LinuxQuestions.org
Old 06-26-2011, 03:17 AM   #1
hjalmars
LQ Newbie
 
Registered: Jan 2006
Posts: 3

Rep: Reputation: 0
iptables - enable port forwarding from internal network


I've got an Ubuntu server (11.04) installation with routing using iptables running; it all works well, even port forwarding.

Now what I would like to do is enable the "port forwarding" rules on the internal network.

i.e. I have a https-webserver on an internal box at 10.255.72.3:444, I can reach this using https://<domain>:444 perfectly from the outside
And I can reach a Win7 (RDP) machine with <domain>:33891 (translates to 10.255.72.21:3389).

I would like to be able to reach both the https-server and rdp from the inside network using the same addresses, https://<domain>:444 and <domain>:33891.

I know there's a way to accomplish this. I remember on an old openSUSE installation, this was the default behavior.
I installed the new openSUSE to test but they've "disabled" it now.

My setup:
eth0 - Internet
eth1 - 10.255.71.0/24
eth2 - Internal 10.255.72.0/24 (IP: 10.255.72.254)

I've got things working so that I can access the Internet and 10.255.71.0-network from the internal 10.255.72.0.

My iptables config:

Code:
# Generated by iptables-save v1.4.10 on Sun Jun 26 10:09:30 2011
*nat
:PREROUTING ACCEPT [21:1994]
:INPUT ACCEPT [17:1685]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 10.255.72.2 
-A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 10.255.72.3 
-A PREROUTING -p tcp -m tcp --dport 222 -j DNAT --to-destination 10.255.72.254:22 
-A PREROUTING -p tcp -m tcp --dport 444 -j DNAT --to-destination 10.255.72.3 
-A PREROUTING -p tcp -m tcp --dport 33891 -j DNAT --to-destination 10.255.72.3:3389 
-A POSTROUTING -o eth0 -j MASQUERADE 
-A POSTROUTING -o eth1 -j MASQUERADE 
COMMIT
# Completed on Sun Jun 26 10:09:30 2011
# Generated by iptables-save v1.4.10 on Sun Jun 26 10:09:30 2011
*filter
:INPUT ACCEPT [870:75617]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [468:51729]
-A FORWARD -s 10.255.72.0/24 -i eth2 -j ACCEPT 
-A FORWARD -d 10.255.72.0/24 -i eth0 -j ACCEPT 
-A FORWARD -d 10.255.72.0/24 -i eth1 -j ACCEPT 
COMMIT
# Completed on Sun Jun 26 10:09:30 2011
The weird thing about this setup is that I can access the SSH on the router using <domain>:222, both from the outside AND inside! This is the behavior I want on the other port-forwards too. CORRECTION: Nope, I cannot. I can however reach it with 10.255.72.254:222 from the inside.

Any help appreciated!

Last edited by hjalmars; 06-26-2011 at 04:25 AM.
 
Old 06-26-2011, 11:03 AM   #2
lazydog
Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Kubuntu Sabayon Peppermint
Posts: 46

Rep: Reputation: 4
You need to allow FORWARDing of packets from one interface to the other.
 
Old 06-26-2011, 03:25 PM   #3
hjalmars
LQ Newbie
 
Registered: Jan 2006
Posts: 3

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by lazydog View Post
You need to allow FORWARDing of packets from one interface to the other.
Thanks for your reply!

Doesn't this allow forwarding of packets to and from 10.255.72.0/24 (eth2)?
Code:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
31566   18M ACCEPT     all  --  eth2   *       10.255.72.0/24       0.0.0.0/0           
30479 3344K ACCEPT     all  --  eth0   *       0.0.0.0/0            10.255.72.0/24      
    0     0 ACCEPT     all  --  eth1   *       0.0.0.0/0            10.255.72.0/24      
    0     0 ACCEPT     all  --  eth2   *       0.0.0.0/0            10.255.72.0/24
I tested with:
Code:
iptables -P FORWARD ACCEPT
but this didn't change anything (that I noticed) so I reverted to DROP.

Here's my iptables -L -v -n:
Code:
Chain INPUT (policy ACCEPT 36 packets, 4359 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
31684   18M ACCEPT     all  --  eth2   *       10.255.72.0/24       0.0.0.0/0           
30665 3362K ACCEPT     all  --  eth0   *       0.0.0.0/0            10.255.72.0/24      
    0     0 ACCEPT     all  --  eth1   *       0.0.0.0/0            10.255.72.0/24      
    0     0 ACCEPT     all  --  eth2   *       0.0.0.0/0            10.255.72.0/24      

Chain OUTPUT (policy ACCEPT 17 packets, 1068 bytes)
 pkts bytes target     prot opt in     out     source               destination
Here's my iptables -t nat -L -v -n
Code:
Chain PREROUTING (policy ACCEPT 3635 packets, 357K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    9   484 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3389 to:10.255.72.2 
  717 40332 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 to:10.255.72.3 
    8   480 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:222 to:10.255.72.254:22 
   34  2024 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:444 to:10.255.72.3 
    2   120 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:33891 to:10.255.72.3:3389 

Chain INPUT (policy ACCEPT 3272 packets, 331K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 6 packets, 416 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 752 packets, 42360 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  413 29657 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
 
Old 06-27-2011, 01:01 PM   #4
lazydog
Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Kubuntu Sabayon Peppermint
Posts: 46

Rep: Reputation: 4
You need to tell the system that it is allowed to forward packets. This is done in 2 ways.

Turn on immediately:

Code:
# takes effect immediately, but is lost on reboot (run as root)
echo 1 > /proc/sys/net/ipv4/ip_forward
Always on even after reboot:

Code:
# add this line to /etc/sysctl.conf, then load it with: sysctl -p
net.ipv4.ip_forward = 1
To check the status of forwarding:

Code:
cat /proc/sys/net/ipv4/ip_forward
Then you still need the forward statements in iptables for it to forward also.
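Added example, not part of the thread: the POSTROUTING rule the setup in the first post is missing. A LAN client that connects to <domain>:444 is DNATed to 10.255.72.3 (the DNAT rules match any interface), but 10.255.72.3 then answers the client directly on the same subnet, so the client sees a reply from an address it never contacted and the connection fails; masquerading the source on the way out of eth2 makes the server answer the router, which reverses both translations (the existing FORWARD rule for eth2 already accepts the eth2-to-eth2 hop). It assumes the addresses from the posted nat table (LAN 10.255.72.0/24 on eth2, router 10.255.72.254, DNAT targets 10.255.72.3:444 and 10.255.72.3:3389); the function names are mine.

```shell
#!/bin/sh
# Hairpin (NAT loopback) rules for the setup in the first post.
# Assumed from the posted iptables-save dump: LAN 10.255.72.0/24 on eth2,
# DNAT targets 10.255.72.3:444 (https) and 10.255.72.3:3389 (rdp).
LAN_IF=eth2
LAN_NET=10.255.72.0/24

# Emit the hairpin rule for one forwarded port. POSTROUTING runs after
# PREROUTING's DNAT, so we match the already-rewritten destination and
# masquerade the LAN client's source behind the router's eth2 address.
hairpin_rule() {
    # $1 = destination host after DNAT, $2 = destination port after DNAT
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -d %s -p tcp --dport %s -j MASQUERADE\n' \
        "$LAN_IF" "$LAN_NET" "$1" "$2"
}

# All hairpin rules needed for the port forwards in the thread.
hairpin_rules() {
    hairpin_rule 10.255.72.3 444    # https: DNAT keeps port 444
    hairpin_rule 10.255.72.3 3389   # rdp: DNAT 33891 -> 3389
}

# Returns 0 when a client and a DNAT target sit on the same LAN (the case
# where the reply would bypass the router), 1 otherwise. /24 only, as above.
needs_hairpin() {
    # $1 = client IP, $2 = DNAT target IP
    prefix=${LAN_NET%.*}                       # "10.255.72"
    case "$1:$2" in
        "$prefix".*:"$prefix".*) return 0 ;;   # same subnet: hairpin needed
        *) return 1 ;;                         # client outside: plain DNAT works
    esac
}

# "apply" loads the rules (requires root); the default only prints them.
if [ "${1:-print}" = apply ]; then
    hairpin_rules | sh -e
else
    hairpin_rules
fi
```

Rules stay in effect until reboot; add them to wherever the rest of the ruleset is restored from (e.g. the iptables-save file) to keep them.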
 