LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
Search this Thread
Old 02-07-2005, 09:27 PM   #1
ediestajr
LQ Newbie
 
Registered: Feb 2005
Location: Philippines
Posts: 13

Rep: Reputation: 0
IPCHAINS port forwarding and IPTABLES port forwarding


Sir/Ma'am,
Can u help me, I'm new in security admin. like this,
How do I setup port forwarding in ipchains and iptables.


source host : 192.168.1.59

server : eth0 => 192.168.1.10
eth1 => 192.168.2.1

Destination : 192.168.2.2

Thank you very much.
 
Old 02-08-2005, 01:04 AM   #2
Jerre Cope
Member
 
Registered: Oct 2003
Location: Texas (central)
Distribution: ubuntu,Slackware,knoppix
Posts: 323

Rep: Reputation: 37
Take the easy way out. Either of these programs will help you build the ipchanges rules to make a good firewall

webmin or


shorewall

Shorewall is very well documented and easy to implement.
 
Old 02-08-2005, 01:08 AM   #3
DavidPhillips
Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,154

Rep: Reputation: 56
iptables -t nat -A PREROUTING -p ${PROTOCOL} -i ${INTERFACE} -d ${LOCAL_IP_ADDR} --dport ${LOCAL_PORT} -j DNAT --to ${DESTINATION_IP_ADDR}:{DESTINATION_PORT}

iptables -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.1.10 --dport 80 -j DNAT --to 192.168.2.2:80


ipchains does not support forwarding ports, use ipmasqadm and portfw

ipmasqadm portfw -a -P ${PROTOCOL} -L ${LOCAL_IP_ADDR} ${PORT} -R ${DESTINATION_IP_ADDR} {PORT}

ipmasqadm portfw -a -P tcp -L 192.168.1.10 80 -R 192.168.2.2 80
 
Old 02-10-2005, 07:14 PM   #4
ediestajr
LQ Newbie
 
Registered: Feb 2005
Location: Philippines
Posts: 13

Original Poster
Rep: Reputation: 0
/usr/sbin/ipmasqadm portfw -a -P tcp -L 192.168.1.10 22 -R 192.168.2.2 8888
portfw: setsockopt failed: Invalid argument


8888 = ssh port of 192.168.2.2
 
Old 02-10-2005, 07:32 PM   #5
DavidPhillips
Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,154

Rep: Reputation: 56
Do you have net filter? what kernel is this?
 
Old 02-10-2005, 07:35 PM   #6
mcd
Member
 
Registered: Aug 2003
Location: Boulder, CO
Distribution: Slackware, RHEL, CentOS
Posts: 825

Rep: Reputation: 33
Quote:
iptables -t nat -A PREROUTING -p ${PROTOCOL} -i ${INTERFACE} -d ${LOCAL_IP_ADDR} --dport ${LOCAL_PORT} -j DNAT --to ${DESTINATION_IP_ADDR}:{DESTINATION_PORT}

iptables -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.1.10 --dport 80 -j DNAT --to 192.168.2.2:80

this means that if 192.168.1.10 receives a tcp packet on port 80, it will forward it to 192.168.2.2 port 80, correct?
 
Old 02-10-2005, 07:40 PM   #7
ediestajr
LQ Newbie
 
Registered: Feb 2005
Location: Philippines
Posts: 13

Original Poster
Rep: Reputation: 0
Sir,
What is netfilter?
What other config do I have to modify?



Kernel :
Linux msme3 2.4.9-e.59smp #1 SMP Mon Jan 24 10:03:54 EST 2005 i686 unknown



Thank you thank you thank you very much for helping me out sir.

I'm from philippines sir, by the way I'm edgardo.
 
Old 02-10-2005, 11:25 PM   #8
DavidPhillips
Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,154

Rep: Reputation: 56
Quote:
this means that if 192.168.1.10 receives a tcp packet on port 80, it will forward it to 192.168.2.2 port 80, correct?
yes, if the traffic comes in on eth0. That will forward traffic to the address given. You can also change ports or just forward the port to another port on the same ip address.
So it depends on what you want to do.


Quote:
What is netfilter?
What other config do I have to modify?

Forget about ipchains and use iptables.

What exactly do you want to do? Redirect traffic to a certain port on one ip to another or forward a port to another port? Or Both?

Last edited by DavidPhillips; 02-11-2005 at 09:56 AM.
 
Old 02-10-2005, 11:51 PM   #9
DavidPhillips
Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,154

Rep: Reputation: 56
Netfilter is iptables. Linux firewall

Here are some examples of netfilter port forwarding and some other parts of a firewall script. Please try to understand this before using it blindly. There are many documents on iptables.




#!/bin/sh
LAN1_IP_RANGE="192.168.0.0/24"
LAN1_IP="192.168.0.1/32"
LAN1_BCAST_ADRESS="192.168.0.255/32"

WLAN_IP_RANGE="192.168.1.0/24"
WLAN_IP="192.168.1.1/32"
WLAN_BCAST_ADRESS="192.168.1.255/32"
WLAN2_IP="10.1.0.0/24"
LOCALHOST_IP="127.0.0.1/32"

INET_IFACE="eth1"

LAN1_IFACE="eth0"
WLAN_IFACE="eth2"
DIALUP_IFACE="ppp+"

IPTABLES="/sbin/iptables"

INET_IFACE_IP="www.dcphillips.net"
DIALUP_IP="192.168.0.201"
GAME_HOST_IP="192.168.0.2" #firedragon

/sbin/depmod -a

/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE

echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr


# Policy
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

# Tables
$IPTABLES -N tcp_packets
$IPTABLES -N icmp_packets
$IPTABLES -N udpincoming_packets
$IPTABLES -N nat
$IPTABLES -N wlan_packets

# IP Masquerade
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE


# Forward
$IPTABLES -A FORWARD -i $LAN1_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $WLAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $DIALUP_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i lo -j ACCEPT


# Squid transparent proxy
$IPTABLES -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
$IPTABLES -A PREROUTING -t nat -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 3128
$IPTABLES -A PREROUTING -t nat -i ppp0 -p tcp --dport 80 -j REDIRECT --to-port 3128


# Input
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets
$IPTABLES -A INPUT -p ALL -i $LAN1_IFACE -d $LAN1_BCAST_ADRESS -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $WLAN_IFACE -j wlan_packets
$IPTABLES -A INPUT -p ALL -i $DIALUP_IFACE -d $LAN1_BCAST_ADRESS -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $DIALUP_IFACE -d $WLAN_BCAST_ADRESS -j ACCEPT
$IPTABLES -A INPUT -p ALL -i lo -j ACCEPT


# Output
$IPTABLES -A OUTPUT -p ALL -s $LOCALHOST_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN1_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $WLAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $WLAN2_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $DIALUP_IP -j ACCEPT


# Servers
# ssh
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j ACCEPT
# smtp
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 25 -j ACCEPT
# www
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j ACCEPT
# https
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 443 -j ACCEPT
# mail
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 465 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 993 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 995 -j ACCEPT


# wlan vpn
$IPTABLES -A wlan_packets -p UDP -s 0/0 --dport 5000 -j ACCEPT
$IPTABLES -A wlan_packets -p ALL -j DROP

# icmp
$IPTABLES -A icmp_packets -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -j DROP


# Half-Life
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 5273 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 7002 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 27015 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 27010 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 27012 -j ACCEPT

# Nascar Heat
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2001:2025 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -d 0/0 -p udp --destination-port 2001:2025 -i $INET_IFACE -j DNAT --to $GAME_HOST_IP


# Nascar 4
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 32766:32809 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -d 0/0 -p udp --destination-port 32766:32809 -i $INET_IFACE -j DNAT --to $GAME_HOST_IP


# MS Gaming Zone

# DirectX 7
$IPTABLES -t nat -A PREROUTING -p tcp -d $INET_IFACE_IP --dport 2300:2400 -j DNAT --to $GAME_HOST_IP:2300-2400
$IPTABLES -A FORWARD -p tcp -d $GAME_HOST_IP --dport 2300:2400 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p udp -d $INET_IFACE_IP --dport 2300:2400 -j DNAT --to $GAME_HOST_IP:2300-2400
$IPTABLES -A FORWARD -p udp -d $GAME_HOST_IP --dport 2300:2400 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp -d $INET_IFACE_IP --dport 47624 -j DNAT --to $GAME_HOST_IP:47624
$IPTABLES -A FORWARD -p tcp -d $GAME_HOST_IP --dport 47624 -j ACCEPT

# DirectX 8
$IPTABLES -t nat -A PREROUTING -p udp -d $INET_IFACE_IP --dport 2302:2400 -j DNAT --to $GAME_HOST_IP:2300-2400
$IPTABLES -A FORWARD -p udp -d $GAME_HOST_IP --dport 2302:2400 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p udp -d $INET_IFACE_IP --dport 6073 -j DNAT --to $GAME_HOST_IP:47624
$IPTABLES -A FORWARD -p udp -d $GAME_HOST_IP --dport 6073 -j ACCEPT


$IPTABLES -t nat -A PREROUTING -p tcp -d $INET_IFACE_IP --dport 6667 -j DNAT --to $GAME_HOST_IP:6667
$IPTABLES -A FORWARD -p tcp -d $GAME_HOST_IP --dport 6667 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp -d $INET_IFACE_IP --dport 28800:29000 -j DNAT --to $GAME_HOST_IP:28800-29000
$IPTABLES -A FORWARD -p tcp -d $GAME_HOST_IP --dport 28800:29000 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p udp -d $INET_IFACE_IP --dport 28800:29000 -j DNAT --to $GAME_HOST_IP:28800-29000
$IPTABLES -A FORWARD -p udp -d $GAME_HOST_IP --dport 28800:29000 -j ACCEPT


# CLOSE INCOMING TCP
$IPTABLES -A tcp_packets -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 -j DROP

# CLOSE INCOMING UDP
$IPTABLES -A udpincoming_packets -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -j DROP

# CLOSE FORWARD
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "
$IPTABLES -A FORWARD -j DROP

# LOG OTHER INPUT
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
 
Old 02-11-2005, 12:40 AM   #10
ediestajr
LQ Newbie
 
Registered: Feb 2005
Location: Philippines
Posts: 13

Original Poster
Rep: Reputation: 0
Sir,
I want a port forwarding.


If 192.168.1.10 received a port 22 it will be forward to 192.168.2.2 port 22.


How do I do that?

Thank you.
 
Old 02-11-2005, 05:32 AM   #11
DavidPhillips
Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,154

Rep: Reputation: 56
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.10 --dport 22 -j DNAT --to 192.168.2.2:22
 
Old 02-11-2005, 05:48 AM   #12
ediestajr
LQ Newbie
 
Registered: Feb 2005
Location: Philippines
Posts: 13

Original Poster
Rep: Reputation: 0
It works sir,
sir can u explain to me one by one the ff:

iptables -t nat -A PREROUTING -p tcp -d 192.168.1.2 --dport 22 -j DNAT --to 192.168.2.2:22

sir, can I limit this by source address, example. I like to NAT only from 192.168.1.1.

sir sorry if I'm so very demanding, I like to learn iptables. sir and do you have sites for iptables tutorials 'basic 1st'

Sir,
Thank you 100x times. thank u thank u.

I hope you'll teach me a lot.

Sir,
How can I payback to your kindness?
 
Old 02-11-2005, 07:10 AM   #13
ediestajr
LQ Newbie
 
Registered: Feb 2005
Location: Philippines
Posts: 13

Original Poster
Rep: Reputation: 0
How do I set this up as a permanent sir?

iptables -t nat -A PREROUTING -p tcp -d 192.168.1.2 --dport 22 -j DNAT --to 192.168.2.2:221

Ex. How do I insert this in /etc/sysconfig/iptables configuration?


Thank you.
 
Old 02-11-2005, 09:54 AM   #14
DavidPhillips
Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,154

Rep: Reputation: 56
Once you issue the command and any others you want then you can save the current iptables setup like this..

two ways with RedHat systems..


iptables-save > /etc/sysconfig/iptables

or this..

service iptables save
 
Old 02-11-2005, 10:01 AM   #15
DavidPhillips
Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,154

Rep: Reputation: 56
If you don't have RedHat let us know what you have

Last edited by DavidPhillips; 02-11-2005 at 10:04 AM.
 
  


Reply

Tags
iptable


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Port 80 forwarding to port 22 with iptables zahoo Linux - Networking 3 02-22-2005 07:22 AM
IPChains/IPMasqadm Port Forwarding Sonicsone Linux - Networking 8 12-03-2002 01:18 PM
IPChains + port forwarding + redhat 7.2 purduephotog Linux - Networking 2 04-22-2002 04:38 PM
ipchains port forwarding Ratclaws Linux - Security 2 12-04-2001 03:59 AM
Ipchains port forwarding localy yogee Linux - Networking 7 07-16-2001 11:41 AM


All times are GMT -5. The time now is 11:23 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration