Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
02-07-2005, 09:27 PM
#1
LQ Newbie
Registered: Feb 2005
Location: Philippines
Posts: 13
Rep:
IPCHAINS port forwarding and IPTABLES port forwarding
Sir/Ma'am,
Can you help me? I'm new in security admin like this.
How do I set up port forwarding in ipchains and iptables?
source host : 192.168.1.59
server : eth0 => 192.168.1.10
eth1 => 192.168.2.1
Destination : 192.168.2.2
Thank you very much.
02-08-2005, 01:04 AM
#2
Member
Registered: Oct 2003
Location: Texas (central)
Distribution: ubuntu,Slackware,knoppix
Posts: 323
Rep:
Take the easy way out. Either of these programs will help you build the ipchains rules to make a good firewall:
webmin or
shorewall
Shorewall is very well documented and easy to implement.
02-08-2005, 01:08 AM
#3
LQ Guru
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,163
Rep:
iptables -t nat -A PREROUTING -p ${PROTOCOL} -i ${INTERFACE} -d ${LOCAL_IP_ADDR} --dport ${LOCAL_PORT} -j DNAT --to ${DESTINATION_IP_ADDR}:${DESTINATION_PORT}
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.1.10 --dport 80 -j DNAT --to 192.168.2.2:80
ipchains does not support forwarding ports; use ipmasqadm and portfw.
ipmasqadm portfw -a -P ${PROTOCOL} -L ${LOCAL_IP_ADDR} ${PORT} -R ${DESTINATION_IP_ADDR} ${PORT}
ipmasqadm portfw -a -P tcp -L 192.168.1.10 80 -R 192.168.2.2 80
02-10-2005, 07:14 PM
#4
LQ Newbie
Registered: Feb 2005
Location: Philippines
Posts: 13
Original Poster
Rep:
/usr/sbin/ipmasqadm portfw -a -P tcp -L 192.168.1.10 22 -R 192.168.2.2 8888
portfw: setsockopt failed: Invalid argument
8888 = ssh port of 192.168.2.2
02-10-2005, 07:32 PM
#5
LQ Guru
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,163
Rep:
Do you have netfilter? What kernel is this?
02-10-2005, 07:35 PM
#6
Member
Registered: Aug 2003
Location: Denver, CO
Distribution: CentOS, Debian
Posts: 825
Rep:
Quote:
iptables -t nat -A PREROUTING -p ${PROTOCOL} -i ${INTERFACE} -d ${LOCAL_IP_ADDR} --dport ${LOCAL_PORT} -j DNAT --to ${DESTINATION_IP_ADDR}:${DESTINATION_PORT}
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.1.10 --dport 80 -j DNAT --to 192.168.2.2:80
this means that if 192.168.1.10 receives a tcp packet on port 80, it will forward it to 192.168.2.2 port 80, correct?
02-10-2005, 07:40 PM
#7
LQ Newbie
Registered: Feb 2005
Location: Philippines
Posts: 13
Original Poster
Rep:
Sir,
What is netfilter?
What other config do I have to modify?
Kernel :
Linux msme3 2.4.9-e.59smp #1 SMP Mon Jan 24 10:03:54 EST 2005 i686 unknown
Thank you, thank you, thank you very much for helping me out, sir.
I'm from the Philippines, sir; by the way, I'm Edgardo.
02-10-2005, 11:25 PM
#8
LQ Guru
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,163
Rep:
Quote:
this means that if 192.168.1.10 receives a tcp packet on port 80, it will forward it to 192.168.2.2 port 80, correct?
yes, if the traffic comes in on eth0. That will forward traffic to the address given. You can also change ports or just forward the port to another port on the same ip address.
So it depends on what you want to do.
Quote:
What is netfilter?
What other config do I have to modify?
Forget about ipchains and use iptables.
What exactly do you want to do? Redirect traffic to a certain port on one ip to another or forward a port to another port? Or Both?
Last edited by DavidPhillips; 02-11-2005 at 09:56 AM .
02-10-2005, 11:51 PM
#9
LQ Guru
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,163
Rep:
Netfilter is iptables, the Linux firewall.
Here are some examples of netfilter port forwarding and some other parts of a firewall script. Please try to understand this before using it blindly. There are many documents on iptables.
#!/bin/sh
LAN1_IP_RANGE="192.168.0.0/24"
LAN1_IP="192.168.0.1/32"
LAN1_BCAST_ADRESS="192.168.0.255/32"
WLAN_IP_RANGE="192.168.1.0/24"
WLAN_IP="192.168.1.1/32"
WLAN_BCAST_ADRESS="192.168.1.255/32"
WLAN2_IP="10.1.0.0/24"
LOCALHOST_IP="127.0.0.1/32"
INET_IFACE="eth1"
LAN1_IFACE="eth0"
WLAN_IFACE="eth2"
DIALUP_IFACE="ppp+"
IPTABLES="/sbin/iptables"
INET_IFACE_IP="www.dcphillips.net"
DIALUP_IP="192.168.0.201"
GAME_HOST_IP="192.168.0.2" #firedragon
/sbin/depmod -a
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# Policy
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
# Tables
$IPTABLES -N tcp_packets
$IPTABLES -N icmp_packets
$IPTABLES -N udpincoming_packets
$IPTABLES -N nat
$IPTABLES -N wlan_packets
# IP Masquerade
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
# Forward
$IPTABLES -A FORWARD -i $LAN1_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $WLAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $DIALUP_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i lo -j ACCEPT
# Squid transparent proxy
$IPTABLES -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
$IPTABLES -A PREROUTING -t nat -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 3128
$IPTABLES -A PREROUTING -t nat -i ppp0 -p tcp --dport 80 -j REDIRECT --to-port 3128
# Input
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets
$IPTABLES -A INPUT -p ALL -i $LAN1_IFACE -d $LAN1_BCAST_ADRESS -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $WLAN_IFACE -j wlan_packets
$IPTABLES -A INPUT -p ALL -i $DIALUP_IFACE -d $LAN1_BCAST_ADRESS -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $DIALUP_IFACE -d $WLAN_BCAST_ADRESS -j ACCEPT
$IPTABLES -A INPUT -p ALL -i lo -j ACCEPT
# Output
$IPTABLES -A OUTPUT -p ALL -s $LOCALHOST_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN1_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $WLAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $WLAN2_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $DIALUP_IP -j ACCEPT
# Servers
# ssh
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j ACCEPT
# smtp
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 25 -j ACCEPT
# www
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j ACCEPT
# https
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 443 -j ACCEPT
# mail
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 465 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 993 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 995 -j ACCEPT
# wlan vpn
$IPTABLES -A wlan_packets -p UDP -s 0/0 --dport 5000 -j ACCEPT
$IPTABLES -A wlan_packets -p ALL -j DROP
# icmp
$IPTABLES -A icmp_packets -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -j DROP
# Half-Life
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 5273 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 7002 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 27015 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 27010 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 27012 -j ACCEPT
# Nascar Heat
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2001:2025 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -d 0/0 -p udp --destination-port 2001:2025 -i $INET_IFACE -j DNAT --to $GAME_HOST_IP
# Nascar 4
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 32766:32809 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -d 0/0 -p udp --destination-port 32766:32809 -i $INET_IFACE -j DNAT --to $GAME_HOST_IP
# MS Gaming Zone
# DirectX 7
$IPTABLES -t nat -A PREROUTING -p tcp -d $INET_IFACE_IP --dport 2300:2400 -j DNAT --to $GAME_HOST_IP:2300-2400
$IPTABLES -A FORWARD -p tcp -d $GAME_HOST_IP --dport 2300:2400 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p udp -d $INET_IFACE_IP --dport 2300:2400 -j DNAT --to $GAME_HOST_IP:2300-2400
$IPTABLES -A FORWARD -p udp -d $GAME_HOST_IP --dport 2300:2400 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp -d $INET_IFACE_IP --dport 47624 -j DNAT --to $GAME_HOST_IP:47624
$IPTABLES -A FORWARD -p tcp -d $GAME_HOST_IP --dport 47624 -j ACCEPT
# DirectX 8
$IPTABLES -t nat -A PREROUTING -p udp -d $INET_IFACE_IP --dport 2302:2400 -j DNAT --to $GAME_HOST_IP:2300-2400
$IPTABLES -A FORWARD -p udp -d $GAME_HOST_IP --dport 2302:2400 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p udp -d $INET_IFACE_IP --dport 6073 -j DNAT --to $GAME_HOST_IP:47624
$IPTABLES -A FORWARD -p udp -d $GAME_HOST_IP --dport 6073 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp -d $INET_IFACE_IP --dport 6667 -j DNAT --to $GAME_HOST_IP:6667
$IPTABLES -A FORWARD -p tcp -d $GAME_HOST_IP --dport 6667 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp -d $INET_IFACE_IP --dport 28800:29000 -j DNAT --to $GAME_HOST_IP:28800-29000
$IPTABLES -A FORWARD -p tcp -d $GAME_HOST_IP --dport 28800:29000 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p udp -d $INET_IFACE_IP --dport 28800:29000 -j DNAT --to $GAME_HOST_IP:28800-29000
$IPTABLES -A FORWARD -p udp -d $GAME_HOST_IP --dport 28800:29000 -j ACCEPT
# CLOSE INCOMING TCP
$IPTABLES -A tcp_packets -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 -j DROP
# CLOSE INCOMING UDP
$IPTABLES -A udpincoming_packets -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -j DROP
# CLOSE FORWARD
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "
$IPTABLES -A FORWARD -j DROP
# LOG OTHER INPUT
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
02-11-2005, 12:40 AM
#10
LQ Newbie
Registered: Feb 2005
Location: Philippines
Posts: 13
Original Poster
Rep:
Sir,
I want a port forwarding.
If 192.168.1.10 receives traffic on port 22, it will be forwarded to 192.168.2.2 port 22.
How do I do that?
Thank you.
02-11-2005, 05:32 AM
#11
LQ Guru
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,163
Rep:
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.10 --dport 22 -j DNAT --to 192.168.2.2:22
02-11-2005, 05:48 AM
#12
LQ Newbie
Registered: Feb 2005
Location: Philippines
Posts: 13
Original Poster
Rep:
It works, sir.
Sir, can you explain to me one by one the following:
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.2 --dport 22 -j DNAT --to 192.168.2.2:22
Sir, can I limit this by source address? For example, I'd like to NAT only from 192.168.1.1.
Sir, sorry if I'm so very demanding; I'd like to learn iptables. Sir, do you have sites for iptables tutorials ('basic' first)?
Sir,
Thank you 100x times. Thank you, thank you.
I hope you'll teach me a lot.
Sir,
How can I pay back your kindness?
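The two things asked for in the post above, a rule-by-rule explanation and a forward restricted to one client address, as an added example that is not code from the thread or from any poster. It uses the thread's addresses (server eth0 192.168.1.10, client 192.168.1.1, target 192.168.2.2:22); the function names are my own. Without APPLY=1 it only prints the commands so they can be reviewed before anything touches the live firewall.

```shell
#!/bin/sh
# Added example, not code from the thread: emit (or, with APPLY=1 as root,
# execute) the iptables rules for a port forward that only one client
# address may use. Addresses are the thread's scenario; the helper names
# are assumptions of this example.
IPTABLES="${IPTABLES:-/sbin/iptables}"

# portfw_rules SRC IN_IFACE LOCAL_IP LOCAL_PORT DEST_IP DEST_PORT
# Prints one iptables command per line; nothing is executed here.
portfw_rules() {
    src="$1"; iface="$2"; local_ip="$3"; lport="$4"; dest_ip="$5"; dport="$6"

    # -t nat -A PREROUTING     : rewrite the destination before the routing decision
    # -i / -s                  : only packets arriving on this interface from this client
    # -p tcp -d ... --dport    : the address:port the client actually connects to
    # -j DNAT --to-destination : the real host:port behind the firewall
    echo "$IPTABLES -t nat -A PREROUTING -i $iface -s $src -p tcp -d $local_ip --dport $lport -j DNAT --to-destination $dest_ip:$dport"

    # After DNAT the packet is routed through filter/FORWARD with its new
    # destination. If FORWARD ends in DROP (as the firewall script posted
    # earlier in the thread does) the forwarded connection must be allowed.
    echo "$IPTABLES -A FORWARD -i $iface -s $src -p tcp -d $dest_ip --dport $dport -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"

    # Replies from the target back to the client; in FORWARD they still carry
    # the target's own address, since the reverse translation happens later.
    echo "$IPTABLES -A FORWARD -p tcp -s $dest_ip --sport $dport -d $src -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# apply_rules: enable routing between the two interfaces, then run the rules.
apply_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    portfw_rules "$@" | while IFS= read -r cmd; do
        sh -c "$cmd"
    done
}

if [ "${APPLY:-0}" = "1" ]; then
    apply_rules 192.168.1.1 eth0 192.168.1.10 22 192.168.2.2 22
else
    portfw_rules 192.168.1.1 eth0 192.168.1.10 22 192.168.2.2 22
fi
```

The -s match on the PREROUTING rule is what limits the forward to one client; any other host connecting to 192.168.1.10:22 never hits the DNAT and instead reaches the server's own sshd (or the INPUT chain's decision), so check the INPUT policy as well when the intent is that only the forwarded path exists.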
02-11-2005, 07:10 AM
#13
LQ Newbie
Registered: Feb 2005
Location: Philippines
Posts: 13
Original Poster
Rep:
How do I set this up permanently, sir?
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.2 --dport 22 -j DNAT --to 192.168.2.2:221
Ex. How do I insert this in /etc/sysconfig/iptables configuration?
Thank you.
02-11-2005, 09:54 AM
#14
LQ Guru
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,163
Rep:
Once you issue the command and any others you want, you can save the current iptables setup like this.
Two ways with RedHat systems:
iptables-save > /etc/sysconfig/iptables
or this:
service iptables save
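A check to run after saving, as an added example that is not code from the thread: it reads a file in iptables-save format (the format service iptables save writes to /etc/sysconfig/iptables on RedHat) and confirms the DNAT rule is really in the saved nat table, and it also checks that IP forwarding is persisted in /etc/sysctl.conf, because iptables-save records rules only and the echo 1 > /proc/sys/net/ipv4/ip_forward from a script is lost at reboot. The two sample files below are constructed for the example; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a saved ruleset in
# iptables-save format for a DNAT forward and check that IP forwarding is
# persisted too. Sample files are constructed, not read from any real host.

# dnat_rule_present FILE DEST_IP DEST_PORT
# Exit status 0 if a PREROUTING DNAT rule to DEST_IP:DEST_PORT is listed in
# the *nat section of FILE; rules under other tables are ignored.
dnat_rule_present() {
    awk -v want="$2:$3" '
        /^\*/ { table = substr($0, 2) }        # "*nat", "*filter", ...
        table == "nat" && /^-A PREROUTING / && /-j DNAT/ {
            for (i = 1; i < NF; i++)
                if (($i == "--to" || $i == "--to-destination") && $(i + 1) == want)
                    found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# forward_persisted SYSCTL_CONF
# Exit status 0 if net.ipv4.ip_forward = 1 is set in the file (on RedHat,
# /etc/sysctl.conf is applied at boot; /proc settings do not survive a reboot).
forward_persisted() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# --- constructed stand-ins for /etc/sysconfig/iptables and /etc/sysctl.conf
SAVED_RULES=$(mktemp)
SYSCTL_CONF=$(mktemp)
trap 'rm -f "$SAVED_RULES" "$SYSCTL_CONF"' EXIT

cat > "$SAVED_RULES" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 192.168.1.10 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.2.2:22
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
printf '# constructed: forwarding left at the kernel default\nnet.ipv4.ip_forward = 0\n' > "$SYSCTL_CONF"

# audit_persistence RULES_FILE SYSCTL_FILE DEST_IP DEST_PORT
# Prints one finding per line; exit status is the number of problems found.
audit_persistence() {
    problems=0
    if dnat_rule_present "$1" "$3" "$4"; then
        echo "ok: DNAT to $3:$4 is in the saved nat table"
    else
        echo "missing: no saved DNAT rule to $3:$4 (run 'service iptables save' after adding it)"
        problems=$((problems + 1))
    fi
    if forward_persisted "$2"; then
        echo "ok: net.ipv4.ip_forward = 1 is persisted"
    else
        echo "missing: net.ipv4.ip_forward = 1 not in $2; the forward stops working after a reboot"
        problems=$((problems + 1))
    fi
    return $problems
}

audit_persistence "$SAVED_RULES" "$SYSCTL_CONF" 192.168.2.2 22
```

Run as-is it reports the DNAT rule present and forwarding not persisted, which is exactly the state a box is in after service iptables save alone; pointing the two arguments at the real /etc/sysconfig/iptables and /etc/sysctl.conf turns it into a quick post-change check.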
02-11-2005, 10:01 AM
#15
LQ Guru
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,163
Rep:
If you don't have RedHat let us know what you have
Last edited by DavidPhillips; 02-11-2005 at 10:04 AM .