LinuxQuestions.org
Linux - Security forum
Old 09-24-2007, 10:04 AM   #1
davidz
LQ Newbie
 
Registered: Aug 2007
Posts: 11

Rep: Reputation: 0
Forward OR PreRouting


I have an iptables firewall that is working great. My question is, is it better to use the PREROUTING or FORWARD to do "port forwarding". Like for bittorrent for example. I've seen it both ways, and I am already using PREROUTING DNAT/SNAT for my web server and email server. I just need to open up some ports for stuff like bittorrent and such. Should I just add more PREROUTING rules or should I be using FORWARD? Or does it even matter?

Thanks,
David
 
Old 09-24-2007, 10:32 AM   #2
almatic
Member
 
Registered: Mar 2007
Distribution: Debian
Posts: 547

Rep: Reputation: 67
You will need rules in PREROUTING as well as in FORWARD. The PREROUTING rule is for the NAT (swapping IP addresses) and the FORWARD rule sends the packet to its destination.
 
Old 09-24-2007, 07:11 PM   #3
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Adding to what almatic said, when setting the DNAT in PREROUTING, the only reason why you would NOT need to make a respective FORWARD rule would be if your FORWARD chain is already set to forward these packets. So ideally, you want to have things set so that you definitely *need* to make a respective FORWARD rule(s) for your DNAT(s). Using BitTorrent as an example, we could say that this:
Code:
iptables -t nat -A PREROUTING -p TCP -i $WAN_IFACE --dport 6881:6999 -j DNAT \
--to-destination 192.168.1.112
Should *hopefully* require a rule like this in order to work:
Code:
iptables -A FORWARD -p TCP -i $WAN_IFACE -o $LAN_IFACE -d 192.168.1.112 \
--dport 6881:6999 -m state --state NEW -j ACCEPT
If not, then it's likely your FORWARD chain wasn't reasonably tight.
 
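The complete picture win32sux is describing, as an added example that is not win32sux's script or anything posted in the thread: a two-interface NAT box whose FORWARD chain has a DROP policy, so the PREROUTING DNAT for the BitTorrent host genuinely does nothing useful until the matching FORWARD ACCEPT exists. The interface names (eth0 WAN, eth1 LAN), the 192.168.1.0/24 LAN and the `missing_forward_rules` check are my assumptions; 192.168.1.112 and ports 6881:6999 are from the post. It uses `-m conntrack --ctstate` rather than the older `-m state --state` from the post; both take the same NEW/ESTABLISHED/RELATED keywords. By default it only prints the iptables commands (dry run).

```shell
#!/bin/sh
# Added example, not from the thread: a NAT box whose FORWARD chain is tight
# enough that every DNAT genuinely needs its own FORWARD ACCEPT rule.
# Assumed names: eth0 = WAN, eth1 = LAN, 192.168.1.0/24 = LAN,
# 192.168.1.112 = the BitTorrent host from the post.
# Dry run by default (commands are echoed); run with IPT=iptables as root to apply.
WAN_IFACE="${WAN_IFACE:-eth0}"
LAN_IFACE="${LAN_IFACE:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
TORRENT_HOST="${TORRENT_HOST:-192.168.1.112}"
TORRENT_PORTS="${TORRENT_PORTS:-6881:6999}"
IPT="${IPT:-echo iptables}"

firewall_rules() {
    # Default-deny forwarding: nothing crosses the box unless a rule allows it.
    # (The kernel also needs net.ipv4.ip_forward=1 for any forwarding at all.)
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    $IPT -t nat -F PREROUTING
    $IPT -t nat -F POSTROUTING

    # Return traffic for connections that were already allowed, in both directions.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # LAN hosts may open connections outbound, hidden behind the WAN address.
    $IPT -A FORWARD -i "$LAN_IFACE" -o "$WAN_IFACE" -s "$LAN_NET" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN_IFACE" -s "$LAN_NET" -j MASQUERADE

    # Port forward, part 1: the PREROUTING DNAT only rewrites the destination.
    $IPT -t nat -A PREROUTING -i "$WAN_IFACE" -p tcp --dport "$TORRENT_PORTS" \
        -j DNAT --to-destination "$TORRENT_HOST"
    # Part 2: the rewritten packet still traverses FORWARD; with the DROP policy
    # above, this ACCEPT is what actually lets the new connection through.
    $IPT -A FORWARD -i "$WAN_IFACE" -o "$LAN_IFACE" -p tcp -d "$TORRENT_HOST" \
        --dport "$TORRENT_PORTS" -m conntrack --ctstate NEW -j ACCEPT
}

# Check: every DNAT target must have an explicit FORWARD ACCEPT aimed at it.
# Reads rule lines on stdin (the dry-run output above, or `iptables-save` output),
# prints each uncovered target and exits 1 if any is found.
missing_forward_rules() {
    awk '
        /-j DNAT/ {
            for (i = 1; i <= NF; i++) if ($i == "--to-destination") {
                split($(i + 1), a, ":"); dnat[a[1]] = 1        # drop any :port suffix
            }
        }
        /FORWARD/ && /-j ACCEPT/ {
            for (i = 1; i <= NF; i++) if ($i == "-d") {
                v = $(i + 1); sub(/\/32$/, "", v); fwd[v] = 1  # iptables-save writes /32
            }
        }
        END {
            rc = 0
            for (h in dnat) if (!(h in fwd)) {
                print "no FORWARD ACCEPT for DNAT target " h; rc = 1
            }
            exit rc
        }'
}

# Stand-alone run: echo (or, with IPT=iptables, apply) the rule set.
firewall_rules
```

Usage: `sh fw.sh` prints the rules; `IPT=iptables sh fw.sh` applies them as root. Source the file (`. ./fw.sh`) to get both functions in an interactive shell, then `firewall_rules | missing_forward_rules` checks the dry-run output and `iptables-save | missing_forward_rules` checks the live ruleset; a DNAT with no covering FORWARD ACCEPT is reported, which is exactly the "I didn't need a FORWARD rule" symptom from the thread turned around: if the check passes but the forward still works without its ACCEPT line, the FORWARD policy or an earlier rule is too permissive.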
Old 09-25-2007, 07:13 AM   #4
davidz
LQ Newbie
 
Registered: Aug 2007
Posts: 11

Original Poster
Rep: Reputation: 0
Thanks for the info!! I need to look at where I went wrong with not having to have a FORWARD rule at this point.

--David
 