LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Old 11-17-2004, 07:19 AM   #1
Scrag
Member
 
Registered: Mar 2004
Location: Wisconsin
Distribution: Kali Linux
Posts: 122

Rep: Reputation: 15
How to port forward with IPTABLES...


Hi,

How would I set up port forwarding on my firewall below? For example, if I wanted to forward port 8080 to 192.168.0.5. Below is my firewall script. I have eth0 as my outside internet connection, and eth1 as the LAN. Any suggestions on how to improve this script in general would also be appreciated!!

I'm also using Red Hat 9.0 if this helps.

Thanks!

Code:
#!/bin/sh

# set a few variables
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
iptables="/sbin/iptables"
 
# adjust /proc
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then echo 1 > /proc/sys/net/ipv4/tcp_syncookies; fi
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter; fi
if [ -e /proc/sys/net/ipv4/ip_forward ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; fi
 
# flush any existing chains and set default policies
$iptables -F INPUT
$iptables -F OUTPUT
$iptables -P INPUT DROP
$iptables -P OUTPUT ACCEPT
 
# setup nat
$iptables -F FORWARD
$iptables -F -t nat
$iptables -P FORWARD DROP
$iptables -A FORWARD -i eth1 -j ACCEPT
$iptables -A INPUT -i eth1 -j ACCEPT
$iptables -A OUTPUT -o eth1 -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
 
# allow all packets on the loopback interface
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT
 
# allow established and related packets back in
$iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
 
# blocked hosts
#$iptables -I INPUT -s 212.5.86.163 -j DROP
#$iptables -I FORWARD -s 212.5.86.163 -j DROP
 
# icmp
$iptables -A OUTPUT -p icmp -m state --state NEW -j ACCEPT
$iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -p icmp --icmp-type echo-request -i eth0 -j DROP
 
# apply icmp type match blocking
$iptables -I INPUT -p icmp --icmp-type redirect -j DROP
$iptables -I INPUT -p icmp --icmp-type router-advertisement -j DROP
$iptables -I INPUT -p icmp --icmp-type router-solicitation -j DROP
$iptables -I INPUT -p icmp --icmp-type address-mask-request -j DROP
$iptables -I INPUT -p icmp --icmp-type address-mask-reply -j DROP
 
# open ports to the firewall
$iptables -A INPUT -p udp --dport 27960 -j ACCEPT #Q3 Games / Wolf
$iptables -A INPUT -p udp --dport 14567 -j ACCEPT #BF1942
$iptables -A INPUT -p udp --dport 20100 -j ACCEPT #SOF2
$iptables -A INPUT -p udp --dport 12300 -j ACCEPT #GameSpy
$iptables -A INPUT -p udp --dport 27900 -j ACCEPT #GameSpy
$iptables -A INPUT -p tcp --dport 28900 -j ACCEPT #GameSpy
$iptables -A INPUT -p udp --dport 23000:23009 -j ACCEPT #GameSpy
$iptables -A INPUT -p tcp --dport 22 -j ACCEPT    #SSH
$iptables -A INPUT -p tcp --dport 80 -j ACCEPT    #HTTP
$iptables -A INPUT -p tcp --dport 27666 -j ACCEPT #DOOM3
$iptables -A INPUT -p udp --dport 27666 -j ACCEPT #DOOM3
$iptables -A INPUT -p tcp --dport 27650 -j ACCEPT #DOOM3
$iptables -A INPUT -p udp --dport 27650 -j ACCEPT #DOOM3 
$iptables -A INPUT -p udp --dport 8767 -j ACCEPT  #TEAMSPEAK
$iptables -A INPUT -p tcp --dport 14534 -j ACCEPT #TS WEB ADMIN

# drop all other packets
$iptables -A INPUT -i eth0 -p tcp --dport 0:65535 -j DROP
$iptables -A INPUT -i eth0 -p udp --dport 0:65535 -j DROP
 
Old 11-17-2004, 08:51 AM   #2
PiLgRiM
Member
 
Registered: Jul 2004
Location: New York
Distribution: SuSE
Posts: 38

Rep: Reputation: 15
You'll want to add at least the following lines. I'm assuming you want to forward external port 8080 to internal 192.168.0.5 on port 80. I'm also assuming your eth1 is your external interface.

$iptables -A FORWARD -i eth1 -d 192.168.0.5 --protocol tcp --dport 80 -j ACCEPT
$iptables -A PREROUTING -i eth1 -t nat -p tcp --dport 8080 -j DNAT --to 192.168.0.5:80

You really should set up that first line as the following, where $ext_ip is your external IP address assigned to eth1.

$iptables -A PREROUTING -i eth1 -t nat -p tcp -d $ext_ip --dport 8080 -j DNAT --to 192.168.0.5:80
 
Old 11-17-2004, 09:04 AM   #3
RomKnight
LQ Newbie
 
Registered: Jul 2004
Posts: 23

Rep: Reputation: 15

[edit]it seems someone writes faster than me [/edit]

These are the iptables rules (EXAMPLE) required for port forwarding xxx.xxx.xxx.xxx:8888 to 192.168.0.2:80.

iptables -t nat -A PREROUTING -p tcp -i eth0 -d xxx.xxx.xxx.xxx --dport 8888 -j DNAT --to 192.168.0.2:80
iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.2 --dport 80 -j ACCEPT

Last edited by RomKnight; 11-17-2004 at 09:07 AM.
 
Old 11-17-2004, 09:10 AM   #4
Scrag
Member
 
Registered: Mar 2004
Location: Wisconsin
Distribution: Kali Linux
Posts: 122

Original Poster
Rep: Reputation: 15
T H A N K S !!!
 
Old 12-11-2004, 10:14 PM   #5
EastonRoyce
LQ Newbie
 
Registered: Dec 2004
Posts: 5

Rep: Reputation: 0
You'll have to forgive me, I'm a bit of a noob when it comes to IPTABLES. That script of yours is pretty shmick looking scrag. If I wanted to use a script based off of yours on my own system, where would I put it?? Thanks heaps in advance!
 
Old 12-12-2004, 02:14 AM   #6
Scrag
Member
 
Registered: Mar 2004
Location: Wisconsin
Distribution: Kali Linux
Posts: 122

Original Poster
Rep: Reputation: 15
I have this script saved as a file under /etc/rc.firewall. To load it automatically on boot you need to add the lines "cd /etc" and "./rc.firewall" to your startup file /etc/rc.d/rc.local. rc.local is your "load this on boot" file. Hope this helps, as I am typing while drunk. If not, let me know and I'll get back to you tomorrow when I am sober.
 
Old 12-13-2004, 04:57 AM   #7
EastonRoyce
LQ Newbie
 
Registered: Dec 2004
Posts: 5

Rep: Reputation: 0
Can I place the Port Forwarding Section any where in the script?
I have created the following rules to forward BitTorrent, are they correct? Thanks heaps in advance!

#Open Ports
$iptables -A INPUT -p tcp --dport 6881:6889 -j ACCEPT #BT


#Port Forward
# eth0 is the outside interface in this scenario, so the forwarded traffic arrives on eth0
$iptables -A FORWARD -i eth0 -d 192.168.0.203 --protocol tcp --dport 6881:6889 -j ACCEPT
# a port range in --to is written lo-hi, not lo:hi (only --dport uses the colon form)
$iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 6881:6889 -j DNAT --to 192.168.0.203:6881-6889

My eth0 and eth1 are the same as your own scenario.
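The forwarding rules from posts #2 and #7 collected into one reusable function, as an added example that is not from any poster: it emits both the PREROUTING DNAT rule and the matching FORWARD accept for a single port or a lo:hi range, and restricts the DNAT to the firewall's own public address as PiLgRiM suggested. It assumes the topology of Scrag's script (eth0 outside, eth1 LAN), an invented placeholder public address, and that IPTABLES=echo is set when you only want to see the rules.

```shell
#!/bin/sh
# Added example, not code from the thread: generate the DNAT + FORWARD pair for
# one port-forward on the thread's topology (eth0 = Internet, eth1 = LAN).
# Run with IPTABLES=echo (or "sh fwd.sh demo") to print the rules instead of
# loading them; the public address below is an assumed placeholder.
IPTABLES="${IPTABLES:-/sbin/iptables}"
EXT_IF="${EXT_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
EXT_IP="${EXT_IP:-203.0.113.10}"

# port_forward PROTO EXT_PORT INT_IP INT_PORT
# Ports may be single values or ranges written lo:hi (iptables --dport syntax).
# Returns 1 without emitting any rule if the arguments are malformed.
port_forward() {
    proto=$1; ext_port=$2; int_ip=$3; int_port=$4
    case "$proto" in tcp|udp) ;; *) echo "port_forward: bad protocol '$proto'" >&2; return 1 ;; esac
    case "$ext_port$int_port" in ''|*[!0-9:]*) echo "port_forward: bad port spec" >&2; return 1 ;; esac
    # --to-destination writes a range as lo-hi, not lo:hi, so translate it here.
    to_port=$(printf '%s' "$int_port" | tr ':' '-')
    # 1. Rewrite the destination before routing. Matching -d "$EXT_IP" keeps the
    #    rule from grabbing traffic that merely transits eth0 for some other host.
    "$IPTABLES" -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p "$proto" \
        --dport "$ext_port" -j DNAT --to-destination "$int_ip:$to_port"
    # 2. The FORWARD chain sees the packet after DNAT, so it must match the
    #    internal host and internal port. Replies ride the ESTABLISHED,RELATED
    #    FORWARD rule in Scrag's script; only NEW connections need opening.
    "$IPTABLES" -A FORWARD -i "$EXT_IF" -o "$LAN_IF" -d "$int_ip" -p "$proto" \
        --dport "$int_port" -m state --state NEW -j ACCEPT
}

# Dry-run demo for the two cases raised in the thread.
case "${1:-}" in
    demo)
        IPTABLES=echo
        port_forward tcp 8080 192.168.0.5 80                  # web server, post #2
        port_forward tcp 6881:6889 192.168.0.203 6881:6889    # BitTorrent, post #7
        ;;
esac
```

Because Scrag's FORWARD chain holds only ACCEPT rules under a DROP policy, the FORWARD rule can sit anywhere after the -F and -P lines, and the nat-table PREROUTING rule is independent of the filter chains entirely.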
 