Old 10-16-2002, 02:34 AM   #1
Ratclaws
Member
 
Registered: Sep 2001
Location: New York
Distribution: Slackware 8
Posts: 100

Rep: Reputation: 16
Netfilter / iptables - forward port 80


.... I've seen 90 million different ways to do this, and none of them seem to work right. All I want to do is forward all traffic hitting port 80 to an internal IP address. My current setup uses 2 scripts.

rc.nat
----------
#!/bin/sh

IPTABLES="/usr/sbin/iptables"
INET_IP="216.179.69.105"
LAN_IP="192.168.1.2"
LAN_IP_RANGE="192.168.1.0/24"
LAN_BCAST_ADDRESS="192.168.1.255"
LAN_IFACE="eth1"
INET_IFACE="eth0"

/sbin/depmod -a
modprobe iptable_nat
#########
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
#########

#/usr/sbin/iptables -P INPUT DROP
#/usr/sbin/iptables -P OUTPUT DROP
#/usr/sbin/iptables -P FORWARD DROP

/usr/sbin/iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 216.179.69.105
/usr/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
------------------------------------------------

This just gets a NAT-like filter going, and works fine, haven't had any problems yet.

Next is rc.portforward
----------------------------
#!/bin/sh

/usr/sbin/iptables -A PREROUTING -t nat -p tcp -d 216.179.69.105 --dport 80 -j DNAT --to 192.168.1.9:80
/usr/sbin/iptables -A PREROUTING -t nat -p tcp -d 216.179.69.105 --dport 25 -j DNAT --to 192.168.1.9:25
/usr/sbin/iptables -A PREROUTING -t nat -p tcp -d 216.179.69.105 --dport 110 -j DNAT --to 192.168.1.9:110
--------------------------

From what I've seen, this should do the trick. What I am confused about is that it does work, just not all the time. Sometimes it forwards and sometimes it doesn't.

Does anyone see any reason why this would not work?

>iptables -L

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

>iptables -t nat -L

Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere cust-69-105-l132.dyn-adsl.bestweb.net tcp dpt:smtp to:192.168.1.9:25
DNAT tcp -- anywhere cust-69-105-l132.dyn-adsl.bestweb.net tcp dpt:pop3 to:192.168.1.9:110
DNAT tcp -- anywhere cust-69-105-l132.dyn-adsl.bestweb.net tcp dpt:http to:192.168.1.9:80

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- anywhere anywhere to:216.179.69.105
MASQUERADE all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

If it makes any difference, I am running Slack 8.1, kernel 2.4.18.
 
Old 10-16-2002, 04:52 AM   #2
bah
Member
 
Registered: Apr 2001
Posts: 38

Rep: Reputation: 15
Can you flush all your rules and just test with the destination NATting, i.e. just have the transparent proxying rule enabled?

/usr/sbin/iptables -A PREROUTING -t nat -p tcp -d 216.179.69.105 --dport 80 -j DNAT --to 192.168.1.9:80

I may be way off base here, but I'm just wondering whether the post routing rules are affecting connection tracking.
 
Old 10-17-2002, 09:40 PM   #3
Mr IPtables
LQ Newbie
 
Registered: Oct 2002
Posts: 2

Rep: Reputation: 0
Your rule doesn't work because the FORWARD chain is dropping the packets after PREROUTING.

Here's the rule on an all-DROP policy firewall.

iptables -A FORWARD -p tcp -i eth0 -s 0/0 -d 192.168.1.9 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to 192.168.1.9:80

Mr Iptables.
 
Old 10-17-2002, 10:09 PM   #4
omi
LQ Newbie
 
Registered: Oct 2002
Location: Toronto, Ontario, Canada
Distribution: Debian
Posts: 3

Rep: Reputation: 0
I use ipmasqadm for the 2.2 kernel:
ipmasqadm portfw -a -P tcp -L external_IP EXTERNAL_PORT -R INTERNAL_IP INTERNAL_PORT

If you need to forward UDP,
you do "-P udp" instead of "-P tcp".

Works all the time.
 
Old 10-18-2002, 05:44 AM   #5
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 47
Remove the POSTROUTING MASQUERADE entry.
You can do either MASQUERADE or SNAT, but not both...
SNAT is better for you if you have a static IP address.
If you don't, how do people find your IP number??

Your policies are all ACCEPT, which leaves you wide open to abuse (now we know your IP number), so get some filtering in there real quick pls.

Regards,
Peter

Last edited by peter_robb; 10-18-2002 at 05:48 AM.
 
Old 10-26-2002, 05:04 PM   #6
Ratclaws
Member
 
Registered: Sep 2001
Location: New York
Distribution: Slackware 8
Posts: 100

Original Poster
Rep: Reputation: 16
That's okay, it is a temporary setup. That box is just there to give inet access to a few comps that are properly firewalled. I will try that out though.
 
Old 10-26-2002, 05:14 PM   #7
Ratclaws
Member
 
Registered: Sep 2001
Location: New York
Distribution: Slackware 8
Posts: 100

Original Poster
Rep: Reputation: 16
Nope... not working.....
The FORWARD DROP rule is commented out though, so I don't know why it would drop it.

Does anyone have a known-to-be-working iptables firewall script that I could look at?
 
Old 10-26-2002, 08:21 PM   #8
Mux
Member
 
Registered: May 2002
Location: Bs.As., Argentina
Distribution: Slackware; Debian; Suse; RedHat
Posts: 66

Rep: Reputation: 15
This is actually working. Should work for you too.

IPTABLES="/usr/sbin/iptables"
EXT_IFACE="eth0"   # -i takes an interface name, not an address; eth0 is assumed to be where the requests arrive
echo -e " - Forwarding for port 80"
$IPTABLES -t nat -A PREROUTING -i $EXT_IFACE -p tcp --dport 80 \
-j DNAT --to 192.168.0.2:80
$IPTABLES -t filter -A FORWARD -i $EXT_IFACE -p tcp -d 192.168.0.2 --dport 80 \
-j ACCEPT

Mux.
 
Old 10-27-2002, 04:08 PM   #9
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 47
Have a look here http://www.netfilter.org/documentati...ials/blueflux/ and find the example script with the LOGGING added.

Then look at "tail -f /var/log/messages" and watch for dropped packets.

Until you can prove packets are entering, forwarded to the server and replies go out etc, we could spend a lot of time doing "this script" vs "that script" just hoping something will work...

Regards,
Peter
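As an added example (not a script from this thread), here is a minimal rc.portforward that pulls together the points raised in the replies: the DNAT in PREROUTING with a matching FORWARD ACCEPT, a single SNAT rule with no MASQUERADE beside it, conntrack state rules so the replies get back, and rate-limited LOG rules so dropped packets show up in /var/log/messages. It reuses the original poster's addresses and interfaces; the DRY_RUN switch and the helper names (ipt, apply_portforward, render_rules, count_dnat_rules) are assumptions so it can be exercised without root.

```shell
#!/bin/sh
# Added example: DNAT port forward for the poster's setup (eth0 public,
# eth1 LAN, web server 192.168.1.9). With DRY_RUN=1 the rules are printed
# instead of applied, so the rule set can be reviewed without root.
INET_IFACE="eth0"; INET_IP="216.179.69.105"
LAN_IFACE="eth1";  LAN_NET="192.168.1.0/24"
WEB_SERVER="192.168.1.9"

ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo iptables "$@"; else /usr/sbin/iptables "$@"; fi
}

apply_portforward() {
    ipt -F; ipt -t nat -F
    ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT ACCEPT
    # Replies to tracked connections are accepted in both directions.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN hosts may open outbound connections.
    ipt -A FORWARD -i "$LAN_IFACE" -o "$INET_IFACE" -s "$LAN_NET" -j ACCEPT
    # DNAT rewrites the destination before routing, so the FORWARD rule
    # must match the internal server address, not the public one.
    ipt -t nat -A PREROUTING -i "$INET_IFACE" -p tcp -d "$INET_IP" --dport 80 \
        -j DNAT --to-destination "$WEB_SERVER:80"
    ipt -A FORWARD -i "$INET_IFACE" -o "$LAN_IFACE" -p tcp -d "$WEB_SERVER" --dport 80 \
        -m state --state NEW -j ACCEPT
    # Static public address: SNAT only, a MASQUERADE rule beside it is redundant.
    ipt -t nat -A POSTROUTING -o "$INET_IFACE" -s "$LAN_NET" -j SNAT --to-source "$INET_IP"
    # Whatever falls through is logged (rate limited) and then hits the DROP policy.
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IN-DROP: "
    if [ "${DRY_RUN:-0}" != "1" ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; fi
}

# Print the rule set without touching the kernel.
render_rules() { ( DRY_RUN=1; apply_portforward ); }

# Number of DNAT rules in the rendered set (expected: exactly one).
count_dnat_rules() { render_rules | grep -c -- '-j DNAT'; }

if [ "${APPLY:-0}" = "1" ]; then apply_portforward; fi
```

Run `sh rc.portforward | less` after `export DRY_RUN=1; export APPLY=1` to review the rules, then as root with `APPLY=1` alone to load them and watch the FWD-DROP lines with tail -f /var/log/messages.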
 
  

