iptables nat routing problem

[bonito]

I posted a thread earlier on last week, now I have learned some more and because of it have more information at my disposal and I know what the problem is, but I still need help in fixing it.

Situation: I have pcanywhere running on a lan and want to connect to it over the net through my linux machine. I have successfully done this without a problem with mandrake linux using a shell script. However I have tried another linux distro (Gentoo) on another box with a similar setup, running the same shell script for the iptable rules and with a kernel custom built with all netfilter options enabled. However, when I try to connect through this machine, it will not connect. I then generated log entries and checked both the logs of the working machine vs the non working machine and am given the following information:

working machine:

Jun 25 11:18:58 blitzware kernel: IN=eth0 OUT= MAC=00:50:ba:d4:88:94:00:04:27:ef:28:2d:08:00 SRC=xx.xx.xx.xx DST=yy.yy.yy.yy LEN=30 TOS=0x
00 PREC=0x00 TTL=53 ID=40962 PROTO=UDP SPT=20097 DPT=5632 LEN=10

Jun 25 11:18:58 blitzware kernel: IN=eth0 OUT= MAC=00:50:ba:d4:88:94:00:04:27:ef:28:2d:08:00 SRC=xx.xx.xx.xx DST=yy.yy.yy.yy LEN=52 TOS=0x
00 PREC=0x00 TTL=53 ID=41474 DF PROTO=TCP SPT=20098 DPT=5631 WINDOW=60352 RES=0x00 SYN URGP=0

non-working machine:

Jun 25 09:38:56 mymachine kernel: IN=eth0 OUT= MAC=00:50:ba:23:bb:7d:00:04:27:ef:28:2d:08:00 SRC=xx.xx.xx.xx
DST=yy.yy.yy.yy LEN=30 TOS=0x00 PREC=0x00 TTL=53 ID=24066 PROTO=UDP SPT=19907 DPT=5632 LEN=10

As you can see, for the working machine there are both tcp and udp entries from iptables, but in the non working machine there is no tcp entry. Can anyone help me understand why there isnt, and what I can do to ensure there will be a tcp entry and that tcp will work?

The script I use is simple, as follows:

#!/bin/sh
iptables -F
iptables -t nat -F
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp --dport 5631 -i eth0 -j LOG --log-level info
iptables -t nat -A PREROUTING -p tcp --dport 5632 -i eth0 -j LOG --log-level info
iptables -t nat -A PREROUTING -p udp --dport 5631 -i eth0 -j LOG --log-level info
iptables -t nat -A PREROUTING -p udp --dport 5632 -i eth0 -j LOG --log-level info
iptables -t nat -A PREROUTING -p tcp --dport 5631 -i eth0 -j DNAT --to 192.168.1.1:5631
iptables -t nat -A PREROUTING -p tcp --dport 5632 -i eth0 -j DNAT --to 192.168.1.1:5632
iptables -t nat -A PREROUTING -p udp --dport 5631 -i eth0 -j DNAT --to 192.168.1.1:5631
iptables -t nat -A PREROUTING -p udp --dport 5632 -i eth0 -j DNAT --to 192.168.1.1:5632

If anyone can help I would appreciate it.

Jeff

[delta407]

pcAnywhere, as I recall, uses UDP to check the status of the listener and upon confirmation establishes a TCP connection inbound. What this sounds like to me is that the pcAnywhere host isn't receiving or responding to the UDP packet -- make sure that the NAT-ing host can talk to your pcAnywhere box and that pcAnywhere is running.

[Nitro]

Let me see if I understand. Is the non-working machine the result of Gentoo as the NAT router, and the working the result of MDK as the router?

If so, could you provide the output of lsmod on the MDK router, and then the lsmod of Gentoo, and information regarding what modules are compile in to your kernel if you compiled them in.
_________________
- Kyle Manna

Please, please SEARCH before posting.

There are three kinds of people in the world: those who can count, and those who can't.