LinuxQuestions.org - Linux - Networking - iptables - enable port forwarding from internal network (http://www.linuxquestions.org/questions/linux-networking-3/iptables-enable-port-forwarding-from-internal-network-888401/)

hjalmars 06-26-2011 04:17 AM

iptables - enable port forwarding from internal network
 
I've got an Ubuntu server (11.04) installation with routing using iptables running; it all works well, even port forwarding.

Now what I would like to do is enable the "port forwarding" rules on the internal network.

i.e. I have an https-webserver on an internal box at 10.255.72.3:444; I can reach this using https://<domain>:444 perfectly from the outside,
and I can reach a Win7 (RDP) machine with <domain>:33891 (translates to 10.255.72.21:3389).

I would like to be able to reach both the https-server and rdp from the inside network using the same addresses, https://<domain>:444 and <domain>:33891.

I know there's a way to accomplish this. I remember on an old openSUSE installation this was the default behavior.
I installed the new openSUSE to test, but they've "disabled" it now.

My setup:
eth0 - Internet
eth1 - 10.255.71.0/24
eth2 - Internal 10.255.72.0/24 (IP: 10.255.72.254)

I've got things working so that I can access the Internet and 10.255.71.0-network from the internal 10.255.72.0.

My iptables config:

Code:

# Generated by iptables-save v1.4.10 on Sun Jun 26 10:09:30 2011
*nat
:PREROUTING ACCEPT [21:1994]
:INPUT ACCEPT [17:1685]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 10.255.72.2
-A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 10.255.72.3
-A PREROUTING -p tcp -m tcp --dport 222 -j DNAT --to-destination 10.255.72.254:22
-A PREROUTING -p tcp -m tcp --dport 444 -j DNAT --to-destination 10.255.72.3
-A PREROUTING -p tcp -m tcp --dport 33891 -j DNAT --to-destination 10.255.72.3:3389
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Sun Jun 26 10:09:30 2011
# Generated by iptables-save v1.4.10 on Sun Jun 26 10:09:30 2011
*filter
:INPUT ACCEPT [870:75617]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [468:51729]
-A FORWARD -s 10.255.72.0/24 -i eth2 -j ACCEPT
-A FORWARD -d 10.255.72.0/24 -i eth0 -j ACCEPT
-A FORWARD -d 10.255.72.0/24 -i eth1 -j ACCEPT
COMMIT
# Completed on Sun Jun 26 10:09:30 2011

The weird thing about this setup is that I can access the SSH on the router using <domain>:222, both from the outside AND inside! This is the behavior I want on the other port-forwards too. CORRECTION: Nope, I cannot; I can however reach it with 10.255.72.254:222 from the inside.

Any help appreciated!
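
Added example (not posted in this thread): the nat-table rules that make a DNATed service reachable from the LAN through the public address, usually called hairpin NAT or NAT loopback. Interface names, the LAN range and the internal hosts are taken from the posted iptables-save output (444 and 33891 both point at 10.255.72.3 there); PUBLIC_IP is a constructed placeholder for whatever address eth0 holds. The posted PREROUTING rules for 444 and 33891 carry no -i or -d, so they already rewrite LAN traffic to those ports on any destination; what is missing is the SNAT in POSTROUTING. Without it the internal server answers the LAN client directly, the client sees the reply coming from 10.255.72.3 rather than from the public address it connected to, and the connection never completes. The script only prints the commands; nothing is applied.

```shell
#!/bin/sh
# Added example, not from the thread: print the nat-table rules that let LAN
# clients reach a DNATed service through the router's public address
# (hairpin NAT / NAT loopback). Interface names and internal hosts follow the
# posted iptables-save output; PUBLIC_IP is a constructed placeholder for the
# address eth0 actually holds.

LAN_IF=eth2
LAN_NET=10.255.72.0/24
ROUTER_LAN_IP=10.255.72.254
PUBLIC_IP=203.0.113.10   # placeholder (TEST-NET-3); substitute the real eth0 address

# hairpin_rules PUBLIC_IP EXT_PORT INTERNAL_IP INT_PORT
# Prints the two rules one hairpinned service needs:
#  1. PREROUTING DNAT: a LAN client sending to PUBLIC_IP:EXT_PORT is sent to
#     INTERNAL_IP:INT_PORT, as an outside client is. Matching on -i and
#     -d PUBLIC_IP keeps the rule from rewriting every packet on that port
#     whatever its destination.
#  2. POSTROUTING SNAT: the translated packet leaves on the LAN interface with
#     the router's LAN address as source, so the server answers the router,
#     which reverses both translations on the way back. "--ctstate DNAT"
#     limits the SNAT to flows that were actually hairpinned, so direct
#     LAN-to-server connections keep the client's real source address in the
#     server's logs.
hairpin_rules() {
  pub=$1
  ext=$2
  dst=$3
  dport=$4
  printf 'iptables -t nat -A PREROUTING -i %s -s %s -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
    "$LAN_IF" "$LAN_NET" "$pub" "$ext" "$dst" "$dport"
  printf 'iptables -t nat -A POSTROUTING -o %s -s %s -d %s -p tcp --dport %s -m conntrack --ctstate DNAT -j SNAT --to-source %s\n' \
    "$LAN_IF" "$LAN_NET" "$dst" "$dport" "$ROUTER_LAN_IP"
}

# Rule set for the two services the thread maps (444 -> 10.255.72.3:444,
# 33891 -> 10.255.72.3:3389). The hairpinned flow enters and leaves on eth2
# in both directions; the posted FORWARD rule
# "-s 10.255.72.0/24 -i eth2 -j ACCEPT" already permits it, so no
# filter-table change is printed here.
hairpin_ruleset() {
  hairpin_rules "$PUBLIC_IP" 444   10.255.72.3 444
  hairpin_rules "$PUBLIC_IP" 33891 10.255.72.3 3389
}

hairpin_ruleset
```

Run it and paste the printed commands into the firewall script, or turn them into iptables-save lines. If the public address is dynamic, `-m addrtype --dst-type LOCAL` in place of `-d PUBLIC_IP` matches any address the router itself holds, at the cost of also catching connections made to 10.255.72.254 on those ports. Whichever form is used, after loading the rules `iptables -t nat -L POSTROUTING -v -n` should show the SNAT counters climbing while a LAN client connects to https://<domain>:444.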

lazydog 06-26-2011 12:03 PM

You need to allow FORWARDing of packets from one interface to the other.

hjalmars 06-26-2011 04:25 PM

Quote:

Originally Posted by lazydog (Post 4396183)
You need to allow FORWARDing of packets from one interface to the other.

Thanks for your reply!

Doesn't this allow forwarding of packets to and from 10.255.72.0/24 (eth2)?
Code:

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target    prot opt in    out    source              destination       
31566  18M ACCEPT    all  --  eth2  *      10.255.72.0/24      0.0.0.0/0         
30479 3344K ACCEPT    all  --  eth0  *      0.0.0.0/0            10.255.72.0/24     
    0    0 ACCEPT    all  --  eth1  *      0.0.0.0/0            10.255.72.0/24     
    0    0 ACCEPT    all  --  eth2  *      0.0.0.0/0            10.255.72.0/24

I tested with:
Code:

iptables -P FORWARD ACCEPT

but this didn't change anything (that I noticed) so I reverted to DROP.

Here's my iptables -L -v -n:
Code:

Chain INPUT (policy ACCEPT 36 packets, 4359 bytes)
 pkts bytes target    prot opt in    out    source              destination       

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target    prot opt in    out    source              destination       
31684  18M ACCEPT    all  --  eth2  *      10.255.72.0/24      0.0.0.0/0         
30665 3362K ACCEPT    all  --  eth0  *      0.0.0.0/0            10.255.72.0/24     
    0    0 ACCEPT    all  --  eth1  *      0.0.0.0/0            10.255.72.0/24     
    0    0 ACCEPT    all  --  eth2  *      0.0.0.0/0            10.255.72.0/24     

Chain OUTPUT (policy ACCEPT 17 packets, 1068 bytes)
 pkts bytes target    prot opt in    out    source              destination

Here's my iptables -t nat -L -v -n
Code:

Chain PREROUTING (policy ACCEPT 3635 packets, 357K bytes)
 pkts bytes target    prot opt in    out    source              destination       
    9  484 DNAT      tcp  --  eth0  *      0.0.0.0/0            0.0.0.0/0          tcp dpt:3389 to:10.255.72.2
  717 40332 DNAT      tcp  --  eth0  *      0.0.0.0/0            0.0.0.0/0          tcp dpt:22 to:10.255.72.3
    8  480 DNAT      tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:222 to:10.255.72.254:22
  34  2024 DNAT      tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:444 to:10.255.72.3
    2  120 DNAT      tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:33891 to:10.255.72.3:3389

Chain INPUT (policy ACCEPT 3272 packets, 331K bytes)
 pkts bytes target    prot opt in    out    source              destination       

Chain OUTPUT (policy ACCEPT 6 packets, 416 bytes)
 pkts bytes target    prot opt in    out    source              destination       

Chain POSTROUTING (policy ACCEPT 752 packets, 42360 bytes)
 pkts bytes target    prot opt in    out    source              destination       
  413 29657 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0         
    0    0 MASQUERADE  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0


lazydog 06-27-2011 02:01 PM

You need to tell the system that it is allowed to forward packets. This is done in 2 ways.

Turn on immediately:

Code:

net.ipv4.ip_forward = 1

Always on even after reboot:

Code:

echo 1 > /proc/sys/net/ipv4/ip_forward

To check the status of forwarding:

Code:

cat /proc/sys/net/ipv4/ip_forward

Then you still need the forward statements in iptables for it to forward also.
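
Added example (not part of the post above): a small POSIX sh check that tells "forwarding is on right now" apart from "forwarding will still be on after a reboot". Writing 1 to /proc/sys/net/ipv4/ip_forward (or `sysctl -w net.ipv4.ip_forward=1`) changes the running kernel only; a `net.ipv4.ip_forward = 1` line in /etc/sysctl.conf or a file under /etc/sysctl.d/ is what gets re-applied at boot, and `sysctl -p` applies the file now. The ROOT argument is an assumption made so the functions can be run against a constructed directory tree instead of the live host; the demo at the bottom builds such a tree and removes it.

```shell
#!/bin/sh
# Added example, not from the thread: tell apart "forwarding is on now" from
# "forwarding will still be on after a reboot". The ROOT argument is an
# assumption made for testing: "" means the live system, a directory path
# means a constructed tree with the same layout underneath it.

# ip_forward_runtime ROOT -> prints the kernel's current value (0 if unreadable)
ip_forward_runtime() {
  f="$1/proc/sys/net/ipv4/ip_forward"
  if [ -r "$f" ]; then cat "$f"; else echo 0; fi
}

# ip_forward_persistent ROOT -> succeeds if the sysctl configuration files set
# net.ipv4.ip_forward to 1. sysctl.d fragments are read first and
# /etc/sysctl.conf last, as sysctl --system does for these two locations;
# the last setting seen wins.
ip_forward_persistent() {
  root=$1
  last=""
  for f in "$root"/etc/sysctl.d/*.conf "$root"/etc/sysctl.conf; do
    [ -f "$f" ] || continue
    v=$(sed -n 's/^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*\([01]\).*/\1/p' "$f" | tail -n 1)
    if [ -n "$v" ]; then last=$v; fi
  done
  [ "$last" = "1" ]
}

# forwarding_status ROOT -> one of:
#   on-persistent       kernel says 1 and the configuration files say 1
#   on-volatile         enabled with "echo 1 > /proc/..." or "sysctl -w" only; gone after reboot
#   off-but-configured  files say 1 but the kernel says 0: "sysctl -p" (or a reboot) not yet done
#   off                 neither
forwarding_status() {
  rt=$(ip_forward_runtime "$1")
  if ip_forward_persistent "$1"; then p=1; else p=0; fi
  case "$rt$p" in
    11) echo on-persistent ;;
    10) echo on-volatile ;;
    01) echo off-but-configured ;;
    *)  echo off ;;
  esac
}

# Demonstration on a constructed tree so the script never touches the host.
demo=$(mktemp -d)
mkdir -p "$demo/proc/sys/net/ipv4" "$demo/etc/sysctl.d"
echo 1 > "$demo/proc/sys/net/ipv4/ip_forward"                         # runtime flag
echo "net.ipv4.ip_forward = 1" > "$demo/etc/sysctl.d/99-router.conf"  # persistent setting
forwarding_status "$demo"   # on-persistent
rm -rf "$demo"
```

On the router itself, `forwarding_status ""` reads the real /proc and /etc paths. "on-volatile" is the state to watch for on a box that was fixed interactively: the forwards work until the next reboot and then silently stop.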

