LinuxQuestions.org
05-06-2005, 10:00 AM   #1   wobbit (LQ Newbie)
IPTABLES & Port Forwarding


Hi, I'm really new to iptables. I have managed to secure my server; I'm trying to get server1 to forward port 80 to server2 (my web server on the internal network), but it doesn't seem to want to work! Any help would be great!

Server1 = 1.1.1.1
Server2 = 2.2.2.2

Here's my iptables config. Any help would be great, thx!

Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "Adding IP Tables Rules"
iptables="/sbin/iptables"

# Default policy
$iptables -F
$iptables -X
$iptables -P INPUT DROP
$iptables -P FORWARD DROP
$iptables -P OUTPUT ACCEPT

# Filter Chain
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A INPUT -i eth0 -j ACCEPT
$iptables -A INPUT -i eth1 -j ACCEPT
$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow the box to be pinged
#$iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
#$iptables -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT

# Forwarding between interfaces
$iptables -A FORWARD -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -i eth0 -j ACCEPT

# Port forwarding of port 80 to server2
$iptables -t nat -A PREROUTING -i eth1 -p tcp --sport 80 -d 1.1.1.1 --dport 80 -j DNAT --to-destination 2.2.2.2:80 -v
$iptables -A FORWARD -i eth1 -o eth0 -p tcp --sport 80 -d 2.2.2.2 --dport 80 -m state --state NEW -j ACCEPT -v

# Services reachable on server1 itself
$iptables -A INPUT -m state --state NEW -i eth0 -j ACCEPT
$iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
$iptables -A INPUT -i eth0 -p tcp --dport 3306 -j ACCEPT
#$iptables -A INPUT -i ppp0 -p tcp --dport 3306 -j ACCEPT
$iptables -A INPUT -i ppp0 -p tcp --dport 21 -j ACCEPT
$iptables -A INPUT -i ppp0 -p tcp --dport 22 -j ACCEPT
$iptables -A INPUT -i ppp0 -p tcp --dport 25 -j ACCEPT
$iptables -A INPUT -i ppp0 -p tcp --dport 80 -j ACCEPT
$iptables -A INPUT -i ppp0 -p tcp --dport 110 -j ACCEPT
$iptables -A INPUT -i ppp0 -p tcp --dport 143 -j ACCEPT
$iptables -A INPUT -i ppp0 -p tcp --dport 443 -j ACCEPT
#$iptables -A INPUT -i ppp0 -p tcp --dport 8080 -j ACCEPT

# Log whatever falls through to the DROP policies
$iptables -A FORWARD -j LOG --log-level DEBUG --log-prefix "FORWARD packet died: "
$iptables -A INPUT -j LOG --log-level DEBUG --log-prefix "INPUT packet died: "

# NAT for traffic leaving on the internet link
$iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
 
05-06-2005, 10:31 AM   #2   Demonbane (Guru)
Are you trying to do port forwarding for port 80 connections from the internet?
Since you have 3 interfaces (eth0, eth1 and ppp0) it's a bit confusing.
Also, regardless of interfaces, specifying both source and destination port as 80 is wrong, because it will match packets with both source and destination port 80 (and, generally speaking, that won't happen).
If you want to match packets with source port 80 OR destination port 80, you have to use 2 rules.
That being said, you do not need to statically allow this traffic; all you need to do is allow packets with state NEW to destination port 80, and connection tracking (state ESTABLISHED) will take care of the rest.

 
05-06-2005, 04:28 PM   #3   SirGertrude (Member)
You can get rid of the following two lines:

Code:
$iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
$iptables -A INPUT -i eth0 -p tcp --dport 3306 -j ACCEPT
because they have already been accepted by the previous statement:

Code:
$iptables -A INPUT -i eth0 -j ACCEPT
and as for port forwarding, as Demonbane mentioned, your rules are a little off. I would remove the lines:

Code:
$iptables -t nat -A PREROUTING -i eth1 -p tcp --sport 80 -d 1.1.1.1 --dport 80 -j DNAT --to-destination 2.2.2.2:80 -v
$iptables -A FORWARD -i eth1 -o eth0 -p tcp --sport 80 -d 2.2.2.2 --dport 80 -m state --state NEW -j ACCEPT -v
and change them to read:

Code:
$iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
$iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to 2.2.2.2

This will forward all packets from ppp0 with a destination port of 80 to the internal host 2.2.2.2 on port 80. It will also prevent another of your rules from taking effect:

Code:
$iptables -A INPUT -i ppp0 -p tcp --dport 80 -j ACCEPT
No traffic destined for port 80 will make it to the router itself.
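The two points made in replies #2 and #3 can be checked with a small model of the netfilter traversal: Demonbane's, that a rule requiring both --sport 80 and --dport 80 matches no real client request (the client's source port is ephemeral), and SirGertrude's, that once PREROUTING DNATs the packet to 2.2.2.2 the routing decision sends it through FORWARD, so the INPUT rule for port 80 on ppp0 is never consulted. This is an added example, not code from either poster or from the iptables project. It models only the first (NEW) packet of a connection, since conntrack applies the same DNAT mapping to the rest of the flow; the addresses follow the thread (server1 = 1.1.1.1, server2 = 2.2.2.2), and the client 203.0.113.7 with source port 40000 is constructed for the example.

```python
"""Toy model of the path a port-80 packet takes through server1.

Added example for this thread (not the posters' or the iptables project's code).
Models the first (NEW) packet of a connection only: nat PREROUTING, then the
routing decision (to the box itself -> INPUT, anything else -> FORWARD), then
the first matching filter rule, else the chain's policy.
"""
from dataclasses import dataclass, replace
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    in_if: str
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"
    state: str = "NEW"


@dataclass(frozen=True)
class Rule:
    chain: str                   # PREROUTING (nat table), INPUT or FORWARD (filter table)
    target: str                  # ACCEPT, DROP or DNAT
    in_if: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    state: Optional[str] = None  # comma-separated, as in --state NEW,ESTABLISHED
    to: Optional[str] = None     # DNAT --to-destination, "ip" or "ip:port"

    def matches(self, p: Packet) -> bool:
        """Every match option set on the rule must hold; unset options match anything."""
        return all([
            self.in_if is None or self.in_if == p.in_if,
            self.proto is None or self.proto == p.proto,
            self.sport is None or self.sport == p.sport,
            self.dst is None or self.dst == p.dst,
            self.dport is None or self.dport == p.dport,
            self.state is None or p.state in self.state.split(","),
        ])

    def as_iptables(self) -> str:
        """Render the rule as the iptables command line that adds it."""
        parts = ["iptables"] + (["-t", "nat"] if self.chain == "PREROUTING" else [])
        parts += ["-A", self.chain]
        if self.in_if:
            parts += ["-i", self.in_if]
        if self.proto:
            parts += ["-p", self.proto]
        if self.sport is not None:
            parts += ["--sport", str(self.sport)]
        if self.dst:
            parts += ["-d", self.dst]
        if self.dport is not None:
            parts += ["--dport", str(self.dport)]
        if self.state:
            parts += ["-m", "state", "--state", self.state]
        parts += ["-j", self.target]
        if self.target == "DNAT":
            parts += ["--to-destination", self.to]
        return " ".join(parts)


ROUTER_IPS = {"1.1.1.1"}                       # addresses owned by server1 itself
POLICY = {"INPUT": "DROP", "FORWARD": "DROP"}  # the script's default policies

# The port-80 rules as posted in message #1.
ORIGINAL = [
    Rule("PREROUTING", "DNAT", in_if="eth1", proto="tcp", sport=80, dst="1.1.1.1", dport=80, to="2.2.2.2:80"),
    Rule("FORWARD", "ACCEPT", in_if="eth1", proto="tcp", sport=80, dst="2.2.2.2", dport=80, state="NEW"),
    Rule("INPUT", "ACCEPT", in_if="ppp0", proto="tcp", dport=80),
]

# The replacement from reply #3, with the script's ppp0 port-80 INPUT rule left in place.
CORRECTED = [
    Rule("PREROUTING", "DNAT", in_if="ppp0", proto="tcp", dport=80, to="2.2.2.2"),
    Rule("FORWARD", "ACCEPT", proto="tcp", dport=80),
    Rule("INPUT", "ACCEPT", in_if="ppp0", proto="tcp", dport=80),
]


def traverse(rules, pkt: Packet) -> Tuple[str, str, Packet]:
    """Return (filter chain consulted, verdict, packet as that chain sees it)."""
    for r in rules:  # nat PREROUTING: the first matching DNAT rewrites the destination
        if r.chain == "PREROUTING" and r.target == "DNAT" and r.matches(pkt):
            ip, _, port = r.to.partition(":")
            pkt = replace(pkt, dst=ip, dport=int(port) if port else pkt.dport)
            break
    chain = "INPUT" if pkt.dst in ROUTER_IPS else "FORWARD"  # routing decision, after DNAT
    for r in rules:
        if r.chain == chain and r.matches(pkt):
            return chain, r.target, pkt
    return chain, POLICY[chain], pkt


# A browser on the internet opening server1's public port 80 (constructed client).
CLIENT_SYN = Packet(in_if="ppp0", src="203.0.113.7", dst="1.1.1.1", sport=40000, dport=80)

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("corrected", CORRECTED)):
        chain, verdict, seen = traverse(rules, CLIENT_SYN)
        print(f"{name}: {chain} {verdict}, delivered to {seen.dst}:{seen.dport}")
    print("\n".join(r.as_iptables() for r in CORRECTED))
```

With the original rules the client's SYN never matches the DNAT rule (wrong interface, and its source port is 40000, not 80), so it is routed to INPUT and served by server1 itself; with the corrected rules it is rewritten to 2.2.2.2 in PREROUTING and accepted in FORWARD, and a packet for a port that is not forwarded (22, say) still reaches INPUT and its DROP policy as before.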