Old 12-07-2003, 10:48 PM   #1
David_99
LQ Newbie
 
Registered: Jun 2003
Location: Toronto,Canada
Distribution: redhat
Posts: 6

Rep: Reputation: 0
port forwarding with iptables


Greetings,

After following the MASQ HOWTO with the stronger firewall ruleset and successfully connecting my LAN to the internet through a RedHat 9 box,
I couldn't forward port 8095 to the same port on one of my LAN computers (an Apache web server runs on 8095).
Here's what I've tried to insert (you can see that it's before the line where everything else is denied):
###enabling port forwarding byDave
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 8095 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 8095 -j DNAT --to 192.168.0.3:8095
###port forwarding end

#!!! this is the stuff that was there originally just here for reference
# Catch all rule, all other forwarding is denied and logged.
#
$IPTABLES -A FORWARD -j drop-and-log-it

So this is where port forwarding doesn't work.
Here's the output of the iptables -L command (between the ######## lines below).
Do I have a major security flaw here? And why doesn't the port forwarding work?
Thank you very much,
David
#####################################
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- 192.168.0.0/24 anywhere
drop-and-log-it all -- 192.168.0.0/24 anywhere
ACCEPT all -- anywhere 38002137.cpe.net.cable.rogers.com state RELATED,ESTABLISHED
drop-and-log-it all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:8095
drop-and-log-it all -- anywhere anywhere

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- 38002137.cpe.net.cable.rogers.com 192.168.0.0/24
ACCEPT all -- 192.168.0.0/24 192.168.0.0/24
drop-and-log-it all -- anywhere 192.168.0.0/24
ACCEPT all -- 38002137.cpe.net.cable.rogers.com anywhere
drop-and-log-it all -- anywhere anywhere

Chain drop-and-log-it (5 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level info
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
##################################
 
Old 12-08-2003, 12:50 AM   #2
zaphodiv
Member
 
Registered: Oct 2003
Distribution: Slackware
Posts: 388

Rep: Reputation: 30
Read this thread and this thread.
 
Old 12-08-2003, 07:06 PM   #3
David_99
LQ Newbie
 
Registered: Jun 2003
Location: Toronto,Canada
Distribution: redhat
Posts: 6

Original Poster
Rep: Reputation: 0
I've checked your other two posts.
They are somewhat related to my problem; however, I still couldn't get NAT to forward the port by adding the two lines described in your first link.

Could you give me more detail on what's wrong in my situation?

thanks,

David
 
Old 12-09-2003, 01:37 AM   #4
chrisfirestar
Member
 
Registered: Sep 2003
Location: Adelaide, Australia
Distribution: Fedora/RH
Posts: 231

Rep: Reputation: 30
As you may or may not know, iptables rules are specific to the order in which they are entered... I generally put my port forwarding somewhere near the top. If a rule handles the request before your port forward command, then it may not work anymore.

Try shuffling your order around...

Generally I would have them in this order:

# Default rules
# Port Forwarding
# Inputs from internet to firewall
 
Old 12-09-2003, 08:23 PM   #5
David_99
LQ Newbie
 
Registered: Jun 2003
Location: Toronto,Canada
Distribution: redhat
Posts: 6

Original Poster
Rep: Reputation: 0
OK, I figured it out...

Actually everything worked just fine!
The reason I was not able to see the web page is that I was trying to access it from my inside LAN, and it wouldn't let me see anything.
However, when I asked my friend to load the page from the internet, it worked.
 
Old 12-09-2003, 08:37 PM   #6
chrisfirestar
Member
 
Registered: Sep 2003
Location: Adelaide, Australia
Distribution: Fedora/RH
Posts: 231

Rep: Reputation: 30
Ahh, you will have to set rules in your iptables to allow local users to find it...

e.g.

$IPTABLES -t nat -A PREROUTING -i $INSIDE -s $LAN -d $EXT_IP -p tcp -m tcp --dport 80 -j DNAT --to $WEBSVR:80
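A complete version of the rules discussed in this thread (David's DNAT and FORWARD lines from post #1 together with the LAN-side "hairpin" DNAT from post #6), as an added example that is not from either poster. Interface names, the drop-and-log-it chain and the 203.0.113.10 public address are assumptions taken from or constructed for the thread. It also adds the POSTROUTING masquerade that the hairpin rule on its own lacks, so the web server's replies to LAN clients come back through the firewall instead of going straight to the client.

```shell
#!/bin/sh
# Added example: internet-to-LAN port forward for TCP 8095 plus the "hairpin"
# rules that let LAN hosts reach the server via the firewall's public address.
# Interfaces, addresses and the drop-and-log-it chain are assumptions taken
# from the thread; 203.0.113.10 is a constructed placeholder public address.
IPTABLES="${IPTABLES:-/sbin/iptables}"   # set IPTABLES=echo to preview rules
EXTIF="${EXTIF:-eth0}"                   # internet-facing interface
INTIF="${INTIF:-eth1}"                   # LAN-facing interface
EXT_IP="${EXT_IP:-203.0.113.10}"         # firewall's public address
LAN="${LAN:-192.168.0.0/24}"
WEBSVR="${WEBSVR:-192.168.0.3}"
PORT="${PORT:-8095}"

# DNAT does nothing unless the kernel is actually routing between interfaces.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

port_forward() {
    # 1. Rewrite the destination of inbound connections (PREROUTING runs before
    #    the FORWARD chain ever sees the packet, so order across tables is fine).
    $IPTABLES -t nat -A PREROUTING -i "$EXTIF" -p tcp --dport "$PORT" \
        -j DNAT --to-destination "$WEBSVR:$PORT"
    # 2. Hairpin: LAN clients that use the public address get the same rewrite...
    $IPTABLES -t nat -A PREROUTING -i "$INTIF" -s "$LAN" -d "$EXT_IP" \
        -p tcp --dport "$PORT" -j DNAT --to-destination "$WEBSVR:$PORT"
    # 3. ...and are masqueraded so the server answers via the firewall. Without
    #    this it replies straight to the client from 192.168.0.3, the client
    #    expected a reply from $EXT_IP, and the TCP handshake never completes.
    $IPTABLES -t nat -A POSTROUTING -o "$INTIF" -s "$LAN" -d "$WEBSVR" \
        -p tcp --dport "$PORT" -j MASQUERADE
    # 4. FORWARD only needs to admit NEW connections to that one host and port;
    #    replies already match the RELATED,ESTABLISHED rule from the HOWTO.
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" -d "$WEBSVR" -p tcp \
        --dport "$PORT" -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -i "$INTIF" -o "$INTIF" -d "$WEBSVR" -p tcp \
        --dport "$PORT" -m state --state NEW -j ACCEPT
    # 5. The catch-all stays last, exactly as in the original ruleset.
    $IPTABLES -A FORWARD -j drop-and-log-it
}

case "${1:-}" in
    apply)
        forwarding_enabled || echo "warning: net.ipv4.ip_forward is 0" >&2
        port_forward
        ;;
esac
```

Run `IPTABLES=echo sh forward.sh apply` to print the rules it would add, and `sh forward.sh apply` as root to install them; run it before the existing catch-all so the FORWARD ACCEPT is hit first.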
 