IPTABLES #Port Forwarding

goldenmag · 11-18-2003, 03:27 PM

Hi,

I would like to Port Forward one of my linux server that is (in) my lan.
I has wondering if this rule would be ok?

#Port Forwarding
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 1234 -j DNAT --to 192.168.1.2:22
iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

The main goal is to be able to use ssh from my home to be able to connect to the office on my linux server with this address 192.168.1.2.

any help please?

best regards,

Ré

Capt_Caveman · 11-20-2003, 10:28 AM

If eth1 is your external interface and eth0 is the internal interface, everything looks OK, except for the --dport 1234 part. Are you planning on using an alternate ssh port or something? Under normal circumstances I would have expected that to be port 22 as well.

chrisfirestar · 11-21-2003, 03:34 AM

IPTABLES=/sbin/iptables
OUTSIDE=eth0

$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp -m tcp --dport 22 -j DNAT --to 192.168.1.2:22

now you must allow the incoming packets...

$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp -m tcp --dport 22 -j ACCEPT

or if you want to specify an IP to access it from try:
$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -s 202.172.12.134 -p tcp -m tcp --dport 22 -j ACCEPT

Hope this helps

Capt_Caveman · 11-21-2003, 06:17 AM

Quote:

Originally posted by chrisfirestar
IPTABLES=/sbin/iptables
OUTSIDE=eth0

$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp -m tcp --dport 22 -j DNAT --to 192.168.1.2:22

now you must allow the incoming packets...

$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp -m tcp --dport 22 -j ACCEPT

or if you want to specify an IP to access it from try:
$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -s 202.172.12.134 -p tcp -m tcp --dport 22 -j ACCEPT

Hope this helps

That would work, but I think you'd need a default FORWARD policy of ACCEPT. Otherwise the packets won't have any way to get across the box.

MrGreg · 11-21-2003, 07:10 AM

You'll have much better luck using the -I switch in any port forwarding manuever with iptables. The -A (append) always adds the rule to the END of the chain. Packets may be getting dealt with earlier on in the chain and never get a chance.

A good way to see the structure of your current tables is:

iptables -L --line-numbers | less

A great way to test new rules are with small scripts. One script for iptables -I; INSERTing the rules and an exact copy with the exception that all -I's are replaced with -D's for DELETE.