DNAT to web server inside LAN?

sarajevo · 06-05-2006, 01:14 AM

Hello all ,

I read Andersson's manual about iptables.
The output of iptables -t nat -L are as follows

debian:/home/# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere debian tcp dpt:www to:10.1.1.2

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

rules in script are as follows

#!/bin/bash

echo " Some comment "

/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc
echo " Enabling IP forwarding... "
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING --dst 150.1.1.1 -p tcp --dport 80 -j DNAT --to-destination 10.1.1.2:80

With this rule I want to forward all packets that coming from internet to my external ip address 150.1.1.1 to my internal ip address 10.1.1.2:80 to my web server. On my firewall I have two NICs, eth0=150.1.1.1 and eth1=10.1.1.1. On eth1 is connected with RJ-45 to web server. Only I want is to filter traffic from one NIC to other in order to make traffic filtering to my web server whitch is located in internal network. So write down your comments

Thanks in advance.
Best wishes.

win32sux · 06-05-2006, 06:57 AM

Quote:

Originally Posted by sarajevo

#!/bin/bash

echo " Some comment "

/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc
echo " Enabling IP forwarding... "
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING --dst 150.1.1.1 -p tcp --dport 80 -j DNAT --to-destination 10.1.1.2:80

With this rule I want to forward all packets that coming from internet to my external ip address 150.1.1.1 to my internal ip address 10.1.1.2:80 to my web server. On my firewall I have two NICs, eth0=150.1.1.1 and eth1=10.1.1.1. On eth1 is connected with RJ-45 to web server. Only I want is to filter traffic from one NIC to other in order to make traffic filtering to my web server whitch is located in internal network. So write down your comments

Thanks in advance.
Best wishes.

hello, try like this instead:

Code:

#!/bin/bash

echo "0" > /proc/sys/net/ipv4/ip_forward

iptables -F FORWARD

iptables -F -t nat
iptables -F -t mangle

iptables -X -t nat
iptables -X -t mangle

iptables -P FORWARD DROP

iptables -t nat -A PREROUTING -i eth0 -p TCP --dport 80 \
-j DNAT --to-destination 10.1.1.2

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -i eth0 -o eth1 -p TCP -d 10.1.1.2 \
--dport 80 -m state --state NEW -j ACCEPT

echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/ip_forward

just my

...