,wscale 4>              

Could somebody please advise what is missing?

Thanks
Ashok

Funny, the first packet normally is SYN, no ACK, no FIN; the response is SYN ACK, then all ACK until FIN and FIN ACK. Is that sackOK a SYN, an ACK, ???

When the port changes, I look more to port-forwarding examples, which are more than one rule. This works if you shut down either Ethernet interface and address the other in the rule?

It works if I just have 1 public and 1 local LAN interface.

But I need to have both ISPs enabled. In my case:

eth0 - ISP1
eth1 - LAN
eth2 - ISP2

Please suggest the iptables rules and how I can do port forwarding with such a setup...

Thanks
Ashok

It seems like you should have a virtual IP or use a router box, so the path is not in your hair. You are forwarding to the IP of one path, and if it is down, I am not sure routing will get there by the other path. If both ISPs support routing to the same IPs, and those IPs are what you are port forwarding from, then the path does not matter.

Regardless, port forwarding in a two-interface world is complicated and needs 4 rules: portforwarding - Iptables: forward request on different interfaces and port - Stack Overflow

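As an added example (not code from this thread or the linked answer), here is the kind of setup DGPickett's reply points at: besides the DNAT rule, each inbound connection is marked with the ISP it arrived on, and policy routing sends the LAN server's replies back out through that same ISP instead of letting the multipath default route hash them onto the other uplink. Interface names, gateways, 123.201.254.7 and 192.168.1.200 are from the thread; the ISP2 public address 111.93.155.150, the table ids 101/102 and the mark values 1/2 are assumptions.

```shell
#!/bin/bash
# Added example, not code from the thread: dual-ISP DNAT with CONNMARK plus
# policy routing. At routing time the reply still has source 192.168.1.200
# (un-DNAT happens in POSTROUTING), so without a mark it can be hashed onto
# eth2 and leave ISP2 with ISP1's address; the client never sees a SYN-ACK.
set -eu

ISP1_IF=eth0; ISP1_GW=123.201.254.5;  ISP1_IP=123.201.254.7;  ISP1_MARK=1; ISP1_TABLE=101
ISP2_IF=eth2; ISP2_GW=111.93.155.149; ISP2_IP=111.93.155.150; ISP2_MARK=2; ISP2_TABLE=102
LAN_IF=eth1;  LAN_NET=192.168.1.0/24;  SERVER=192.168.1.200

# Execute the command, or only print it when DRY_RUN=1 (review before applying)
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# One routing table per ISP: the LAN route plus a default via that ISP only.
# fwmark rules steer marked packets into the matching table.
setup_tables() {
  for t in "$ISP1_TABLE" "$ISP2_TABLE"; do
    run ip route add "$LAN_NET" dev "$LAN_IF" table "$t"
  done
  run ip route add default via "$ISP1_GW" dev "$ISP1_IF" table "$ISP1_TABLE"
  run ip route add default via "$ISP2_GW" dev "$ISP2_IF" table "$ISP2_TABLE"
  run ip rule add fwmark "$ISP1_MARK" table "$ISP1_TABLE"
  run ip rule add fwmark "$ISP2_MARK" table "$ISP2_TABLE"
  run ip route flush cache
}

# Record per connection which ISP its first packet came in on, and copy that
# mark onto every packet the LAN sends for it, so replies use the ISP table.
# LAN-originated connections keep mark 0 and still use the multipath default.
setup_conntrack() {
  run iptables -t mangle -A PREROUTING -i "$ISP1_IF" -m conntrack --ctstate NEW -j CONNMARK --set-mark "$ISP1_MARK"
  run iptables -t mangle -A PREROUTING -i "$ISP2_IF" -m conntrack --ctstate NEW -j CONNMARK --set-mark "$ISP2_MARK"
  run iptables -t mangle -A PREROUTING -i "$LAN_IF" -j CONNMARK --restore-mark
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# DNAT on each ISP's own public address only, and a FORWARD rule that admits
# just this port to the server (keep FORWARD policy DROP for everything else).
forward_port() { # forward_port <public_port> <server_port>
  run iptables -t nat -A PREROUTING -p tcp -i "$ISP1_IF" -d "$ISP1_IP" --dport "$1" -j DNAT --to-destination "$SERVER:$2"
  run iptables -t nat -A PREROUTING -p tcp -i "$ISP2_IF" -d "$ISP2_IP" --dport "$1" -j DNAT --to-destination "$SERVER:$2"
  run iptables -A FORWARD -p tcp -d "$SERVER" --dport "$2" -m conntrack --ctstate NEW -j ACCEPT
}

# Usage: ./dualwan.sh apply   (DRY_RUN=1 ./dualwan.sh apply only prints the commands)
if [ "${1:-}" = apply ]; then
  setup_tables; setup_conntrack; forward_port 84 80
fi
```

Run it with DRY_RUN=1 first and compare the printed rules against the existing ones; the DNAT rule from the original post stays as it was, the other rules are what make it work with both uplinks active.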

Thanks DGPickett :)

It now works.

It'd be neat if iptables could configure the most popular things like firewall, NAT and port forwarding with one simple line, or a GUI. I mean, if you want b to a out, you want a to b in! There are about zero simplex applications in this world. Sometimes there is outgoing on one LAN and incoming on another!