LinuxQuestions.org
01-03-2005, 05:02 AM   #1
NeoTech (LQ Newbie, Distribution: Debian - 2.4.28 kernel)
IPTables port forwarding


I'm running a Debian Woody server with kernel 2.4.28, with iptables hardcoded (not modules).
I have the Internet on eth1 and the LAN on eth0.

I have a box at LAN IP 192.168.1.30 running a web server and I want it to be accessible from the outside. I have made a script, but it doesn't work beyond the fact that I'm SNAT'ed out; I can't get anything in.

Can anyone please look at this and tell me what I have done wrong? I have been trying to make this work for 2 days now.

---- Below follows the script ----
#!/bin/bash
# adjust /proc
if [ -e /proc/sys/net/ipv4/ip_dynaddr ]; then echo 1 > /proc/sys/net/ipv4/ip_dynaddr; fi
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then echo 1 > /proc/sys/net/ipv4/tcp_syncookies; fi
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter; fi
if [ -e /proc/sys/net/ipv4/ip_forward ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; fi

# public address of the Internet-facing interface (match only the IPv4 "inet addr:" line)
INET_IP=`ifconfig eth1 | grep 'inet addr' | cut -d : -f 2 | cut -d ' ' -f 1`

iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t nat

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

iptables -t nat -A POSTROUTING -o eth1 -d ! $INET_IP -j SNAT --to $INET_IP

iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

## WWW Forwarding ...
iptables -A FORWARD -i eth1 -o eth0 -p tcp -d 192.168.1.30 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d $INET_IP --dport 80 -j DNAT --to 192.168.1.30:80
---- Script Above ----

Regards // Andreas
 
01-03-2005, 11:56 AM   #2
masand (Guru, Distribution: Ubuntu, Solaris, CentOS)
Hi,

This is not regarding your script, but if you would like to try out an iptables-based firewall, say Shorewall (shorewall.net), I think it will ease off your load a lot. I too found that easier than indulging in these scripts.

Regards
 
01-03-2005, 12:27 PM   #3
twsnnva (Member, Distribution: Debian)
Replace
Code:
iptables -t nat -A PREROUTING -i eth1 -p tcp -d $INET_IP --dport 80 -j DNAT --to 192.168.1.30:80
with this
Code:
iptables -A PREROUTING -t nat -p tcp -d $INET_IP --dport 80 -j DNAT --to-destination 192.168.1.30:80
and put it before this
Code:
iptables -t nat -A POSTROUTING -o eth1 -d ! $INET_IP -j SNAT --to $INET_IP
All of your chains are set to ACCEPT, so you don't need any of this:
Code:
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

## WWW Forwarding ...
iptables -A FORWARD -i eth1 -o eth0 -p tcp -d 192.168.1.30 --dport 80 -j ACCEPT
So your script should look like this:
Code:
#!/bin/bash
# adjust /proc
if [ -e /proc/sys/net/ipv4/ip_dynaddr ]; then echo 1 > /proc/sys/net/ipv4/ip_dynaddr; fi
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then echo 1 > /proc/sys/net/ipv4/tcp_syncookies; fi
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter; fi
if [ -e /proc/sys/net/ipv4/ip_forward ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; fi

# public address of the Internet-facing interface (match only the IPv4 "inet addr:" line)
INET_IP=`ifconfig eth1 | grep 'inet addr' | cut -d : -f 2 | cut -d ' ' -f 1`

iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t nat

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

iptables -A PREROUTING -t nat -p tcp -d $INET_IP --dport 80 -j DNAT --to-destination 192.168.1.30:80

iptables -t nat -A POSTROUTING -o eth1 -d ! $INET_IP -j SNAT --to $INET_IP
Thomas
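Added example, not a script from this thread: the same DNAT/SNAT port forward, but with the FORWARD policy set to DROP so only LAN-originated connections and the translated web traffic are routed, instead of relying on an ACCEPT policy. It assumes the thread's topology (eth1 Internet, eth0 LAN 192.168.1.0/24, web server 192.168.1.30), an iptables with the conntrack match, and iproute2 in place of ifconfig; setting IPT=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not a script from the thread. Topology as in the thread
# (assumed): eth1 = Internet, eth0 = LAN 192.168.1.0/24, web server 192.168.1.30.
# Run with IPT=echo to print the rules instead of loading them.
IPT=${IPT:-iptables}
WAN=${WAN:-eth1}
LAN=${LAN:-eth0}
LAN_NET=${LAN_NET:-192.168.1.0/24}
WEB=${WEB:-192.168.1.30}

# Public IPv4 address of $WAN: the argument if given, otherwise ask iproute2.
wan_ip() {
    if [ -n "$1" ]; then echo "$1"; return 0; fi
    ip -o -4 addr show dev "$WAN" | awk '{print $4}' | cut -d/ -f1
}

apply_rules() {
    inet_ip=$(wan_ip "$1")
    [ -n "$inet_ip" ] || { echo "no IPv4 address on $WAN" >&2; return 1; }

    $IPT -F
    $IPT -t nat -F
    $IPT -t mangle -F
    $IPT -P INPUT ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD DROP      # fail closed: nothing is routed unless a rule allows it

    # Clamp MSS on SYNs so PMTU problems (e.g. PPPoE uplinks) do not stall sessions.
    $IPT -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    $IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # LAN hosts may open connections outward ...
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -m conntrack --ctstate NEW -j ACCEPT
    # ... while from the Internet only new connections to the web server are routed.
    # FORWARD sees the packet after DNAT, so the match is on the LAN address.
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$WEB" --dport 80 \
        -m conntrack --ctstate NEW -j ACCEPT

    # Translate inbound port 80 on the public address, and hide LAN sources behind it.
    $IPT -t nat -A PREROUTING -i "$WAN" -p tcp -d "$inet_ip" --dport 80 \
        -j DNAT --to-destination "$WEB:80"
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j SNAT --to-source "$inet_ip"
}

# Only touch the kernel when invoked as:  sh forward.sh apply [public-ip]
case "${1:-}" in
    apply) echo 1 > /proc/sys/net/ipv4/ip_forward && apply_rules "$2" ;;
esac
```

After loading, `iptables -t nat -L PREROUTING -n -v` shows whether the DNAT rule's packet counter moves when an outside client connects; a counter that stays at zero means the packet never reached the box (upstream filtering or wrong public address), not a rule-ordering problem.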