Sir/Ma'am,
Can u help me, I'm new in security admin. like this,
How do I setup port forwarding in ipchains and iptables.


source host : 192.168.1.59

server : eth0 => 192.168.1.10
eth1 => 192.168.2.1

Destination : 192.168.2.2

Thank you very much.

Take the easy way out. Either of these programs will help you build the ipchanges rules to make a good firewall

webmin or


shorewall

Shorewall is very well documented and easy to implement.

iptables -t nat -A PREROUTING -p ${PROTOCOL} -i ${INTERFACE} -d ${LOCAL_IP_ADDR} --dport ${LOCAL_PORT} -j DNAT --to ${DESTINATION_IP_ADDR}:{DESTINATION_PORT}

iptables -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.1.10 --dport 80 -j DNAT --to 192.168.2.2:80


ipchains does not support forwarding ports, use ipmasqadm and portfw

ipmasqadm portfw -a -P ${PROTOCOL} -L ${LOCAL_IP_ADDR} ${PORT} -R ${DESTINATION_IP_ADDR} {PORT}

ipmasqadm portfw -a -P tcp -L 192.168.1.10 80 -R 192.168.2.2 80

/usr/sbin/ipmasqadm portfw -a -P tcp -L 192.168.1.10 22 -R 192.168.2.2 8888
portfw: setsockopt failed: Invalid argument


8888 = ssh port of 192.168.2.2

Do you have net filter? what kernel is this?

this means that if 192.168.1.10 receives a tcp packet on port 80, it will forward it to 192.168.2.2 port 80, correct?

Sir,
What is netfilter?
What other config do I have to modify?



Kernel :
Linux msme3 2.4.9-e.59smp #1 SMP Mon Jan 24 10:03:54 EST 2005 i686 unknown



Thank you thank you thank you very much for helping me out sir.

I'm from philippines sir, by the way I'm edgardo.

yes, if the traffic comes in on eth0. That will forward traffic to the address given. You can also change ports or just forward the port to another port on the same ip address.
So it depends on what you want to do.



Forget about ipchains and use iptables.

What exactly do you want to do? Redirect traffic to a certain port on one ip to another or forward a port to another port? Or Both?

Netfilter is iptables. Linux firewall

Here are some examples of netfilter port forwarding and some other parts of a firewall script. Please try to understand this before using it blindly. There are many documents on iptables.




#!/bin/sh
LAN1_IP_RANGE="192.168.0.0/24"
LAN1_IP="192.168.0.1/32"
LAN1_BCAST_ADRESS="192.168.0.255/32"

WLAN_IP_RANGE="192.168.1.0/24"
WLAN_IP="192.168.1.1/32"
WLAN_BCAST_ADRESS="192.168.1.255/32"
WLAN2_IP="10.1.0.0/24"
LOCALHOST_IP="127.0.0.1/32"

INET_IFACE="eth1"

LAN1_IFACE="eth0"
WLAN_IFACE="eth2"
DIALUP_IFACE="ppp+"

IPTABLES="/sbin/iptables"

INET_IFACE_IP="www.dcphillips.net"
DIALUP_IP="192.168.0.201"
GAME_HOST_IP="192.168.0.2" #firedragon

/sbin/depmod -a

/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE

echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr


# Policy
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

# Tables
$IPTABLES -N tcp_packets
$IPTABLES -N icmp_packets
$IPTABLES -N udpincoming_packets
$IPTABLES -N nat
$IPTABLES -N wlan_packets

# IP Masquerade
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE


# Forward
$IPTABLES -A FORWARD -i $LAN1_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $WLAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $DIALUP_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i lo -j ACCEPT


# Squid transparent proxy
$IPTABLES -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
$IPTABLES -A PREROUTING -t nat -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 3128
$IPTABLES -A PREROUTING -t nat -i ppp0 -p tcp --dport 80 -j REDIRECT --to-port 3128


# Input
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets
$IPTABLES -A INPUT -p ALL -i $LAN1_IFACE -d $LAN1_BCAST_ADRESS -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $WLAN_IFACE -j wlan_packets
$IPTABLES -A INPUT -p ALL -i $DIALUP_IFACE -d $LAN1_BCAST_ADRESS -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $DIALUP_IFACE -d $WLAN_BCAST_ADRESS -j ACCEPT
$IPTABLES -A INPUT -p ALL -i lo -j ACCEPT


# Output
$IPTABLES -A OUTPUT -p ALL -s $LOCALHOST_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN1_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $WLAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $WLAN2_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $DIALUP_IP -j ACCEPT


# Servers
# ssh
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j ACCEPT
# smtp
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 25 -j ACCEPT
# www
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j ACCEPT
# https
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 443 -j ACCEPT
# mail
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 465 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 993 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 995 -j ACCEPT


# wlan vpn
$IPTABLES -A wlan_packets -p UDP -s 0/0 --dport 5000 -j ACCEPT
$IPTABLES -A wlan_packets -p ALL -j DROP

# icmp
$IPTABLES -A icmp_packets -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -j DROP


# Half-Life
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 5273 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 7002 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 27015 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 27010 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 27012 -j ACCEPT

# Nascar Heat
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2001:2025 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -d 0/0 -p udp --destination-port 2001:2025 -i $INET_IFACE -j DNAT --to $GAME_HOST_IP


# Nascar 4
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 32766:32809 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -d 0/0 -p udp --destination-port 32766:32809 -i $INET_IFACE -j DNAT --to $GAME_HOST_IP


# MS Gaming Zone

# DirectX 7
$IPTABLES -t nat -A PREROUTING -p tcp -d $INET_IFACE_IP --dport 2300:2400 -j DNAT --to $GAME_HOST_IP:2300-2400
$IPTABLES -A FORWARD -p tcp -d $GAME_HOST_IP --dport 2300:2400 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p udp -d $INET_IFACE_IP --dport 2300:2400 -j DNAT --to $GAME_HOST_IP:2300-2400
$IPTABLES -A FORWARD -p udp -d $GAME_HOST_IP --dport 2300:2400 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp -d $INET_IFACE_IP --dport 47624 -j DNAT --to $GAME_HOST_IP:47624
$IPTABLES -A FORWARD -p tcp -d $GAME_HOST_IP --dport 47624 -j ACCEPT

# DirectX 8
$IPTABLES -t nat -A PREROUTING -p udp -d $INET_IFACE_IP --dport 2302:2400 -j DNAT --to $GAME_HOST_IP:2300-2400
$IPTABLES -A FORWARD -p udp -d $GAME_HOST_IP --dport 2302:2400 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p udp -d $INET_IFACE_IP --dport 6073 -j DNAT --to $GAME_HOST_IP:47624
$IPTABLES -A FORWARD -p udp -d $GAME_HOST_IP --dport 6073 -j ACCEPT


$IPTABLES -t nat -A PREROUTING -p tcp -d $INET_IFACE_IP --dport 6667 -j DNAT --to $GAME_HOST_IP:6667
$IPTABLES -A FORWARD -p tcp -d $GAME_HOST_IP --dport 6667 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp -d $INET_IFACE_IP --dport 28800:29000 -j DNAT --to $GAME_HOST_IP:28800-29000
$IPTABLES -A FORWARD -p tcp -d $GAME_HOST_IP --dport 28800:29000 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p udp -d $INET_IFACE_IP --dport 28800:29000 -j DNAT --to $GAME_HOST_IP:28800-29000
$IPTABLES -A FORWARD -p udp -d $GAME_HOST_IP --dport 28800:29000 -j ACCEPT


# CLOSE INCOMING TCP
$IPTABLES -A tcp_packets -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 -j DROP

# CLOSE INCOMING UDP
$IPTABLES -A udpincoming_packets -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -j DROP

# CLOSE FORWARD
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "
$IPTABLES -A FORWARD -j DROP

# LOG OTHER INPUT
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "

Sir,
I want a port forwarding.


If 192.168.1.10 received a port 22 it will be forward to 192.168.2.2 port 22.


How do I do that?

Thank you.

iptables -t nat -A PREROUTING -p tcp -d 192.168.1.10 --dport 22 -j DNAT --to 192.168.2.2:22

It works sir,
sir can u explain to me one by one the ff:

iptables -t nat -A PREROUTING -p tcp -d 192.168.1.2 --dport 22 -j DNAT --to 192.168.2.2:22

sir, can I limit this by source address, example. I like to NAT only from 192.168.1.1.

sir sorry if I'm so very demanding, I like to learn iptables. sir and do you have sites for iptables tutorials 'basic 1st'

Sir,
Thank you 100x times. thank u thank u.

I hope you'll teach me a lot.

Sir,
How can I payback to your kindness?

How do I set this up as a permanent sir?

iptables -t nat -A PREROUTING -p tcp -d 192.168.1.2 --dport 22 -j DNAT --to 192.168.2.2:221

Ex. How do I insert this in /etc/sysconfig/iptables configuration?


Thank you.

Once you issue the command and any others you want then you can save the current iptables setup like this..

two ways with RedHat systems..


iptables-save > /etc/sysconfig/iptables

or this..

service iptables save

If you don't have RedHat let us know what you have