iptables - enable port forwarding from internal network

hjalmars · 06-26-2011, 03:17 AM

I've got a ubuntu server (11.04) installation with routing using iptables running, it all works well, even port forwarding.

Now what I would like to do is enable the "port forwarding" rules on the internal network.

i.e. I have a https-webserver on a internal box at 10.255.72.3:444, I can reach this using https://<domain>:444 perfectly from the outside
And I can reach a Win7 (RDP) machine with <domain>:33891 (translates to 10.255.72.21:3389).

I would like to be able to reach both the https-server and rdp from the inside network using the same addresses, https://<domain>:444 and <domain>:33891.

I know there's a way to accomplish this. I remember on a old opensuse-installation, this was the default behavior.
I installed the new openSUSE to test but they've "disabled" it now.

My setup:
eth0 - Internet
eth1 - 10.255.71.0/24
eth2 - Internal 10.255.72.0/24 (IP: 10.255.72.254)

I've got things working so that I can access the Internet and 10.255.71.0-network from the internal 10.255.72.0.

My ip-tables config:

Code:

# Generated by iptables-save v1.4.10 on Sun Jun 26 10:09:30 2011
*nat
:PREROUTING ACCEPT [21:1994]
:INPUT ACCEPT [17:1685]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 10.255.72.2 
-A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 10.255.72.3 
-A PREROUTING -p tcp -m tcp --dport 222 -j DNAT --to-destination 10.255.72.254:22 
-A PREROUTING -p tcp -m tcp --dport 444 -j DNAT --to-destination 10.255.72.3 
-A PREROUTING -p tcp -m tcp --dport 33891 -j DNAT --to-destination 10.255.72.3:3389 
-A POSTROUTING -o eth0 -j MASQUERADE 
-A POSTROUTING -o eth1 -j MASQUERADE 
COMMIT
# Completed on Sun Jun 26 10:09:30 2011
# Generated by iptables-save v1.4.10 on Sun Jun 26 10:09:30 2011
*filter
:INPUT ACCEPT [870:75617]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [468:51729]
-A FORWARD -s 10.255.72.0/24 -i eth2 -j ACCEPT 
-A FORWARD -d 10.255.72.0/24 -i eth0 -j ACCEPT 
-A FORWARD -d 10.255.72.0/24 -i eth1 -j ACCEPT 
COMMIT
# Completed on Sun Jun 26 10:09:30 2011

The weird thing about this setup is that I can access the SSH on the router using <domain>:222, both from the outside AND inside! This is the behavior i want on the other port-forwards to. CORRECTION Nope I cannot, I can however reach it with 10.255.72.254:222 from the inside.

Any help appreciated!

lazydog · 06-26-2011, 11:03 AM

You need to allow FORWARDing of packets from one interface to the other.

hjalmars · 06-26-2011, 03:25 PM

Quote:

Originally Posted by lazydog

You need to allow FORWARDing of packets from one interface to the other.

Thanks for your reply!

Doesn't this allow forwarding of packets to and from 10.255.72.0/24 (eth2)?

Code:

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
31566   18M ACCEPT     all  --  eth2   *       10.255.72.0/24       0.0.0.0/0           
30479 3344K ACCEPT     all  --  eth0   *       0.0.0.0/0            10.255.72.0/24      
    0     0 ACCEPT     all  --  eth1   *       0.0.0.0/0            10.255.72.0/24      
    0     0 ACCEPT     all  --  eth2   *       0.0.0.0/0            10.255.72.0/24

I tested with:

Code:

iptables -P FORWARD ACCEPT

but this didn't change anything (that I noticed) so I reverted to DROP.

Here's my iptables -L -v -n:

Code:

Chain INPUT (policy ACCEPT 36 packets, 4359 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
31684   18M ACCEPT     all  --  eth2   *       10.255.72.0/24       0.0.0.0/0           
30665 3362K ACCEPT     all  --  eth0   *       0.0.0.0/0            10.255.72.0/24      
    0     0 ACCEPT     all  --  eth1   *       0.0.0.0/0            10.255.72.0/24      
    0     0 ACCEPT     all  --  eth2   *       0.0.0.0/0            10.255.72.0/24      

Chain OUTPUT (policy ACCEPT 17 packets, 1068 bytes)
 pkts bytes target     prot opt in     out     source               destination

Here's my iptables -t nat -L -v -n

Code:

Chain PREROUTING (policy ACCEPT 3635 packets, 357K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    9   484 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3389 to:10.255.72.2 
  717 40332 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 to:10.255.72.3 
    8   480 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:222 to:10.255.72.254:22 
   34  2024 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:444 to:10.255.72.3 
    2   120 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:33891 to:10.255.72.3:3389 

Chain INPUT (policy ACCEPT 3272 packets, 331K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 6 packets, 416 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 752 packets, 42360 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  413 29657 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0