Old 10-25-2005, 03:52 PM   #1
hamish
Member
 
Registered: Aug 2003
Location: Edinburgh
Distribution: Server: Gentoo2004; Desktop: Ubuntu
Posts: 720

Rep: Reputation: 30
iptables on router: simple port forwarding not working


Hello

I have managed to get port forwarding working once before, but I cannot get it working this time.

I have a linux router and I have a server inside my local area. I would like to be able to SSH (later use HTTP as well) into this server by port forwarding a port to the server.

I was under the impression that these two lines would have been sufficient:
Code:
iptables --protocol tcp -t nat -A PREROUTING -i ppp0 --dport 1234 -j DNAT --to-destination 10.0.0.2:22
iptables -A FORWARD -i ppp0 -p TCP --dport 1234 -j ACCEPT
But they seem not to be. Can anyone see any reason why that wouldn't work to forward port 1234 to port 22 on the server (10.0.0.2)?

Below is the complete iptables script I use:

Code:
#!/bin/sh

echo -e "\n\nSETTING UP IPTABLES FIREWALL..."


# Enter the designation for the Internal Interface's
INTIF="eth0"

# Enter the NETWORK address the Internal Interface is on
INTNET="10.0.0.0/8"

# Enter the IP address of the Internal Interface
INTIP="10.0.0.1"

EXTIF="ppp0"

EXTIP="`/sbin/ifconfig ppp0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"

# --------  No more variable setting beyond this point  --------


echo "Loading required stateful/NAT kernel modules..."

/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc

echo "    Enabling IP forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo "    External interface: $EXTIF"
echo "       External interface IP address is: $EXTIP"
echo "    Loading firewall server rules..."

UNIVERSE="0.0.0.0/0"

# Clear any existing rules and setting default policy to DROP
#iptables -P INPUT DROP
iptables -F INPUT
#iptables -P OUTPUT DROP
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -F -t nat

# Flush the user chain.. if it exists
if [ "`iptables -L | grep drop-and-log-it`" ]; then
   iptables -F drop-and-log-it
fi

# Delete all User-specified chains
iptables -X

# Reset all IPTABLES counters
iptables -Z

# Creating a DROP chain
iptables -N drop-and-log-it
iptables -A drop-and-log-it -j LOG --log-level info
iptables -A drop-and-log-it -j REJECT

echo -e "     - Loading INPUT rulesets"

#######################################################################
# INPUT: Incoming traffic from various interfaces.  All rulesets are
#        already flushed and set to a default policy of DROP.
#

# loopback interfaces are valid.
iptables -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

# local interface, local machines, going anywhere is valid
iptables -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT

# remote interface, claiming to be local machines, IP spoofing, get lost
iptables -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it

# remote interface, any source, going to permanent PPP address is valid
iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT

# Allow any related traffic coming back to the MASQ server in
iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT


# Catch all rule, all other incoming is denied and logged.
iptables -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it

iptables -A INPUT --in-interface $INTIF -p tcp --destination-port 22 -j ACCEPT
#iptables -A INPUT --in-interface $INTIF -p tcp -m multiport --destination-ports 135,139,445 -j ACCEPT

echo -e "     - Loading OUTPUT rulesets"

#######################################################################
# OUTPUT: Outgoing traffic from various interfaces.  All rulesets are
#         already flushed and set to a default policy of DROP.
#

# loopback interface is valid.
iptables -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

# local interfaces, any source going to local net is valid
iptables -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT

# local interface, any source going to local net is valid
iptables -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT

# outgoing to local net on remote interface, stuffed routing, deny
iptables -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it

# anything else outgoing on remote interface is valid
iptables -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT

# Catch all rule, all other outgoing is denied and logged.
iptables -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it


echo -e "     - Loading FORWARD rulesets"

#######################################################################
# FORWARD: Enable Forwarding and thus IPMASQ
#          Allow all connections OUT and only existing/related IN

iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

# Catch all rule, all other forwarding is denied and logged.
iptables -A FORWARD -j drop-and-log-it

# Enable SNAT (MASQUERADE) functionality on $EXTIF
#iptables -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP
iptables -t nat -A POSTROUTING -s $INTNET -j MASQUERADE

iptables --protocol tcp -t nat -A PREROUTING -i ppp0 --dport 1234 -j DNAT --to-destination 10.0.0.2:22
iptables -A FORWARD -i ppp0 -p TCP --dport 1234 -j ACCEPT

echo -e "    Firewall server rule loading complete\n\n"
Thank you in advance for your help.
hamish
 
Old 10-27-2005, 06:06 AM   #2
demian
Member
 
Registered: Apr 2001
Location: Bremen, Germany
Distribution: Debian
Posts: 303

Rep: Reputation: 30
Re: iptables on router: simple port forwarding not working

Quote:
Originally posted by hamish
I was under the impression that these two lines would have been sufficient:
Code:
iptables --protocol tcp -t nat -A PREROUTING -i ppp0 --dport 1234 -j DNAT --to-destination 10.0.0.2:22
iptables -A FORWARD -i ppp0 -p TCP --dport 1234 -j ACCEPT
The second line is your problem. Any packet manipulation in the PREROUTING chain is done, well, before the routing decision is made. So after the packets traverse the PREROUTING chain what the rest of the script sees is a packet from the client machine destined for IP 10.0.0.2 tcp port 22. So in the FORWARD chain you need to ACCEPT packets for that destination:
Code:
iptables -A FORWARD -i ppp0 -p tcp --dport 22 -j ACCEPT

Another thing:
Code:
# remote interface, any source, going to permanent PPP address is valid
iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT
Are you sure you want this? This makes your firewall accept any connections from any host on the internet, meaning, it's not really a firewall after all. (Well, it is for hosts on your LAN but the firewall box itself is wide open.)
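The traversal demian describes, worked through in code. This is an added example, not code from either post: a small model of the nat PREROUTING chain, the routing decision, and the filter FORWARD chain, evaluated first-match-wins as iptables does. It feeds the packet hamish is trying to forward (TCP to the router's external address, port 1234, arriving on ppp0) through the rules exactly as the posted script appends them, and then through the FORWARD chain with the rule corrected to the post-DNAT port 22. Because the posted script appends its FORWARD rule after the `drop-and-log-it` catch-all, the corrected rule is placed ahead of that catch-all in the fixed chain; in iptables terms that means `-I FORWARD` or moving the line up. The external address 203.0.113.10 is a constructed placeholder for `$EXTIP`; the `drop-and-log-it` user chain is modelled as its terminating REJECT.

```python
"""Model of netfilter traversal for a DNAT port-forward (added example)."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

INTNET = ip_network("10.0.0.0/8")     # $INTNET from the posted script
EXTIP = ip_address("203.0.113.10")    # constructed placeholder for $EXTIP (ppp0 address)


@dataclass(frozen=True)
class Packet:
    in_iface: str
    proto: str
    dst: str
    dport: int
    state: str = "NEW"
    out_iface: Optional[str] = None   # filled in by the routing decision


@dataclass(frozen=True)
class Rule:
    target: str                       # ACCEPT, DNAT, or a user chain name
    in_iface: Optional[str] = None
    out_iface: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    states: Optional[frozenset] = None
    to_dest: Optional[str] = None     # "ip:port" for DNAT

    def matches(self, p: Packet) -> bool:
        return ((self.in_iface is None or self.in_iface == p.in_iface)
                and (self.out_iface is None or self.out_iface == p.out_iface)
                and (self.proto is None or self.proto.lower() == p.proto.lower())
                and (self.dport is None or self.dport == p.dport)
                and (self.states is None or p.state in self.states))


def run_chain(rules, pkt, policy):
    """First matching rule wins, as in iptables. Returns (verdict, packet)."""
    for r in rules:
        if r.matches(pkt):
            if r.target == "DNAT":
                ip, port = r.to_dest.rsplit(":", 1)
                return "DNAT", replace(pkt, dst=ip, dport=int(port))
            return r.target, pkt
    return policy, pkt


def route(pkt):
    """Routing decision happens after PREROUTING, on the rewritten destination."""
    dst = ip_address(pkt.dst)
    if dst == EXTIP:
        return "INPUT", pkt                       # local delivery, FORWARD never sees it
    out = "eth0" if dst in INTNET else "ppp0"
    return "FORWARD", replace(pkt, out_iface=out)


def deliver(pkt, prerouting, forward):
    _, pkt = run_chain(prerouting, pkt, "ACCEPT")   # nat PREROUTING, policy ACCEPT
    hook, pkt = route(pkt)
    if hook == "INPUT":
        return "INPUT"
    verdict, _ = run_chain(forward, pkt, "DROP")    # filter FORWARD, policy DROP
    return "REJECT" if verdict == "drop-and-log-it" else verdict


PREROUTING = [Rule("DNAT", in_iface="ppp0", proto="tcp", dport=1234, to_dest="10.0.0.2:22")]

# FORWARD chain in the order the posted script appends it.
FORWARD_ORIGINAL = [
    Rule("ACCEPT", in_iface="ppp0", out_iface="eth0", states=frozenset({"ESTABLISHED", "RELATED"})),
    Rule("ACCEPT", in_iface="eth0", out_iface="ppp0"),
    Rule("drop-and-log-it"),                                    # catch-all
    Rule("ACCEPT", in_iface="ppp0", proto="tcp", dport=1234),   # the rule hamish asked about
]

# demian's correction: match the post-DNAT port 22, and sit ahead of the catch-all.
FORWARD_FIXED = [
    FORWARD_ORIGINAL[0],
    FORWARD_ORIGINAL[1],
    Rule("ACCEPT", in_iface="ppp0", proto="tcp", dport=22),
    Rule("drop-and-log-it"),
]

# Constructed sample: a new SSH connection from the internet to EXTIP:1234.
SSH_FROM_INTERNET = Packet(in_iface="ppp0", proto="tcp", dst=str(EXTIP), dport=1234)


def after_dnat():
    """Destination FORWARD actually sees: ('10.0.0.2', 22), not EXTIP:1234."""
    _, p = run_chain(PREROUTING, SSH_FROM_INTERNET, "ACCEPT")
    return p.dst, p.dport


def rule_1234_matches():
    """Does the posted '--dport 1234' FORWARD rule match the post-DNAT packet? No."""
    _, p = run_chain(PREROUTING, SSH_FROM_INTERNET, "ACCEPT")
    _, p = route(p)
    return FORWARD_ORIGINAL[3].matches(p)


def original_verdict():
    return deliver(SSH_FROM_INTERNET, PREROUTING, FORWARD_ORIGINAL)   # "REJECT"


def fixed_verdict():
    return deliver(SSH_FROM_INTERNET, PREROUTING, FORWARD_FIXED)      # "ACCEPT"


if __name__ == "__main__":
    print("after DNAT:", after_dnat())
    print("--dport 1234 rule matches:", rule_1234_matches())
    print("original FORWARD verdict:", original_verdict())
    print("fixed FORWARD verdict:", fixed_verdict())
```

Running it shows the two things a practitioner wants to confirm before touching the real ruleset: the FORWARD chain only ever sees the rewritten destination (10.0.0.2, port 22), so a `--dport 1234` match there can never fire, and a corrected rule still has to be evaluated before the chain's catch-all, which is why `iptables -L FORWARD -n --line-numbers` is worth checking after any append.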