LinuxQuestions.org > Linux - Networking > port forwarding trials and tribulations (https://www.linuxquestions.org/questions/linux-networking-3/port-forwarding-trials-and-tribulations-134245/)

BenGroeneveld 01-13-2004 02:25 AM

port forwarding trials and tribulations
 
I got my firewall working satisfactorily, or so it seems, but I cannot get port forwarding to my internal 192.168.254.200 www machine to succeed. This is my iptables script. Internet is eth0 and my LAN is eth1. Any help would be greatly, greatly appreciated. Thanks, BenG.

# Kernel settings have been set in /etc/sysctl.conf

# Reset

/sbin/iptables -v -F
/sbin/iptables -v -X
/sbin/iptables -v -Z
/sbin/iptables -t nat -F
/sbin/iptables -t nat -X
/sbin/iptables -t nat -Z
/sbin/iptables -t mangle -F
/sbin/iptables -t mangle -X
/sbin/iptables -t mangle -Z

# Set Policies

/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD DROP

# Allow self access by loopback interface
/sbin/iptables -A INPUT -i lo -p all -j ACCEPT

# Accept Established Connections
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accept New Internal Connections
/sbin/iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT

# Port Forwarding is enabled, so accept forwarded traffic for my www
/sbin/iptables -A FORWARD -p tcp --dport 80 -d 192.168.254.200 -i eth0 -j ACCEPT

# Set up IP FORWARDing
/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED \
-j ACCEPT
/sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

# Port Forwarding for my www
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT \
--to-destination 192.168.254.200

# Set up IP Masquerading
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

ac1980 01-13-2004 03:17 PM

Are you sure the DNAT chain falls back into the FORWARD one?
I use shorewall as an encapsulation for iptables; it makes things a lot easier while still being fully flexible. You may give it a try.

WeNdeL 01-13-2004 03:44 PM

From my iptables script:

$IPTABLES -t nat -A PREROUTING -i $INTERNET -p tcp --sport $SOME_SOURCE_PORT -d $EXT_IPADDR --dport $SOME_DEST_PORT -j DNAT --to-destination $SOME_INTERNAL_IP

$IPTABLES -A FORWARD -i $INTERNET -o $LAN -p tcp --sport $SOME_SOURCE_PORT -d $SOME_INTERNAL_IP --dport $SOME_DEST_PORT -j ACCEPT

This should do the trick...

And note that Masquerading is for something like a dial-up connection. It is not for NAT.
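The two replies above make the same point from different angles: the packet that leaves the nat PREROUTING chain is already addressed to the LAN host, so the FORWARD chain has to accept traffic for that translated destination, and with a FORWARD policy of DROP a missing or mismatched rule silently eats it. The script below is an added example, not code from BenG, WeNdeL or any other poster. It generates an iptables-restore ruleset for one forwarded TCP port (interface names, the 192.168.254.200 target and port 80 are taken from the thread; everything else is assumed), and it includes a small lint that checks the exact pairing ac1980 asked about. Nothing is applied to the running firewall; the output is meant to be reviewed and then fed to iptables-restore by the operator.

```shell
#!/bin/sh
# Added example (not from the thread). Emits an iptables-restore ruleset
# that forwards one TCP port from the Internet interface to a LAN host.
# Usage: gen_portforward_rules WAN_IF LAN_IF TARGET_IP PORT
gen_portforward_rules() {
    wan=$1; lan=$2; target=$3; port=$4
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# 1. Rewrite the destination before routing. From here on the packet is
#    addressed to $target, which is what the FORWARD chain will see.
-A PREROUTING -i $wan -p tcp --dport $port -j DNAT --to-destination $target:$port
# 2. Source NAT for LAN hosts going out. Replies to the forwarded flow are
#    reverse-translated by conntrack and do not depend on this rule.
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT ! -i $wan -m state --state NEW -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# 3. Accept only the translated destination and the single port, so the
#    DNAT rule cannot widen what is reachable beyond what was intended.
-A FORWARD -i $wan -o $lan -p tcp -d $target --dport $port -m state --state NEW -j ACCEPT
-A FORWARD -i $lan -o $wan -j ACCEPT
COMMIT
EOF
}

# Lint: every DNAT target in a ruleset read from stdin must be named by a
# FORWARD ACCEPT rule; otherwise the rewritten packet hits the DROP policy.
# Returns 0 when every target is covered, 1 otherwise.
check_dnat_has_forward() {
    ruleset=$(cat)
    status=0
    for ip in $(printf '%s\n' "$ruleset" \
                | sed -n 's/.*-j DNAT --to-destination \([0-9.]*\).*/\1/p'); do
        if ! printf '%s\n' "$ruleset" | grep -q -- "-A FORWARD .*-d $ip .*-j ACCEPT"; then
            echo "no FORWARD ACCEPT rule for DNAT target $ip" >&2
            status=1
        fi
    done
    return $status
}

# Prerequisite on the firewall itself: the kernel must forward at all.
# (The thread's script relies on /etc/sysctl.conf for this.)
ip_forward_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Stand-alone run: print the ruleset for the thread's setup and lint it.
if [ "${0##*/}" = "portforward.sh" ]; then
    gen_portforward_rules eth0 eth1 192.168.254.200 80 | tee /dev/stderr \
        | check_dnat_has_forward && echo "ruleset OK" >&2
fi
```

Two things worth checking when a ruleset like this still "does not work". First, look at the packet counters with `iptables -t nat -L PREROUTING -v -n` and `iptables -L FORWARD -v -n`: a DNAT counter that increments while the FORWARD ACCEPT stays at zero is the mismatch the lint is looking for, and zero on both usually means the packet never arrived on the firewall. Second, test from outside the LAN: a client on the 192.168.254.0 network connecting to the firewall's external address will not take the same path, because the reply from 192.168.254.200 goes straight back to the client without passing through the NAT, so a "works from outside, fails from inside" result is expected with these rules alone. The FORWARD rule here deliberately matches only the destination and port, not the client's source port as in WeNdeL's snippet, since clients pick ephemeral source ports.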
