Port forwarding for openfire?

Just installed Openfire in the DMZ. Using Spark as a client. The server is accessible when connecting to its internal IP (10.1.1.200).

Now, I need to set up port forwarding on the gateway to expose Openfire to the internet. Given that the default FORWARD policy is ALLOW, I issue

iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 5222 -j DNAT --to-destination 10.1.1.200 # eth2 is connected to the internet.

Now, specifying the external IP in Spark leads to a "Can't connect" message.

The port forwarding is set up for :80 on the same gateway and works without problems.

Where's the catch?

Thanks.

Having the default policy on FORWARD be ALLOW is a bit scary, in my opinion. When debugging iptables rules, the best thing you can do is have a LOG rule before every DROP or REJECT. In your case it looks like a REJECT, though. I assume you have a POSTROUTING rule that either does SNAT or MASQUERADE, right? Is it possible that rule is too specific?

You could also try running tcpdump on the firewall (eth2 and on whatever interface the DMZ is connected to) and see where the packets go to give you a better clue. That rule does look correct, so the problem is in one of the other rules.
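As an added example (not from either post), here is the complete rule set the reply is describing: the DNAT rule from the question, explicit FORWARD rules in place of the blanket ACCEPT policy, a LOG rule ahead of the REJECT, and the POSTROUTING MASQUERADE. The DMZ-side interface name eth1 and the DRY_RUN switch are assumptions; the script prints the commands by default and only applies them with DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Assumed layout: eth2 faces the internet (from the question), eth1 faces
# the DMZ (assumption), Openfire listens on 10.1.1.200:5222.
WAN_IF="${WAN_IF:-eth2}"
DMZ_IF="${DMZ_IF:-eth1}"
OPENFIRE_IP="${OPENFIRE_IP:-10.1.1.200}"
XMPP_PORT="${XMPP_PORT:-5222}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the iptables commands, 0 = run them

# Print or execute one iptables command, depending on DRY_RUN.
ipt() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "iptables $*"
  else
    iptables "$@"
  fi
}

# The full rule set for exposing Openfire through the gateway.
openfire_rules() {
  # 1. Rewrite the destination of inbound XMPP connections arriving on the WAN side.
  ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$XMPP_PORT" \
      -j DNAT --to-destination "$OPENFIRE_IP"
  # 2. Allow exactly that translated traffic into the DMZ, and the replies back out,
  #    instead of relying on an ACCEPT policy for the whole FORWARD chain.
  ipt -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -p tcp -d "$OPENFIRE_IP" \
      --dport "$XMPP_PORT" -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
  ipt -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" \
      -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # 3. Log everything else before rejecting it, so a refused client shows up
  #    in the kernel log with interface, source and destination.
  ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-REJECT: "
  ipt -A FORWARD -j REJECT
  # 4. Source NAT for everything leaving through the WAN interface; kept broad
  #    so it cannot be "too specific" for the DMZ host.
  ipt -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Sanity check on the emitted FORWARD chain: the LOG rule must come before REJECT.
log_precedes_reject() {
  openfire_rules | grep -- '-A FORWARD' |
    awk '/-j LOG/{l=NR} /-j REJECT/{r=NR} END{exit !(l && r && l<r)}'
}

openfire_rules
```

Run it once with the default DRY_RUN=1 to review the commands, then with DRY_RUN=0 on the gateway; rejected connection attempts then appear in `dmesg` with the `FWD-REJECT:` prefix.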