I've only been using RedHat for about 6 months. I have read a lot about IP tables but I'm not confident that I can say "I know iptables". I've tried gShield, Firestarter, Guarddog... Other independantly made scripts... And I cant get this to work. Stop traffic, yes! But what I want is to forward my incoming port 80 requests to another machine. I have a dual-homed system with static IPs running Redhat 9 or Fedora Core 1... Take your pic! I really need to get this up and I really appreciate any definite help. Again, I have no problem blocking services or allowing telnet to that machine or using it as a gateway. The only problem is using it to forward port requests. Thanks again for your help!

MadTurki

I think the command you want is:

iptables -A PREROUTING -p tcp --dport 80 -j DNAT --to <insert webserver ip here>

Hopefully that helps.

-Dewar

I tried that but had no luck... I'll post the iptables file I was using ->

Okay so, that line you suggested wasn't in that one... But I swear it was there! I'll try it again.. Please keep suggestions coming though!

Do you have ip_forward enabled?
If that is set to 0, then it is disabled and needs to be enabled.

I thought I'd done the echo 1 /proc/.../ip_forward thing but I discovered that when I do a "service network restart" it resets that to a 0. And it didn't work without restarting it either. I replaced the 7th line with the one you suggested Dewar but still no luck. Could this be a network settings problem? Do I need to add a route somewhere maybe?

Hmmm, it can't be your default gateway on the firewall, because you still have traffic going through, right....?

Oh, I know! I forgot to put something in the command I wrote. Try....

iptables -A PREROUTING -i <put external interface here> -p tcp --dport 80 -j DNAT --to <insert webserver ip here>
(example: iptables -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.12)

And if that doesn't work, try changing the -A to a -I to add the rule at the start of the chain.

-Dewar

Edit: Another silly question.... Is apache turned on?
Second Edit: Also, maybe the default gateway on the webserver is wrong?

Still no... Not with -A or -I. I'm not running Apache on the firewall. It is running on 1.12 though and I can access it with lynx to the local IP of the web server. My dg on the ext. nic is correct. On the internal nic I dont have one specified but I have a route for 192.168.1.0 to the other (windows) gateway.

Did you ever get it working? Could you post how?

Check this out if it helps....

##################################################
iptables -F -t nat

Then fire this rule --

iptables -I PREROUTING -p tcp -d {IP-on-external-interface} --dport 80 -j DNAT --to {local-ip} -t nat

iptables -I FORWARD -j ACCEPT -t filter

i don't know if he got it working, but this is done like this (main commands are in bold, while the rest is provided for completeness):

take a look at the script... it should serve u... change as your need..

#!/bin/sh
#
# rc.firewall - Initial SIMPLE IP Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001 Oskar Andreasson &lt;blueflux@koffein.net&gt;
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA 02111-1307 USA
#

###########################################################################
#
# 1. Configuration options.
#

###########################################################################
#
# Local Area Network configuration.
#
# your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP adress. the same as netmask 255.255.255.0
#

LAN_IP="192.168.0.2"
LAN_IP_RANGE="192.168.0.0/16"
LAN_BCAST_ADRESS="192.168.255.255"
LAN_IFACE="eth1"

###########################################################################
#
# Localhost Configuration.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

###########################################################################
#
# Internet Configuration.
#

INET_IP="194.236.50.155"
INET_IFACE="eth0"

###########################################################################
#
# IPTables Configuration.
#

IPTABLES="/usr/sbin/iptables"

###########################################################################
#
# 2. Module loading.
#

#
# Needed to initially load modules
#
/sbin/depmod -a

#
# Adds some iptables targets like LOG, REJECT and MASQUARADE.
#
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE

#
# Support for owner matching
#
#/sbin/modprobe ipt_owner

#
# Support for connection tracking of FTP and IRC.
#
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc


###########################################################################
#
# 3. /proc set up.
#
# Enable ip_forward if you have two or more networks, including the
# Internet, that needs forwarding of packets through this box. This is
# critical since it is turned off as default in Linux.
#

echo "1" > /proc/sys/net/ipv4/ip_forward

#
# Dynamic IP users:
#
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################################################
#
# 4. IPTables rules set up.
#
# Set default policies for the INPUT, FORWARD and OUTPUT chains.
#

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# bad_tcp_packets chain
#
# Take care of bad TCP packets that we don't want.
#

$IPTABLES -N bad_tcp_packets
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# Do some checks for obviously spoofed IP's
#

$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 192.168.0.0/16 -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 10.0.0.0/8 -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 172.16.0.0/12 -j DROP

#
# Enable simple IP Forwarding and Network Address Translation
#

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

#
# Bad TCP packets we don't want
#

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

#
# Accept the packets we actually want to forward
#

$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#
# Create separate chains for ICMP, TCP and UDP to traverse
#

$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets

#
# The allowed chain for TCP connections
#

$IPTABLES -N allowed
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# ICMP rules
#

# Changed rules totally
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# TCP rules
#

$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed

#
# UDP ports
#

# nondocumented commenting out of these rules
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT

##########################
# INPUT chain
#
# Bad TCP packets we don't want.
#

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Rules for incoming packets from the internet.
#

$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets

#
# Rules for special networks not part of the Internet
#

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "

###############################
# OUTPUT chain
#
#
# Bad TCP packets we don't want.
#

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

#
# Special OUTPUT rules to decide which IP's to allow.
#

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

I build a file to port my machines. (ie prtfwd) thin chmod 775, install it in my rc.local
(ie /usr/sbin/prtfwd) this way you can tinker with it and make changes without having to disturb the main rule and restart it all the time. It looks like this.

Of course the 0.0.0.0 is your out side ip, notice the ports that look like 27650:27970, a range of ports or single. Works good for me. Great if you have a lan party and want to host several games on different ports or machiens. Hope this helps

I also did the same thing... i modified the script and now i only execute the file. no restart. it depends on your need and practice... do some editing in the script. use a service iptables save and then service iptables restart at the bottom of the script... that i used to do...

Yea thats why I 775 it. So now I just /usr/sbin/prtfwd when I make a change. But its a good idea to put it in the rc.local that way if ya reboot it's there