Old 01-13-2004, 02:25 AM   #1
BenGroeneveld
LQ Newbie
 
Registered: Jan 2004
Location: Bend, OR
Posts: 1

Rep: Reputation: 0
port forwarding trials and tribulations


I got my firewall working satisfactorily, or so it seems, but I cannot get port forwarding to my internal 192.168.254.200 www machine to succeed. This is my iptables script. Internet is eth0 and my LAN is eth1. Any help would be greatly, greatly appreciated. Thanks, BenG.

# Kernel settings have been set in /etc/sysctl.conf

# Reset

/sbin/iptables -v -F
/sbin/iptables -v -X
/sbin/iptables -v -Z
/sbin/iptables -t nat -F
/sbin/iptables -t nat -X
/sbin/iptables -t nat -Z
/sbin/iptables -t mangle -F
/sbin/iptables -t mangle -X
/sbin/iptables -t mangle -Z

# Set Policies

/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD DROP

# Allow self access by loopback interface
/sbin/iptables -A INPUT -i lo -p all -j ACCEPT

# Accept Established Connections
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accept New Internal Connections
/sbin/iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT

# Port Forwarding is enabled, so accept forwarded traffic for my www
/sbin/iptables -A FORWARD -p tcp --dport 80 -d 192.168.254.200 -i eth0 -j ACCEPT

# Set up IP FORWARDing
/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED \
-j ACCEPT
/sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

# Port Forwarding for my www
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT \
--to-destination 192.168.254.200

# Set up IP Masquerading
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
 
Old 01-13-2004, 03:17 PM   #2
ac1980
Member
 
Registered: Aug 2003
Location: Trento, Italy
Distribution: Debian testing
Posts: 394

Rep: Reputation: 30
Are you sure the DNAT chain falls back into the FORWARD one?
I use shorewall as an encapsulation for iptables; it makes things a lot easier, while still being fully flexible. You may give it a try.
 
Old 01-13-2004, 03:44 PM   #3
WeNdeL
Member
 
Registered: Oct 2002
Location: At my desk...
Distribution: RedHat, Fedora, Ubuntu
Posts: 344

Rep: Reputation: 30
From my iptables script:

$IPTABLES -t nat -A PREROUTING -i $INTERNET -p tcp --sport $SOME_SOURCE_PORT -d $EXT_IPADDR --dport $SOME_DEST_PORT -j DNAT --to-destination $SOME_INTERNAL_IP

$IPTABLES -A FORWARD -i $INTERNET -o $LAN -p tcp --sport $SOME_SOURCE_PORT -d $SOME_INTERNAL_IP --dport $SOME_DEST_PORT -j ACCEPT

This should do the trick...

And note that Masquerading is for something like a dial-up connection. It is not for NAT.

Last edited by WeNdeL; 01-13-2004 at 03:45 PM.
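
An added example, not part of any post in this thread: a small Python check for the DNAT/FORWARD pairing discussed above. The nat PREROUTING chain rewrites the destination before the filter FORWARD chain is evaluated, so the FORWARD ACCEPT rule has to match the internal address and port and must admit NEW packets; the function names are hypothetical and the sample rule text is constructed from the first post's two port-forward rules.

```python
import ipaddress
import shlex

# Constructed sample: the two port-forward rules from the first post, joined onto single lines.
RULES = """\
/sbin/iptables -A FORWARD -p tcp --dport 80 -d 192.168.254.200 -i eth0 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.254.200
"""

def parse(script):
    """Turn iptables command lines into dicts of option -> value ('!' negation is not interpreted)."""
    rules = []
    for line in script.replace("\\\n", " ").splitlines():
        tokens = shlex.split(line, comments=True)
        if not tokens or not tokens[0].endswith("iptables"):
            continue
        opts, args, i = {"-t": "filter"}, tokens[1:], 0
        while i < len(args):
            has_value = i + 1 < len(args) and not args[i + 1].startswith("-")
            opts[args[i]] = args[i + 1] if has_value else True
            i += 2 if has_value else 1
        rules.append(opts)
    return rules

def admits(rule, dnat, ip, port):
    """True if a filter/FORWARD ACCEPT rule lets the first packet through after translation."""
    if (rule["-t"], rule.get("-A"), rule.get("-j")) != ("filter", "FORWARD", "ACCEPT"):
        return False
    if any(k in rule and rule[k] != dnat.get(k) for k in ("-i", "-p")):
        return False
    if "--dport" in rule and rule["--dport"] != port:
        return False
    if "--state" in rule and "NEW" not in rule["--state"].split(","):
        return False  # ESTABLISHED,RELATED alone never matches the opening SYN
    dest = rule.get("-d")  # FORWARD sees the rewritten destination, not the external one
    return dest is None or ipaddress.ip_address(ip) in ipaddress.ip_network(dest, strict=False)

def unreachable_dnat(script):
    """Return (ip, port) for every PREROUTING DNAT target that no FORWARD rule admits."""
    rules, missing = parse(script), []
    for r in rules:
        if (r["-t"], r.get("-A"), r.get("-j")) != ("nat", "PREROUTING", "DNAT"):
            continue
        ip, _, new_port = r["--to-destination"].partition(":")
        port = new_port or r.get("--dport")
        if not any(admits(f, r, ip, port) for f in rules):
            missing.append((ip, port))
    return missing
```

Calling `unreachable_dnat()` on the text of a rules script returns an empty list when every DNAT target is covered. The check ignores `-o`, `-s` and `--sport` matches and rule order, so it is a sanity check on the pairing rather than a full rule evaluation.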
 
  

