LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 07-10-2003, 08:36 PM   #1
pembo13
Member
 
Registered: May 2003
Location: Caribbean
Distribution: Fedora Core2
Posts: 403

Please help me finish setting up IPTABLES, all I need is to forward port 8080


Hi to all,

I've read the tutorials, etc. and now have my IPTABLES doing internet sharing. All I need now is to get port forwarding to work. Right now I'd like to forward port 8080 on the gateway/router to an internal webserver, i.e. 192.168.100.11:80.

I have pasted the major parts of my rc.firewall script below
-----------------------------------------------------------------------------------
###########################################################################
#
# 4. rules set up.
#

######
# 4.1 Filter table
#

#
# 4.1.1 Set policies
#

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# 4.1.2 Create user-specified chains
#

#
# Create chain for bad tcp packets
#

$IPTABLES -N bad_tcp_packets

#
# Create separate chains for ICMP, TCP and UDP to traverse
#

$IPTABLES -N allowed
$IPTABLES -N allaccess
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
$IPTABLES -N icmp_packets

#
# 4.1.3 Create content in user-specified chains
#

#
# bad_tcp_packets chain
#

$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
-m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# allowed chain
#

$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP


#
# allaccess chain
#

$IPTABLES -A allaccess -p TCP -j LOG --log-prefix "Port Forwarding: "
$IPTABLES -A allaccess -p TCP -j ACCEPT


#
# TCP rules
#
#-ftp ports
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 20 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
#-ssh ports
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
#-http ports
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
#-
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
#-squid ports
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 3128 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 443 -j allowed
#-MSN Messenger ports
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 6891:6901 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 1863 -j allowed
#-Kazaa ports
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 1214 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 2608 -j allowed
#-Internet Switchboard ports
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 7750:7751 -j allaccess
#-eMule ports
$IPTABLES -A tcp_packets -p TCP -s 0/0 --source-port 4662 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 4662 -j allowed
#-Abyss Web Server
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 8080 -j allaccess


#
# UDP ports
#

$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
if [ $DHCP == "yes" ] ; then
$IPTABLES -A udp_packets -p UDP -s 0/0 --sport 67 \
--dport 68 -j ACCEPT
fi

$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 1863 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 6901 -j ACCEPT
#-Internet Switchboard port
$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 7750:7751 -j ACCEPT
#-eMule ports
$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 4672 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --dport 4672 -j ACCEPT
#
# In Microsoft Networks you will be swamped by broadcasts. These lines
# will prevent them from showing up in the logs.
#

#$IPTABLES -A udp_packets -p UDP -i $INET_IFACE \
#--destination-port 135:139 -j DROP

#
# If we get DHCP requests from the Outside of our network, our logs will
# be swamped as well. This rule will block them from getting logged.
#

#$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255 \
#--destination-port 67:68 -j DROP

#
# ICMP rules
#

$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# 4.1.4 INPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Rules for special networks not part of the Internet
#

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -j ACCEPT

#
# Special rule for DHCP requests from LAN, which are not caught properly
# otherwise.
#

$IPTABLES -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT

#
# Rules for incoming packets from the internet.
#

$IPTABLES -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udp_packets
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

#
# If you have a Microsoft Network on the outside of your firewall, you may
# also get flooded by Multicasts. We drop them so we do not get flooded by
# logs
#

#$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP

#
# Log weird packets that don't match the above.
#

$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "



#
# 4.1.5 FORWARD chain
#

#
# Bad TCP packets we don't want
#

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

#
# Accept the packets we actually want to forward
#

$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT


#
# Forward some ports
#

$IPTABLES -A FORWARD -p tcp -i $INET_IFACE --dport 7750:7751 -j ACCEPT
$IPTABLES -A FORWARD -p udp -i $INET_IFACE --dport 7750:7751 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i $INET_IFACE --dport 8080 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 4662 -j ACCEPT


#
# Log weird packets that don't match the above.
#

$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#
# 4.1.6 OUTPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

#
# Special OUTPUT rules to decide which IP's to allow.
#

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

######
# 4.2 nat table
#

#
# 4.2.4 PREROUTING chain
#
#
#Port forwarding
#

$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -p tcp --dport 7750:7751 -j DNAT --to-dest 192.168.100.12
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -p udp --dport 7750:7751 -j DNAT --to-dest 192.168.100.12
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -p tcp --dport 4662 -j DNAT --to-dest 192.168.100.11
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -p tcp --dport 8080 -j DNAT --to-dest 192.168.100.11:80


#
# 4.2.5 POSTROUTING chain
#

if [ $PPPOE_PMTU == "yes" ] ; then
$IPTABLES -t nat -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN \
-j TCPMSS --clamp-mss-to-pmtu
fi
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE

-------------------------------------------------------------------------------
Please advise ASAP
Thanks a lot.
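Added example, not part of any post in this thread: the two rules a DNAT port forward needs, written to match the packet as the FORWARD chain actually sees it. DNAT runs in nat/PREROUTING before the routing decision, so FORWARD sees the packet already rewritten to 192.168.100.11:80; a FORWARD rule matching --dport 8080 (as in the script above) never fires for the forwarded SYN and the chain's DROP policy discards it, whereas the 7750:7751 and 4662 forwards work only because DNAT leaves their ports unchanged. The names $IPTABLES, $INET_IFACE and $LAN_IFACE are taken from the script; the eth0/eth1 defaults and the DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example, not the original poster's rc.firewall. A DNAT port forward
# needs two rules, and the FORWARD rule must describe the packet *after*
# PREROUTING has rewritten it: 8080 -> 192.168.100.11:80 means FORWARD sees
# dport 80, so a FORWARD rule matching --dport 8080 never fires and the
# chain's DROP policy discards the connection.
IPTABLES=${IPTABLES:-/sbin/iptables}
INET_IFACE=${INET_IFACE:-eth0}   # assumed external interface name
LAN_IFACE=${LAN_IFACE:-eth1}     # assumed internal interface name

# run CMD: print the rule when DRY_RUN=1 (lets the logic be checked without
# root or iptables installed), otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$1"; else sh -c "$1"; fi
}

# port_forward EXT_PORT INT_IP INT_PORT
port_forward() {
    ext_port=$1; int_ip=$2; int_port=$3
    # nat/PREROUTING: rewrite the destination before the routing decision.
    run "$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -p tcp --dport $ext_port -j DNAT --to-destination $int_ip:$int_port"
    # filter/FORWARD: match the translated destination and port, accept only
    # new connections (ESTABLISHED,RELATED is already handled earlier in the
    # chain), and pin the egress interface so the forward only reaches the LAN.
    run "$IPTABLES -A FORWARD -i $INET_IFACE -o $LAN_IFACE -p tcp -d $int_ip --dport $int_port -m state --state NEW -j ACCEPT"
}

# forward_rule_matches_post_dnat EXT_PORT INT_IP INT_PORT: exit 0 when the
# generated FORWARD rule matches the internal (post-DNAT) address and port.
forward_rule_matches_post_dnat() {
    ( DRY_RUN=1; port_forward "$1" "$2" "$3" ) |
        grep -q -- "-A FORWARD .* -d $2 --dport $3 "
}

# Usage: DRY_RUN=1 sh forward.sh 8080 192.168.100.11 80   (print the rules)
#        sh forward.sh 8080 192.168.100.11 80             (install, as root)
if [ $# -eq 3 ]; then
    port_forward "$1" "$2" "$3"
fi
```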
 
Old 07-18-2003, 10:04 PM   #2
pembo13
Member
 
Registered: May 2003
Location: Caribbean
Distribution: Fedora Core2
Posts: 403

Original Poster
Somebody....Anybody....HELP!!!!!!
 
Old 07-18-2003, 10:27 PM   #3
chadtce
LQ Newbie
 
Registered: Jul 2003
Location: Kuantan, Pahang, Malaysia
Distribution: Slackware 9.0
Posts: 6

This is what I did for my iptables

Code:
# Allow packets from the LAN to external networks with NAT.
iptables -t nat -A POSTROUTING -o $EXT_ETH -s $LOCAL_NET -j MASQUERADE

# These are the rules for redirecting packets to the external networks with NAT to destination port 3128 on Squid
iptables -t nat -A PREROUTING -i $IN_ETH -p tcp --dport 80 -j REDIRECT --to-port $PROXY_PORT
I hope this is quite helpful
 
Old 07-18-2003, 10:28 PM   #4
andrew001
Member
 
Registered: Nov 2002
Distribution: Slackware 9.0
Posts: 321

Eh,

$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -p tcp --dport 8080 -j DNAT --to-dest 192.168.100.11:80

looks right to me. All I can think of is to install a firewall generator and compare what it comes up with to what you have there.

Sorry,

Andrew
 
Old 07-18-2003, 10:28 PM   #5
andrew001
Member
 
Registered: Nov 2002
Distribution: Slackware 9.0
Posts: 321

Wow, looks like somebody new : )
 