
Thread: IPtables port forwarding

  1. #11
    Join Date
    Nov 2007
    Location
    Newry, Northern Ireland
    Beans
    1,258

    Re: IPtables port forwarding

    No problem, glad it worked for you!
    Can't think of anything profound or witty.
    My Blog: http://gonzothegeek.blogspot.co.uk/

  2. #12
    Join Date
    Oct 2009
    Beans
    2,199
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: IPtables port forwarding

    Erm...you say you are using VPN for this but you are DNAT'ing eth1 rather than tap0.
    I notice eth1 does not have an IP - did you include it in the bridge?
    ASRock P67 Extreme6, Intel i5 2500K, 8GB RAM, nVidia 6600GT, 4x1TB RAID1+0

  3. #13
    Join Date
    Nov 2007
    Location
    Newry, Northern Ireland
    Beans
    1,258

    Re: IPtables port forwarding

    Quote: Originally posted by YesWeCan
    Erm...you say you are using VPN for this but you are DNAT'ing eth1 rather than tap0.
    I notice eth1 does not have an IP - did you include it in the bridge?
    The eth1 IP was obfuscated as it was his public IP. The issue appeared to be a return forwarding issue from his br0 adapter to his eth1 (public) interface.

    eth0 and tap0 are the bridged connections, so don't have IPs of their own but rather are bridged, and the br0 interface has the IP, which both constituent adaptors can listen and reply on.
    Can't think of anything profound or witty.
    My Blog: http://gonzothegeek.blogspot.co.uk/

  4. #14
    Join Date
    Oct 2009
    Beans
    2,199
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: IPtables port forwarding

    Good thing you understand it
    ASRock P67 Extreme6, Intel i5 2500K, 8GB RAM, nVidia 6600GT, 4x1TB RAID1+0

  5. #15
    Join Date
    Oct 2007
    Location
    Portugal
    Beans
    277

    Re: IPtables port forwarding

    Quote: Originally posted by spynappels
    The eth1 IP was obfuscated as it was his public IP. The issue appeared to be a return forwarding issue from his br0 adapter to his eth1 (public) interface.

    eth0 and tap0 are the bridged connections, so don't have IPs of their own but rather are bridged, and the br0 interface has the IP, which both constituent adaptors can listen and reply on.
    Exactly.
    Also I have just tested with battle.net and it's working 100%.
    Thank you once again.

  6. #16
    Join Date
    Nov 2007
    Location
    Newry, Northern Ireland
    Beans
    1,258

    Re: IPtables port forwarding

    No problem, thanks for the +1 for membership.
    Can't think of anything profound or witty.
    My Blog: http://gonzothegeek.blogspot.co.uk/

  7. #17
    Join Date
    Oct 2007
    Location
    Portugal
    Beans
    277

    Re: IPtables port forwarding

    Sorry to resurrect such an old post, but at a user's request, I am posting the final configuration file for my server:
    Code:
    # Generated by iptables-save v1.4.4 on Thu Nov 11 22:39:57 2010
    *filter
    :INPUT ACCEPT [1249:77284]
    :FORWARD ACCEPT [781:46215]
    :OUTPUT ACCEPT [1054535:59194653]
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
    -A INPUT -i eth0 -j ACCEPT 
    -A INPUT -i eth1 -p tcp -m tcp --dport 1194 -j ACCEPT
    -A INPUT -i eth1 -p tcp -m tcp --dport 6112 -j ACCEPT
    -A INPUT -i eth1 -p udp -m udp --dport 6112 -j ACCEPT
    -A INPUT -i eth1 -j DROP 
    -A INPUT -i tap0 -j ACCEPT 
    -A INPUT -i br0 -j ACCEPT
    -A FORWARD -i eth1 -p tcp --dport 6112 -j ACCEPT
    -A FORWARD -i eth1 -p udp --dport 6112 -j ACCEPT
    -A FORWARD -s 192.168.2.0/24 -i eth1 -o br0 -m conntrack --ctstate NEW -j ACCEPT 
    -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
    -A FORWARD -i br0 -j ACCEPT 
    -A FORWARD -i br0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT 
    COMMIT
    # Completed on Thu Nov 11 22:39:57 2010
    # Generated by iptables-save v1.4.4 on Thu Nov 11 22:39:57 2010
    *nat
    :PREROUTING ACCEPT [3627:1141810]
    :POSTROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [1044:69692]
    -A PREROUTING -i eth1 -p tcp --dport 6112 -j DNAT --to-destination 192.168.2.5:6112
    -A PREROUTING -i eth1 -p udp --dport 6112 -j DNAT --to-destination 192.168.2.5:6112
    -A POSTROUTING -j MASQUERADE
    COMMIT
    # Completed on Thu Nov 11 22:39:57 2010
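
An added example, not part of the original thread or any poster's code: a small Python audit of an `iptables-save` dump that flags three things visible in the ruleset posted in #17, namely a FORWARD chain whose policy and rules are all ACCEPT, a rule shadowed by an earlier broader one, and a MASQUERADE rule with no `-o` interface. The names `parse`, `audit` and the trimmed `SAMPLE` are constructed for illustration.

```python
import shlex

# Constructed sample: a trimmed copy of the ruleset in post #17, counters zeroed.
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -i eth1 -j DROP
-A FORWARD -i eth1 -p tcp --dport 6112 -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -i br0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
-A PREROUTING -i eth1 -p tcp --dport 6112 -j DNAT --to-destination 192.168.2.5:6112
-A POSTROUTING -j MASQUERADE
COMMIT
"""

def parse(dump):
    """Return {table: {"policy": {chain: target}, "rules": [(chain, matches, target)]}}."""
    tables, cur = {}, None
    for line in map(str.strip, dump.splitlines()):
        if line.startswith("*"):
            cur = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line.startswith(":") and cur is not None:
            chain, target = line[1:].split()[:2]
            cur["policy"][chain] = target
        elif line.startswith("-A ") and cur is not None and " -j " in line:
            tok = shlex.split(line)
            j = tok.index("-j")
            # Assumption: each match option takes exactly one argument, no "!" negation.
            cur["rules"].append((tok[1], set(zip(tok[2:j:2], tok[3:j:2])), tok[j + 1]))
    return tables

def audit(dump):
    """Return (table/chain, message) findings for rules like those in the thread."""
    t, out = parse(dump), []
    flt = t.get("filter", {"policy": {}, "rules": []})
    for chain, policy in flt["policy"].items():
        rules = [(m, tgt) for c, m, tgt in flt["rules"] if c == chain]
        if policy == "ACCEPT" and rules and all(tgt == "ACCEPT" for _, tgt in rules):
            out.append((f"filter/{chain}", "policy ACCEPT with only ACCEPT rules filters nothing"))
        for i, (m, _) in enumerate(rules):
            if any(pm <= m and pt in ("ACCEPT", "DROP", "REJECT") for pm, pt in rules[:i]):
                out.append((f"filter/{chain}", f"rule {i + 1} is shadowed by an earlier rule"))
    for chain, m, tgt in t.get("nat", {"rules": []})["rules"]:
        if tgt == "MASQUERADE" and "-o" not in dict(m):
            out.append((f"nat/{chain}", "MASQUERADE without -o also rewrites inbound forwarded sources"))
    return out
```

Calling `audit(SAMPLE)` returns three findings; a dump with a DROP policy on FORWARD, the shadowed rule removed and `-o eth1` on the MASQUERADE rule returns none.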
