Old 07-22-2016, 06:52 AM   #1
asteway
LQ Newbie
 
Registered: Jun 2012
Posts: 16

IPTABLES port forwarding not working


I have the following interfaces configured on my gateway running iptables:

eth0 - 6.7.8.9 (public ip)
eth1 - 10.0.10.1 (Internal LAN)

I want to host a web server on 10.0.10.6 from my internal LAN to be accessible from outside my LAN (the internet) via port 80.

I am assuming I need to forward port 80 on my gateway to port 80 in my internal web server. (please correct me if I am wrong or if I have any other option).

I run the following commands on my gateway to forward and NAT both incoming and outgoing traffic to my web server but I still can't reach my web server from outside.

Code:
# filter: let new and already-tracked connections from eth0 through to the web server on port 80
iptables -A FORWARD -i eth0 -o eth1 -m state -p tcp -d 10.0.10.6 --dport 80 --state NEW,ESTABLISHED,RELATED -j ACCEPT

# nat: rewrite the destination of inbound port-80 traffic arriving on eth0 to the web server
iptables -t nat -p tcp -A PREROUTING -i eth0 --dport 80 -j DNAT --to-destination 10.0.10.6
# nat: rewrite the source of the web server's own outbound port-80 traffic on eth0 to the public IP
iptables -t nat -p tcp -o eth0 -A POSTROUTING -s 10.0.10.6 --dport 80 -j SNAT --to-source 6.7.8.9
FYI: I already have ip_forward enabled.
I have no other iptables rules on my gateway.

Thanks for your help

Last edited by asteway; 07-22-2016 at 03:06 PM.
 
Old 07-22-2016, 07:09 AM   #2
aragorn2101
Member
 
Registered: Dec 2012
Location: Mauritius
Distribution: Slackware
Posts: 567

Hi,

What distro is this, please?
 
Old 07-22-2016, 08:28 AM   #3
asteway
LQ Newbie
 
Registered: Jun 2012
Posts: 16

Original Poster
Thanks for the reply.
It is CentOS 6.
 
Old 07-22-2016, 01:04 PM   #4
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

You should have more rules, or at least set up the default profile to drop, for safety reasons.
If your external IP is a DHCP address you should use MASQUERADE on the outbound rule.
You should stick to one format for your rules, for example:

Code:
# filter: accept replies to tracked connections, then new connections from eth0 to port 80
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -m tcp -i eth0 --dport 80 -m conntrack --ctstate NEW -j ACCEPT

# nat: send inbound port-80 traffic arriving on eth0 to the web server
iptables -t nat -A PREROUTING -p tcp -m tcp -i eth0 --dport 80 -j DNAT --to-destination 10.0.10.6

# nat: rewrite the source of TCP traffic leaving eth0 to the public IP
iptables -t nat -A POSTROUTING -p tcp -m tcp -o eth0 -j SNAT --to-source <External IP Address>
My reason for more rules, or for defaulting to drop, is that you are open: if this box has any ports open, they are also open to the internet.

As a rule set I would suggest the following:
Code:
# default policies: drop whatever no rule accepts
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# nat: inbound port 80 on eth0 goes to the web server
iptables -t nat -A PREROUTING -p tcp -m tcp -i eth0 --dport 80 -j DNAT --to-destination 10.0.10.6

# nat: masquerade everything leaving eth0 (no fixed public IP needed)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# the gateway itself: loopback and replies only
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited

# forwarded traffic: replies, anything new from the LAN, new port-80 connections from eth0
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -p tcp -m tcp -i eth0 --dport 80 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited

# outbound from the gateway itself (optional, see below)
iptables -A OUTPUT -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
Mind you, the last OUTPUT rule is not really required, but it comes in handy when you are checking your connections, as it will list all your outbound connections in the db. The above allows everything out no matter where it is coming from on the inside, and only allows new connections from the internet to your web server. This is very useful for when you do updates, so that the server can request the updates from the repos while blocking all new connections from the internet.

Last edited by lazydog; 07-22-2016 at 01:08 PM.
 
Old 07-25-2016, 08:32 AM   #5
asteway
LQ Newbie
 
Registered: Jun 2012
Posts: 16

Original Poster
Thanks for the comments,

I have applied your rules. But I still can't see my web site from the internet.

I guess the

Code:
iptables -t nat -A PREROUTING -p tcp -m tcp -i eth0 --dport 80 -j DNAT --to-destination 10.0.10.6
rule isn't working for some reason.


My rules look like this at the moment.

Code:
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            ctstate RELATED,ESTABLISHED 
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            ctstate RELATED,ESTABLISHED 
ACCEPT     all  --  anywhere             anywhere            ctstate NEW 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http ctstate NEW 
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            ctstate NEW,RELATED,ESTABLISHED
 
Old 07-25-2016, 08:44 AM   #6
smallpond
Senior Member
 
Registered: Feb 2011
Location: Massachusetts, USA
Distribution: Fedora
Posts: 4,140

Each rule has a counter which you can print with iptables -vL. This is helpful to see where your packets are going.
 
Old 07-25-2016, 10:35 AM   #7
asteway
LQ Newbie
 
Registered: Jun 2012
Posts: 16

Original Poster
Noted!

iptables -vL

Code:
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere            
   43  9205 ACCEPT     all  --  any    any     anywhere             anywhere            ctstate RELATED,ESTABLISHED 
    1   328 ACCEPT     udp  --  eth1   any     anywhere             anywhere            udp spts:bootps:bootpc dpts:bootps:bootpc 
   17  1188 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:domain 
    1    52 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:domain 
  180 27964 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited 
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:http 

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 6479 3665K ACCEPT     all  --  any    any     anywhere             anywhere            ctstate RELATED,ESTABLISHED 
 1311  152K ACCEPT     all  --  eth1   any     anywhere             anywhere            ctstate NEW 
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:http ctstate NEW 
   20   860 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT 58 packets, 4366 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  180 33653 ACCEPT     all  --  any    any     anywhere             anywhere            ctstate NEW,RELATED,ESTABLISHED

Last edited by asteway; 07-25-2016 at 10:41 AM.
 
Old 07-25-2016, 09:08 PM   #8
smallpond
Senior Member
 
Registered: Feb 2011
Location: Massachusetts, USA
Distribution: Fedora
Posts: 4,140

Nothing makes it to the last rule in your INPUT chain because it is after the reject-all rule.
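Both checks in working form, as an added example that is not from the thread: a POSIX shell script that parses `iptables -vnL` output, flags rules appended below a catch-all REJECT/DROP (the problem smallpond points out in post #8) and sums the packet counters of the port-80 rules (the check from post #6). The SAMPLE listing is constructed, modelled on post #7.

```shell
#!/bin/sh
# Added example, not from the thread: parse `iptables -vnL` output to
# (1) flag rules sitting below a catch-all REJECT/DROP, the mistake in post #8, and
# (2) sum the packet counters of rules matching a port, the check from post #6.
# SAMPLE is a constructed listing modelled on post #7; pipe real output instead.
SAMPLE='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   43  9205 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
  180 27964 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 6479 3665K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 ctstate NEW
   20   860 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited'

# Print "CHAIN rule N (TARGET) is unreachable" for every rule placed after an
# unconditional REJECT/DROP in the same chain (works with -n and without).
unreachable_rules() {
    awk '
    function anyif(x)   { return x == "*" || x == "any" }
    function anyaddr(x) { return x == "0.0.0.0/0" || x == "anywhere" }
    /^Chain /  { chain = $2; n = 0; dead = 0; next }
    /^ *pkts/  { next }                          # column header
    NF == 0    { next }                          # blank line between chains
    {
        n++
        if (dead) { print chain " rule " n " (" $3 ") is unreachable"; next }
        # catch-all: terminal target, any proto/iface/address, no extra match
        if (($3 == "DROP" || $3 == "REJECT") && $4 == "all" &&
            anyif($6) && anyif($7) && anyaddr($8) && anyaddr($9) &&
            (NF == 9 || $10 == "reject-with"))
            dead = 1
    }'
}

# Sum the pkts column of rules in chain $1 whose match mentions "dpt:$2" (needs -n).
# Use `iptables -vnxL` on a live box so large counters are not abbreviated.
port_hits() {
    awk -v want="$1" -v port="$2" '
    /^Chain /                                   { chain = $2; next }
    chain == want && $0 ~ ("dpt:" port "( |$)") { sum += $1 }
    END                                         { print sum + 0 }'
}

printf '%s\n' "$SAMPLE" | unreachable_rules     # INPUT rule 4 (ACCEPT) is unreachable
printf '%s\n' "$SAMPLE" | port_hits FORWARD 80  # 0
```

A zero counter on the eth0 port-80 FORWARD rule, as in post #7, means no such packet got as far as the filter table; the nat PREROUTING counters (`iptables -t nat -vnL`) and anything upstream of the gateway are the next places to look.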
 
Old 07-26-2016, 10:13 AM   #9
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

How did your rules change so much from post #5 to post #7? Or are they from 2 different systems?
 
Old 07-26-2016, 11:10 AM   #10
asteway
LQ Newbie
 
Registered: Jun 2012
Posts: 16

Original Poster
I just added a few more rules to open ports for DNS and DHCP internally. That should have no effect on the NAT and FORWARD rules whatsoever. Different tables 😜
 
Old 07-26-2016, 11:26 AM   #11
asteway
LQ Newbie
 
Registered: Jun 2012
Posts: 16

Original Poster
Quote:
Originally Posted by smallpond View Post
Nothing makes it to the last rule in your INPUT chain because it is after the reject-all rule.
Noted! It's now corrected.
 
Old 07-26-2016, 12:48 PM   #12
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Quote:
Originally Posted by asteway View Post
Noted! It's now corrected.
Is it now working?
 
Old 07-26-2016, 01:18 PM   #13
asteway
LQ Newbie
 
Registered: Jun 2012
Posts: 16

Original Poster
Not yet. I have now noticed telnet works for some ports from outside and doesn't work for others, including port 80, telling me there's a firewall on the EPON that connects to the ISP that is blocking some incoming traffic and is turned on by default. I am looking to get support from my ISP in the next few days.

Last edited by asteway; 07-26-2016 at 02:05 PM.
 
Old 08-19-2016, 08:36 AM   #14
asteway
LQ Newbie
 
Registered: Jun 2012
Posts: 16

Original Poster
This is now working. The problem was as I suspected.
Thanks to all who have contributed.
 
  

