LinuxQuestions.org
View the Most Wanted LQ Wiki articles.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
Search this Thread
Old 08-19-2010, 05:22 AM   #1
leosophy
LQ Newbie
 
Registered: Aug 2010
Location: H.K. SAR
Posts: 11

Rep: Reputation: 0
Unhappy iptables port forward issue


I have a iptables issue, environment as follow:
1, Server R - 192.168.0.1 (ext. router) , ext ip (202.123.123.1)
2, Server W - 192.168.0.21 (web server)

Server R need a NAT.(ipforward)

Server W serve the portforward(port 80) from Server R

I have succesfully setup the prerouting and postrouting via the following iptables command:
/sbin/iptables -t nat -A POSTROUTING -j MASQUERADE

But, my web server's log, all the web request are using Server R's ipaddress 192.168.0.1 for recording(httpd.access log), so I can't get the external ip...

I think it's postrouting problems, but I can't find out the solutions event using SNAT(maybe wrong config), I think the MASQUERADE changing all the source ip.

Please help!!!
 
Old 08-19-2010, 12:08 PM   #2
TheMadIndian
Member
 
Registered: Dec 2007
Distribution: Fedora Slackware CentOS slax RHEL
Posts: 114

Rep: Reputation: 23
Quote:
Originally Posted by leosophy View Post
I have a iptables issue, environment as follow:
1, Server R - 192.168.0.1 (ext. router) , ext ip (202.123.123.1)
2, Server W - 192.168.0.21 (web server)

Server R need a NAT.(ipforward)

Server W serve the portforward(port 80) from Server R

I have succesfully setup the prerouting and postrouting via the following iptables command:
/sbin/iptables -t nat -A POSTROUTING -j MASQUERADE

But, my web server's log, all the web request are using Server R's ipaddress 192.168.0.1 for recording(httpd.access log), so I can't get the external ip...

I think it's postrouting problems, but I can't find out the solutions event using SNAT(maybe wrong config), I think the MASQUERADE changing all the source ip.

Please help!!!
if server R 192.168.0.1 = eth0 and 202.123.123.1 = eth1

your iptables rule should be

Code:
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.123.123.1 --dport 80 -j DNAT --to-destination 192.168.0.21

Last edited by TheMadIndian; 08-19-2010 at 12:09 PM.
 
Old 08-19-2010, 12:34 PM   #3
leosophy
LQ Newbie
 
Registered: Aug 2010
Location: H.K. SAR
Posts: 11

Original Poster
Rep: Reputation: 0
Unhappy Web guest source address problems..

Thanks TheMadIndian!

My problems is not the PREROUTING, the port forward is no problems.

After doing the port forward, the source ip to web server is "192.168.0.1" which is charging the guest external ip address.

So I think the problem is come from postrouting.

Current script:
Code:
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.123.123.1 --dport 80 -j DNAT --to-destination 192.168.0.21
/sbin/iptables -t nat -A POSTROUTING -j MASQUERADE
If I don't use postrouting script
"/sbin/iptables -t nat -A POSTROUTING -j MASQUERADE"
, then web redirection is fail.

So strange..


Quote:
Originally Posted by TheMadIndian View Post
if server R 192.168.0.1 = eth0 and 202.123.123.1 = eth1

your iptables rule should be

Code:
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.123.123.1 --dport 80 -j DNAT --to-destination 192.168.0.21
 
Old 08-19-2010, 01:32 PM   #4
TheMadIndian
Member
 
Registered: Dec 2007
Distribution: Fedora Slackware CentOS slax RHEL
Posts: 114

Rep: Reputation: 23
Quote:
Originally Posted by leosophy View Post
Thanks TheMadIndian!

My problems is not the PREROUTING, the port forward is no problems.

After doing the port forward, the source ip to web server is "192.168.0.1" which is charging the guest external ip address.

So I think the problem is come from postrouting.

Current script:
Code:
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.123.123.1 --dport 80 -j DNAT --to-destination 192.168.0.21
/sbin/iptables -t nat -A POSTROUTING -j MASQUERADE
If I don't use postrouting script
"/sbin/iptables -t nat -A POSTROUTING -j MASQUERADE"
, then web redirection is fail.

So strange..
Can you send me or post your whole script?
 
Old 08-19-2010, 01:37 PM   #5
TheMadIndian
Member
 
Registered: Dec 2007
Distribution: Fedora Slackware CentOS slax RHEL
Posts: 114

Rep: Reputation: 23
a real quick example

Code:
#!/bin/bash

iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t mangle
iptables -F -t nat
iptables -X


echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.123.123.1 --dport 80 -j DNAT --to-destination 192.168.0.21
 
Old 08-19-2010, 01:43 PM   #6
leosophy
LQ Newbie
 
Registered: Aug 2010
Location: H.K. SAR
Posts: 11

Original Poster
Rep: Reputation: 0
Unhappy iptables config and nat script

Hi TheMadIndian,

I'm using Fedora release 12 (Constantine).

eth1 = 202.123.123.1
eth0 = 192.168.0.1

iptables script
/etc/sysconfig/iptables
Code:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6844:428603]
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth1 -j DROP
-A FORWARD -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
NAT script
Code:
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
/sbin/iptables -t nat -F
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.0.21:80
/sbin/iptables -t nat -A PREROUTING -i eth0 -d 202.123.123.1 -p tcp --dport 80 -j DNAT --to 192.168.0.21:80
/sbin/iptables -t nat -A POSTROUTING -j MASQUERADE
echo "1" > /proc/sys/net/ipv4/ip_forward
Thanks!!

Quote:
Originally Posted by TheMadIndian View Post
Can you send me or post your whole script?

Last edited by leosophy; 08-19-2010 at 01:45 PM.
 
Old 08-19-2010, 01:54 PM   #7
TheMadIndian
Member
 
Registered: Dec 2007
Distribution: Fedora Slackware CentOS slax RHEL
Posts: 114

Rep: Reputation: 23
Quote:
Originally Posted by leosophy View Post
Hi TheMadIndian,

I'm using Fedora release 12 (Constantine).

eth1 = 202.123.123.1
eth0 = 192.168.0.1

iptables script
/etc/sysconfig/iptables
Code:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6844:428603]
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth1 -j DROP
-A FORWARD -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
NAT script
Code:
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
/sbin/iptables -t nat -F
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.0.21:80
/sbin/iptables -t nat -A PREROUTING -i eth0 -d 202.123.123.1 -p tcp --dport 80 -j DNAT --to 192.168.0.21:80
/sbin/iptables -t nat -A POSTROUTING -j MASQUERADE
echo "1" > /proc/sys/net/ipv4/ip_forward
Thanks!!
Not sure how this works

Code:
/sbin/iptables -t nat -A PREROUTING -i eth0 -d 202.123.123.1 -p tcp --dport 80 -j DNAT --to 192.168.0.21:80
should be

Code:
/sbin/iptables -t nat -A PREROUTING -i eth1 -d 202.123.123.1 -p tcp --dport 80 -j DNAT --to 192.168.0.21:80
 
Old 08-19-2010, 01:54 PM   #8
TheMadIndian
Member
 
Registered: Dec 2007
Distribution: Fedora Slackware CentOS slax RHEL
Posts: 114

Rep: Reputation: 23
Try running the one I posted real quick to see if that resolves the source IP issue
 
Old 08-19-2010, 03:46 PM   #9
leosophy
LQ Newbie
 
Registered: Aug 2010
Location: H.K. SAR
Posts: 11

Original Poster
Rep: Reputation: 0
Unhappy Same problems

Finish testing... but fail (Can't redirect to my web server.. 404 error).

But If I change the postrouting script as follow:
Code:
iptables -t nat -A POSTROUTING -j MASQUERADE
After remove "-o eth1", then it can redirect to web server. But still showing the "wrong source ipaddress" from apache log(only 192.168.0.1).

Apache Log:
Code:
192.168.0.1 - - [20/Aug/2010:04:48:35 +0800] "GET / HTTP/1.1" 200 22890
I wanner 192.168.0.1 be a external guest ip address...

Seems the Postrouting changing the source ipaddress. I'm using another router for port forward, it can show the external ip address from my web server...

So strange..

Quote:
Originally Posted by TheMadIndian View Post
a real quick example

Code:
#!/bin/bash

iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t mangle
iptables -F -t nat
iptables -X


echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.123.123.1 --dport 80 -j DNAT --to-destination 192.168.0.21

Last edited by leosophy; 08-19-2010 at 03:49 PM.
 
Old 08-20-2010, 08:57 AM   #10
TheMadIndian
Member
 
Registered: Dec 2007
Distribution: Fedora Slackware CentOS slax RHEL
Posts: 114

Rep: Reputation: 23
Quote:
Originally Posted by leosophy View Post
Finish testing... but fail (Can't redirect to my web server.. 404 error).

But If I change the postrouting script as follow:
Code:
iptables -t nat -A POSTROUTING -j MASQUERADE
After remove "-o eth1", then it can redirect to web server. But still showing the "wrong source ipaddress" from apache log(only 192.168.0.1).

Apache Log:
Code:
192.168.0.1 - - [20/Aug/2010:04:48:35 +0800] "GET / HTTP/1.1" 200 22890
I wanner 192.168.0.1 be a external guest ip address...

Seems the Postrouting changing the source ipaddress. I'm using another router for port forward, it can show the external ip address from my web server...

So strange..
You're running what I sent you as a script and as root correct?

I just ran that script on F11 and F13 and Centos5 and it works and I'm forwarding currently from my F13 router to a windows IIS6 server
note I did change to port 443 because my ISP doesnt allow port 80 on the cable modem so to test external IP getting through I had to use 443

rule
Code:
ifconfig eth1 |grep "inet addr" |awk -F ':' '{print $2}' | awk -F ' ' '{print $1}' > /usr/local/bin/ispIP.txt
ispIP=`cat /usr/local/bin/ispIP.txt`
iptables -t nat -A PREROUTING -p tcp -i eth1 -d $ispIP --dport 443 -j DNAT --to-destination 192.168.252.35
iis log entry
Code:
2010-08-20 13:45:58 W3SVC1132167246 192.168.252.35 GET /Default.aspx - 443 - 65.206.51.78 Wget/1.12+(linux-gnu) 200 0 0
Send me the output of

service iptables status
 
Old 08-20-2010, 10:46 AM   #11
leosophy
LQ Newbie
 
Registered: Aug 2010
Location: H.K. SAR
Posts: 11

Original Poster
Rep: Reputation: 0
Unhappy service iptables status

service iptables status as follow

Some of port forward inside script. Not only web server but also ftp server grep the "router internal ip".

Code:
Table: mangle
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination

Table: nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 to:192.168.0.21:80
2    DNAT       tcp  --  0.0.0.0/0            "ext-ip-addr"      tcp dpt:80 to:192.168.0.21:80
3    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2112 to:192.168.0.21:21
4    DNAT       tcp  --  0.0.0.0/0            "ext-ip-addr"      tcp dpt:2112 to:192.168.0.21:21
5    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2111 to:192.168.0.253:21
6    DNAT       tcp  --  0.0.0.0/0            "ext-ip-addr"      tcp dpt:2111 to:192.168.0.253:21

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:20
8    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21
9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2111
10   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2112
11   DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination


Quote:
Originally Posted by TheMadIndian View Post
You're running what I sent you as a script and as root correct?

I just ran that script on F11 and F13 and Centos5 and it works and I'm forwarding currently from my F13 router to a windows IIS6 server
note I did change to port 443 because my ISP doesnt allow port 80 on the cable modem so to test external IP getting through I had to use 443

rule
Code:
ifconfig eth1 |grep "inet addr" |awk -F ':' '{print $2}' | awk -F ' ' '{print $1}' > /usr/local/bin/ispIP.txt
ispIP=`cat /usr/local/bin/ispIP.txt`
iptables -t nat -A PREROUTING -p tcp -i eth1 -d $ispIP --dport 443 -j DNAT --to-destination 192.168.252.35
iis log entry
Code:
2010-08-20 13:45:58 W3SVC1132167246 192.168.252.35 GET /Default.aspx - 443 - 65.206.51.78 Wget/1.12+(linux-gnu) 200 0 0
Send me the output of

service iptables status
 
Old 08-20-2010, 11:13 AM   #12
TheMadIndian
Member
 
Registered: Dec 2007
Distribution: Fedora Slackware CentOS slax RHEL
Posts: 114

Rep: Reputation: 23
Quote:
Originally Posted by leosophy View Post
service iptables status as follow

Some of port forward inside script. Not only web server but also ftp server grep the "router internal ip".

Code:
Table: mangle
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination

Table: nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 to:192.168.0.21:80
2    DNAT       tcp  --  0.0.0.0/0            "ext-ip-addr"      tcp dpt:80 to:192.168.0.21:80
3    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2112 to:192.168.0.21:21
4    DNAT       tcp  --  0.0.0.0/0            "ext-ip-addr"      tcp dpt:2112 to:192.168.0.21:21
5    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2111 to:192.168.0.253:21
6    DNAT       tcp  --  0.0.0.0/0            "ext-ip-addr"      tcp dpt:2111 to:192.168.0.253:21

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:20
8    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21
9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2111
10   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2112
11   DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
This is bothering me
1 DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:192.168.0.21:80
2 DNAT tcp -- 0.0.0.0/0 "ext-ip-addr" tcp dpt:80 to:192.168.0.21:80


can you run the script I sent and then send me the output of service iptables status please?
 
Old 08-20-2010, 12:04 PM   #13
leosophy
LQ Newbie
 
Registered: Aug 2010
Location: H.K. SAR
Posts: 11

Original Poster
Rep: Reputation: 0
Unhappy Service iptables status (Your script)

Service iptables status (Your script)

Code:
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination

Table: nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    DNAT       tcp  --  0.0.0.0/0            202.123.123.1      tcp dpt:80 to:192.168.0.21:80

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
Quote:
Originally Posted by TheMadIndian View Post
This is bothering me
1 DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:192.168.0.21:80
2 DNAT tcp -- 0.0.0.0/0 "ext-ip-addr" tcp dpt:80 to:192.168.0.21:80


can you run the script I sent and then send me the output of service iptables status please?
 
Old 08-20-2010, 12:11 PM   #14
leosophy
LQ Newbie
 
Registered: Aug 2010
Location: H.K. SAR
Posts: 11

Original Poster
Rep: Reputation: 0
Unhappy About MASQUERADE

Quote from http://www.billauer.co.il/ipmasq-html.html.
14 The wrong way to masquerade
iptables -t nat -A POSTROUTING -j MASQUERADE
This makes masquerading the default policy for any outgoing packet
... including any forwarded packet.
All forwarded packets will appear to come from the masquerading host.
May confuse firewalls
Even worse, may confuse service applications to compromise security

That's why the web redirection is done after running this script. All forwarded packets will appear to come from the masquerading host. So, that's why I only see "192.168.0.1" in all logs..

Even using your script, it's still fail.

Is it the routing problems?



Quote:
Originally Posted by leosophy View Post
Service iptables status (Your script)

Code:
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination

Table: nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    DNAT       tcp  --  0.0.0.0/0            202.123.123.1      tcp dpt:80 to:192.168.0.21:80

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
 
Old 08-20-2010, 12:38 PM   #15
TheMadIndian
Member
 
Registered: Dec 2007
Distribution: Fedora Slackware CentOS slax RHEL
Posts: 114

Rep: Reputation: 23
I just caught this, 202.123.123.1 thats generally a router address, i'd be surprised if thats the address you're getting from the ISP

If eth0 is your local and and eth1 is your internet connection on the router run this

otherwise send me the output of ifconfig

Code:
#!/bin/bash

iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t mangle
iptables -F -t nat
iptables -X

ifconfig eth1 |grep "inet addr" |awk -F ':' '{print $2}' | awk -F ' ' '{print $1}' > /usr/local/bin/ispIP.txt
ispIP=`cat /usr/local/bin/ispIP.txt`

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

iptables -t nat -A PREROUTING -p tcp -i eth1 -d $ispIP --dport 80 -j DNAT --to-destination 192.168.0.21

If this works we'll need to add some rules to lock things down
 
  


Reply

Tags
iptables, portforward


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Iptables can't port forward (PAT Port address translation) sfrederiksen Linux - Networking 7 12-20-2011 10:47 AM
If I forward a port in iptables, does the port have to be open on the firewall? qwertyjjj Linux - Server 4 08-06-2009 09:22 AM
iptables port forward forbese Suse/Novell 1 02-12-2006 02:35 PM
IPTABLES port Forward abhijeetudas Linux - Networking 1 12-02-2005 04:00 AM
How to port forward with IPTABLES... Scrag Linux - Security 6 12-13-2004 04:57 AM


All times are GMT -5. The time now is 01:49 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration