Hi everyone,
I've been searching and tinkering for a while to find a solution to my problem, but without any result.

I'll get straight to the point:
external IP on eth0 222.222.222.222 (example IP)
LAN IP 192.168.102.128

Code:
# Generated by iptables-save v1.3.6 on Thu Nov 27 13:53:50 2008
*raw
:PREROUTING ACCEPT [208555:49907319]
:OUTPUT ACCEPT [211229:47993044]
COMMIT
# Completed on Thu Nov 27 13:53:50 2008
# Generated by iptables-save v1.3.6 on Thu Nov 27 13:53:50 2008
*nat
:PREROUTING ACCEPT [1323:141155]
:POSTROUTING ACCEPT [206:13055]
:OUTPUT ACCEPT [267:18375]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 192.168.102.128:5900 
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8107 -j DNAT --to-destination 192.168.102.128:80 
-A POSTROUTING -o eth0 -j SNAT --to-source 222.222.222.222 
COMMIT
# Completed on Thu Nov 27 13:53:50 2008
# Generated by iptables-save v1.3.6 on Thu Nov 27 13:53:50 2008
*mangle
:PREROUTING ACCEPT [208555:49907319]
:INPUT ACCEPT [207662:49808187]
:FORWARD ACCEPT [24:1228]
:OUTPUT ACCEPT [211229:47993044]
:POSTROUTING ACCEPT [211251:47993820]
COMMIT
# Completed on Thu Nov 27 13:53:50 2008
# Generated by iptables-save v1.3.6 on Thu Nov 27 13:53:50 2008
*filter
:INPUT DROP [190:29771]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [2:452]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -d 222.222.222.222 -p tcp -m tcp --dport 7432 -j ACCEPT 
-A INPUT -d 222.222.222.222 -p tcp -m tcp --dport 7431 -j ACCEPT 
-A INPUT -d 222.222.222.222 -p tcp -m tcp --dport 80 -j ACCEPT 
-A FORWARD -d 192.168.102.128 -i eth0 -p tcp -m tcp --dport 5900 -j ACCEPT 
-A FORWARD -d 192.168.102.128 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT 
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -o lo -j ACCEPT 
COMMIT
# Completed on Thu Nov 27 13:53:50 2008
In practice, I cannot reach the services on the LAN from the outside in any way.
If I remove all the rules and leave only this, everything works:
Code:
# Generated by iptables-save v1.3.6 on Thu Nov 27 13:53:50 2008
*nat
:PREROUTING ACCEPT [1323:141155]
:POSTROUTING ACCEPT [206:13055]
:OUTPUT ACCEPT [267:18375]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 192.168.102.128:5900 
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8107 -j DNAT --to-destination 192.168.102.128:80 
-A POSTROUTING -o eth0 -j SNAT --to-source 222.222.222.222 
COMMIT
# Completed on Thu Nov 27 13:53:50 2008
Please help me