LinuxQuestions.org

Thread: IPTABLES & Port Forwarding (http://www.linuxquestions.org/questions/linux-networking-3/iptables-and-port-forwarding-320716/)

wobbit 05-06-2005 09:00 AM

IPTABLES & Port Forwarding
 
Hi, I'm really new to iptables. I have managed to secure my server. I'm trying to get server1 to forward port 80 to server2 (my web server on the internal network) but it doesn't seem to want to work! Any help would be great!

Server1 = 1.1.1.1
Server2 = 2.2.2.2

Here's my iptables config. Any help would be great, thanks!

echo 1 > /proc/sys/net/ipv4/ip_forward
echo "Adding IP Tables Rules"
iptables="/sbin/iptables"

# Default policy
$iptables -F
$iptables -X
$iptables -P INPUT DROP
$iptables -P FORWARD DROP
$iptables -P OUTPUT ACCEPT

# Filter Chain
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A INPUT -i eth0 -j ACCEPT
$iptables -A INPUT -i eth1 -j ACCEPT
$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow the box to be pinged
#$iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
#$iptables -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT

$iptables -A FORWARD -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -i eth0 -j ACCEPT

$iptables -t nat -A PREROUTING -i eth1 -p tcp --sport 80 -d 1.1.1.1 --dport 80 -j DNAT --to-destination 2.2.2.2:80 -v
$iptables -A FORWARD -i eth1 -o eth0 -p tcp --sport 80 -d 2.2.2.2 --dport 80 -m state --state NEW -j ACCEPT -v

$iptables -A INPUT -m state --state NEW -i eth0 -j ACCEPT
$iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
$iptables -A INPUT -i eth0 -p tcp --dport 3306 -j ACCEPT
#$iptables -A INPUT -i ppp0 -p tcp --dport 3306 -j ACCEPT
$iptables -A INPUT -i ppp0 -p tcp --dport 21 -j ACCEPT
$iptables -A INPUT -i ppp0 -p tcp --dport 22 -j ACCEPT
$iptables -A INPUT -i ppp0 -p tcp --dport 25 -j ACCEPT
$iptables -A INPUT -i ppp0 -p tcp --dport 80 -j ACCEPT
$iptables -A INPUT -i ppp0 -p tcp --dport 110 -j ACCEPT
$iptables -A INPUT -i ppp0 -p tcp --dport 143 -j ACCEPT
$iptables -A INPUT -i ppp0 -p tcp --dport 443 -j ACCEPT
#$iptables -A INPUT -i ppp0 -p tcp --dport 8080 -j ACCEPT

$iptables -A FORWARD -j LOG --log-level DEBUG --log-prefix "FORWARD packet died: "
$iptables -A INPUT -j LOG --log-level DEBUG --log-prefix "INPUT packet died: "



$iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

Demonbane 05-06-2005 09:31 AM

Are you trying to do port forwarding for port 80 connections from the internet?
Since you have 3 interfaces (eth0, eth1 and ppp0) it's a bit confusing.
Also, regardless of interfaces, specifying both source and destination port as 80 is wrong, because it'll match packets with both source and destination port 80 (and generally speaking that won't happen).
If you want to match packets with source port 80 OR destination port 80 you have to use 2 rules.
That being said, you do not need to statically allow this traffic; all you need to do is allow packets with state NEW to destination port 80, and connection tracking (state ESTABLISHED) will take care of the rest.

SirGertrude 05-06-2005 03:28 PM

You can get rid of the following two lines:

Code:

$iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
$iptables -A INPUT -i eth0 -p tcp --dport 3306 -j ACCEPT

because they have already been accepted by the previous statement:

Code:

$iptables -A INPUT -i eth0 -j ACCEPT

As for port forwarding, as Demonbane mentioned, your rules are a little off. I would remove the lines:

Code:

$iptables -t nat -A PREROUTING -i eth1 -p tcp --sport 80 -d 1.1.1.1 --dport 80 -j DNAT --to-destination 2.2.2.2:80 -v
$iptables -A FORWARD -i eth1 -o eth0 -p tcp --sport 80 -d 2.2.2.2 --dport 80 -m state --state NEW -j ACCEPT -v

and change them to read:

Code:

$iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
$iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to 2.2.2.2


This will forward all packets from ppp0 with a destination port of 80 to the internal host 2.2.2.2 on port 80. It will also prevent another of your rules from taking effect:

Code:

$iptables -A INPUT -i ppp0 -p tcp --dport 80 -j ACCEPT

No traffic destined for port 80 will make it to the router itself.
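A complete port-forward script, added here as an example that is not part of the thread, combining Demonbane's point (match only --dport on NEW connections and let connection tracking handle the replies) with SirGertrude's DNAT rule. It differs from SirGertrude's suggestion in one respect: the FORWARD rule is restricted to the WAN interface, the LAN interface and the forwarded host instead of accepting port-80 traffic from anywhere. The interface names ppp0 and eth0, the address 2.2.2.2 and the IPTABLES, WAN_IF, LAN_IF, WEB_HOST and WEB_PORT variables are assumptions chosen to match the thread, and rule_has_sport_and_dport is a hypothetical helper that flags the --sport/--dport mistake from the original post. Run it as root with the argument apply to load the rules, or with IPTABLES=echo to print them without touching the kernel.

```sh
#!/bin/sh
# Added example, not from the thread. Forwards TCP port 80 arriving on the
# WAN interface to an internal web server the way the replies describe:
# DNAT in PREROUTING, a single --dport match for NEW connections in FORWARD,
# and conntrack state for the replies. Interface names, the web host address
# and the variable names below are assumptions chosen to match the thread.

IPTABLES="${IPTABLES:-/sbin/iptables}"   # set IPTABLES=echo for a dry run
WAN_IF="${WAN_IF:-ppp0}"                 # interface facing the internet
LAN_IF="${LAN_IF:-eth0}"                 # interface facing the web server
WEB_HOST="${WEB_HOST:-2.2.2.2}"          # the thread's Server2
WEB_PORT="${WEB_PORT:-80}"

# Emit (or, with the real iptables binary, apply) the four rules needed.
port_forward_rules() {
    # 1. Rewrite the destination before routing. Match only --dport: the
    #    client's source port is ephemeral, so a --sport 80 match never hits.
    "$IPTABLES" -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$WEB_PORT" \
        -j DNAT --to-destination "$WEB_HOST:$WEB_PORT"
    # 2. Let only that rewritten traffic open new connections across FORWARD
    #    (policy DROP): from WAN_IF to LAN_IF, to WEB_HOST, on WEB_PORT.
    "$IPTABLES" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$WEB_HOST" \
        --dport "$WEB_PORT" -m state --state NEW -j ACCEPT
    # 3. Replies in both directions are accepted by connection tracking,
    #    so no source-port rule is needed.
    "$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 4. Outbound traffic from the LAN leaves with the router's WAN address.
    "$IPTABLES" -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Hypothetical lint helper: returns 0 when a rule makes the mistake Demonbane
# points out, matching --sport and --dport in one rule (which only hits
# packets whose source and destination port are both that value).
rule_has_sport_and_dport() {
    case "$1" in
        *--sport*--dport*|*--dport*--sport*) return 0 ;;
        *) return 1 ;;
    esac
}

# Apply for real only when asked: ./forward.sh apply
case "${1:-}" in
    apply)
        echo 1 > /proc/sys/net/ipv4/ip_forward
        port_forward_rules
        ;;
esac
```

Because the DNAT happens in PREROUTING, the INPUT rule for port 80 on ppp0 is never reached once the forward is in place, as SirGertrude notes. The rule matches -i ppp0 only, so hosts on the LAN connecting to the router's public address are not covered by it.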

