Old 05-12-2004, 12:30 AM   #1
SirGertrude
Member
 
Registered: May 2004
Location: Missouri
Distribution: Gentoo
Posts: 59

Rep: Reputation: 15
iptables + NAT + Port forwarding problem


Hi, I am having some trouble forwarding ports one my Gentoo router. Everything is working great except for the port forwarding. I figure it is probably a stupid mistake, but time is a factor here and I have not been able to come up with my own solution thus far. Any help would be greatly appreciated.

The goal: Forward external ports (eth0 12.215.xxx.xxx) to internal IP addresses (eth1 192.168.1.0/24). I am mainly concerned with port 80.

My current script:
Code:
#----Flush Old Rules----#
iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t mangle
iptables -F -t nat
iptables -X

#----Set Default Policies----#
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

#------Turn on NAT------#
iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE

#----Enable IP forwarding (of incoming packets)----#
echo 1 > /proc/sys/net/ipv4/ip_forward

#----Port Forwarding----#
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.1.4:80
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2 -j DNAT --to 192.168.1.2:2
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3 -j DNAT --to 192.168.1.3:3
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 4 -j DNAT --to 192.168.1.4:4

#----NAT Firewall----#
iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#----Masq to Gateway----#
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth1 -d 192.168.1.1 -p all -j ACCEPT

#----Net to Local----#
iptables -A INPUT -i eth0 -s 0/0 -d 0/0 -p tcp --dport 3784 -j ACCEPT
iptables -A INPUT -i eth0 -s 0/0 -d 0/0 -p tcp --dport 10000 -j ACCEPT
iptables -A INPUT -i eth0 -s 0/0 -d 0/0 -p tcp --dport 22 -j ACCEPT

#----Drop other Junk----#
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
iptables -A INPUT -p icmp -j DROP
iptables -A INPUT -p udp --sport 137 --dport 137 -j DROP
Again, any help is greatly appreciated. Thanks.
 
Old 05-12-2004, 03:49 AM   #2
jslmg
Member
 
Registered: Apr 2004
Distribution: Ubuntu 7.10
Posts: 31

Rep: Reputation: 15
SirGertrude,

Are you using a Gentoo Linux distribution, or another, such as RedHat?
 
Old 05-12-2004, 06:31 AM   #3
maxut
Senior Member
 
Registered: May 2003
Location: istanbul
Distribution: debian - redhat - others
Posts: 1,188

Rep: Reputation: 50
try
#iptables -t nat -I PREROUTING ...
instead of
#iptables -t nat -A PREROUTING ..
 
Old 05-12-2004, 12:42 PM   #4
SirGertrude
Member
 
Registered: May 2004
Location: Missouri
Distribution: Gentoo
Posts: 59

Original Poster
Rep: Reputation: 15
yes, I am using Gentoo.

I tried using "iptables -t nat -I PREROUTING..." instead of "iptables -t nat -A PREROUTING..." and had no luck. Thanks for the idea.
 
Old 05-12-2004, 10:09 PM   #5
phatboyz
Member
 
Registered: Feb 2004
Location: Mooresville NC
Distribution: CentOS 4,Free BSD,
Posts: 358

Rep: Reputation: 30
Port 80? Seems like you want to serve HTTP requests? Most ISPs block this port from the outside. Most of the time you can't get away with it. If you use a different port it should work.
 
Old 05-12-2004, 11:03 PM   #6
SirGertrude
Member
 
Registered: May 2004
Location: Missouri
Distribution: Gentoo
Posts: 59

Original Poster
Rep: Reputation: 15
I wondered that also... I set up a webserver on the router and allowed connections to port 80 and was able to connect. I also use ports 2-4 for other traffic, which I am unable to connect to. I am sure it is a problem with my configuration on the linux box itself, but I cannot figure out where.

Thanks for the input.
 
Old 05-13-2004, 02:38 AM   #7
maxut
Senior Member
 
Registered: May 2003
Location: istanbul
Distribution: debian - redhat - others
Posts: 1,188

Rep: Reputation: 50
try http://iptables-script.dk/index1.php to make sure that the trouble is from iptables.
 
Old 05-13-2004, 09:14 PM   #8
SirGertrude
Member
 
Registered: May 2004
Location: Missouri
Distribution: Gentoo
Posts: 59

Original Poster
Rep: Reputation: 15
maxnut,

I went to the website you recommended and had a custom script created. It worked great! I moved several lines from my old script to the new one and it is running beautifully. I compared the two and the only difference I noticed was the default policy "iptables -P FORWARD DROP" in the working script and the order of the commands. I assume one of those issues was causing my problem. Thank you for the help.

BTW... I would highly recommend http://iptables-script.dk/index1.php to others who are attempting to set up a NAT router. I wish I had known about it before I wasted all that time troubleshooting my script.
 
Old 05-14-2004, 02:51 AM   #9
maxut
Senior Member
 
Registered: May 2003
Location: istanbul
Distribution: debian - redhat - others
Posts: 1,188

Rep: Reputation: 50
he he maxnut?? who is it? my nick is maxut.
I am glad to hear that you solved your trouble.
 
Old 05-14-2004, 05:02 AM   #10
yvesg
Member
 
Registered: May 2004
Distribution: SuSe v9.3 Professional
Posts: 33

Rep: Reputation: 15
perhaps your ISP is blocking access to port 80, to prevent you from running a webserver ...
I know over here in Belgium, my ISP blocks all ports below 1024; this is also done for security reasons.

try to run your webserver on a higher port, like 2080.

You can also redirect your traffic, so you won't have to reconfigure your webserver. The requests are coming in at 2080, and are being redirected to your internal network to port 80.
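Putting the two fixes from posts #8 and #10 together, here is an added example (not the thread's script and not the generator's output): a ruleset with FORWARD defaulting to DROP, an explicit ACCEPT for connections the DNAT rule has already rewritten to the LAN web server, and the external 2080 to internal 80 redirect. The reason the first script in post #1 never delivered the traffic is visible in its FORWARD chain: DNAT runs in PREROUTING, before FORWARD, so the rule dropping every NEW connection arriving on eth0 also matches the packets already rewritten to 192.168.1.4. Interface names, the LAN range, the web server address and the 2080 port are assumptions taken from the posts above.

```shell
#!/bin/sh
# Added example, not the thread's script: NAT router with a DROP default on
# FORWARD plus explicit ACCEPTs for the DNATed web traffic. The interface
# names, LAN range and web server address are assumptions taken from post #1;
# the external 2080 -> internal 80 redirect follows post #10.
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
WEB="${WEB:-192.168.1.4}"

# run: execute the command, or only print it when DRY_RUN is set (review mode)
run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

fw_apply() {
    run iptables -F; run iptables -t nat -F; run iptables -t mangle -F; run iptables -X
    # Deny by default on INPUT and FORWARD; only listed traffic is routed.
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
    # The router itself: loopback, replies, the LAN side, SSH from the WAN.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$LAN" -s "$LAN_NET" -j ACCEPT
    run iptables -A INPUT -i "$WAN" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    # Masquerade LAN clients behind the WAN address.
    run iptables -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    # DNAT happens in PREROUTING: external :80 and :2080 both land on WEB:80.
    run iptables -t nat -A PREROUTING -i "$WAN" -p tcp --dport 80 -j DNAT --to-destination "$WEB:80"
    run iptables -t nat -A PREROUTING -i "$WAN" -p tcp --dport 2080 -j DNAT --to-destination "$WEB:80"
    # FORWARD sees the already-rewritten destination, so accept it explicitly.
    # A blanket "drop NEW from WAN" placed before this rule would eat it.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$WEB" --dport 80 \
        -m conntrack --ctstate NEW -j ACCEPT
    run sysctl -w net.ipv4.ip_forward=1
}

# fw_forward_rules: print the FORWARD chain as it would be loaded, for review
fw_forward_rules() { (DRY_RUN=1; fw_apply) | grep -- '-A FORWARD'; }

# Load the rules only when invoked as: sh thisscript.sh apply
if [ "${1:-}" = "apply" ]; then fw_apply; fi
```

Run it with DRY_RUN=1 first to read the generated commands; the ordering of the FORWARD rules is the part worth checking before loading them on a live router.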
 