LinuxQuestions.org
Old 01-17-2006, 03:20 PM   #1
solletica
LQ Newbie
 
Registered: Nov 2005
Distribution: Fedora Core 1
Posts: 4

Rep: Reputation: 0
port forwarding with iptables


I have a Linux box acting as a NAT firewall for my internal network. On the internal network is a server running on port 4000 on a Windows 2003 box.

I want to forward all connections into the firewall's public IP address on port 4000 to port 4000 on the Windows box, using iptables.

The Windows box's internal IP address is 192.168.1.6 and the firewall's external interface's (public IP) address is 67.109.203.170. I'm currently using the following iptables rules to do this. . .

iptables -A FORWARD -p tcp -s 0/0 -i eth0 -d 192.168.1.6 --destination-port 4000 --syn -j ACCEPT

iptables -A PREROUTING -t nat -p tcp -i eth0 -d 67.109.203.170 --destination-port 4000 -j DNAT --to-destination 192.168.1.6

Now these rules ARE WORKING as intended, with one exception: if I try to connect to 67.109.203.170:4000 from a PC on the internal network (i.e. 192.168.1.x), it doesn't work.

In other words, if I do

telnet 67.109.203.170 4000

from outside the private network, a connection is made, but if I do it from within the private network, it doesn't.

Can you tell me how I can correct the iptables rules so a connection to <external IP>:4000 can be made internally as well?

Incidentally, I know that if I replace the Linux box firewall with an off-the-shelf router and configure the router for port forwarding on 4000, it WILL do the above (i.e. allow the connection from both inside and outside the network).

Thanks.
 
Old 01-18-2006, 08:51 PM   #2
antken
Member
 
Registered: Nov 2000
Location: england
Distribution: latest Mandrake
Posts: 368

Rep: Reputation: 30
I think here you would have to run your rules again but amend them so that eth0 is replaced with your internal adapter, eth1 (I presume).

Once that has been done I reckon it will fix the problem.


Also, once you have put the new rules in, you could run iptables -L -v

This will show you how many packets have been touched by that rule.
 
Old 01-23-2006, 02:15 PM   #3
solletica
LQ Newbie
 
Registered: Nov 2005
Distribution: Fedora Core 1
Posts: 4

Original Poster
Rep: Reputation: 0
Well, if I replace eth0 with eth1, then packets coming from outside the network won't be routed to the Windows box.

That's not what I want; I want all TCP/IP traffic to 67.109.203.170 on port 4000, whether from the internal LAN or the outside, to be routed to the Windows box.

BTW, I tried removing the "-i eth0" altogether, from both rules, but that didn't work.

I know this is doable; I just don't know how.
 
Old 01-23-2006, 04:20 PM   #4
Stranex
LQ Newbie
 
Registered: Jul 2003
Posts: 1

Rep: Reputation: 0
Isn't this because the router/firewall doesn't support loopback?

Trying to access your boxes using the WAN IP (from your LAN IPs) won't work because of this.

Not sure if there is a way around it, but I think that's why it won't work.
 
Old 01-23-2006, 04:59 PM   #5
solletica
LQ Newbie
 
Registered: Nov 2005
Distribution: Fedora Core 1
Posts: 4

Original Poster
Rep: Reputation: 0
It is possible to access the firewall box from a LAN PC using the box's public IP, i.e.

if I do ping 67.109.203.170 from a PC on the inside, I get a reply, and I can also, say, connect to a publicly available server running on the box by telnetting to its public IP address FROM the inside.

So what's the deal?
 
Old 03-12-2006, 05:37 AM   #6
thekillerbean
Member
 
Registered: Jan 2002
Distribution: Ubuntu 12.04.2 (Precise)
Posts: 89

Rep: Reputation: 16
What you need is a PREROUTING rule to check for traffic destined for your public IP at port 4000 coming from your LAN interface and DNAT it back to the internal box servicing that port - simple really!


If that does not work, then you need to provide a diagram of how your network is configured!

Cheers,
kb.
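The complete rule set for the hairpin ("NAT loopback") case, as an added example that is not part of the thread. The DNAT from the LAN interface that the last reply describes is necessary but not sufficient on its own: once the packet is rewritten to 192.168.1.6, the Windows box sees a client on its own subnet and answers it directly, bypassing the firewall, so the client receives a SYN-ACK from 192.168.1.6 for a connection it opened to 67.109.203.170 and resets it. The hairpinned flow also has to be source-NATed to the firewall's LAN address so the reply comes back through the firewall, and the FORWARD rule must not be pinned to -i eth0. The script assumes the LAN interface is eth1 and the firewall's LAN address is 192.168.1.1 (neither is given in the thread); the other addresses and the port are the OP's. Setting IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Hairpin ("NAT loopback") port forward for the setup in this thread.
# Added example; not code from the thread. Assumed values: the LAN side of
# the firewall is eth1 with address 192.168.1.1. Everything else is the OP's.
set -eu

IPT="${IPT:-iptables}"                # IPT=echo prints the rules instead of applying them
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"              # assumption: LAN interface
PUBLIC_IP="${PUBLIC_IP:-67.109.203.170}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
FW_LAN_IP="${FW_LAN_IP:-192.168.1.1}" # assumption: firewall's LAN address
SERVER_IP="${SERVER_IP:-192.168.1.6}"
PORT="${PORT:-4000}"

hairpin_forward() {
    # 1. Outside -> server. This is the rule the OP already has.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$PUBLIC_IP" --dport "$PORT" \
        -j DNAT --to-destination "$SERVER_IP"

    # 2. LAN -> public IP. Without this rule the packet is addressed to a
    #    local address, so the firewall delivers it to itself; nothing is
    #    listening on port 4000 there and the connection is refused.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp -d "$PUBLIC_IP" --dport "$PORT" \
        -j DNAT --to-destination "$SERVER_IP"

    # 3. Source-NAT the hairpinned flow. After DNAT alone the server sees a
    #    client on its own subnet and answers it directly; the client then
    #    gets a SYN-ACK from 192.168.1.6 instead of 67.109.203.170 and resets
    #    the connection. Rewriting the source to the firewall's LAN address
    #    makes the server reply through the firewall, which reverses both NATs.
    $IPT -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -p tcp -d "$SERVER_IP" --dport "$PORT" \
        -j SNAT --to-source "$FW_LAN_IP"

    # 4. Filter table. Match on the post-DNAT destination and do not pin the
    #    input interface, so one rule covers packets arriving on either side.
    $IPT -A FORWARD -p tcp -d "$SERVER_IP" --dport "$PORT" -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

show_counters() {
    # Per-rule packet counters. "iptables -L -v" alone shows only the filter
    # table; the DNAT/SNAT rules live in the nat table. A connection from a
    # LAN host should bump rules 2 and 3, one from outside only rule 1.
    $IPT -t nat -L PREROUTING -v -n --line-numbers
    $IPT -t nat -L POSTROUTING -v -n --line-numbers
    $IPT -L FORWARD -v -n --line-numbers
}

case "${1:-}" in
    apply)   hairpin_forward ;;              # needs root and net.ipv4.ip_forward=1
    dry-run) (IPT=echo; hairpin_forward) ;;
    show)    show_counters ;;
    *)       echo "usage: $0 apply|dry-run|show" >&2 ;;
esac
```

Run the script with "dry-run" to review the rules, "apply" as root with net.ipv4.ip_forward set to 1, and "show" to read the counters. One caveat worth knowing before deploying this: because of the SNAT in rule 3, the Windows server logs every hairpinned connection as coming from 192.168.1.1 rather than from the real LAN client, so any per-client access control or audit on the server loses that information. If that matters, the cleaner fix is split-horizon DNS, so LAN clients resolve the service name to 192.168.1.6 directly and never hairpin through the firewall at all.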
 