LinuxQuestions.org


arashi256 03-03-2010 11:07 AM

iptables and port forwarding
 
I'm trying to set up IP masquerading under iptables. Essentially, I want to forward any traffic to port 7070 on a static IP address machine to a DHCP assigned address (192.168.1.*) machine behind it to port 80 since we've got no public IP addresses spare. After reading up on iptables, I figured this should work as a config (/etc/sysconfig/iptables) on the static IP machine:

Code:

-A PREROUTING -p tcp -i eth0 --dport 7070 -j DNAT --to 192.168.1.8:80
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p tcp -i eth0 -o eth0 -d 192.168.1.8 --dport 80 -m state --state NEW -j ACCEPT

...but when restarting the iptables service, it complains about the first line (but fails to explain why). What am I doing wrong?

I've enabled ip_forward = 1 module.

I'm also not sure if I should be editing the /etc/sysconfig/iptables file directly....how should this be done usually? I'm using Fedora 12.

smoker 03-03-2010 11:44 AM

So you are using NAT then ?

Read the docs :

http://www.redhat.com/docs/manuals/e...rerouting.html

You can read the previous few pages to read about NAT and masquerading.

nimnull22 03-03-2010 11:45 AM

Quote:

Originally Posted by arashi256 (Post 3884117)
...
I'm trying to set up IP masquerading under iptables. Essentially, I want to forward any traffic to port 7070 on a static IP address machine to a DHCP assigned address (192.168.1.*)
...

1. Masquerading and forwarding are two different tasks.
2. Forwarding traffic to a DHCP assigned IP is difficult, because who knows which IP your host will get next time. I suggest giving it a static IP, like 192.168.1.20.

Can you do it?

spampig 03-03-2010 11:54 AM

This is nothing more than a wild guess, so apologies if it does not help you:

Insert the rule:
Quote:

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 7070 -j DNAT --to-destination 192.168.1.8:80
If it does not work remove it like this....
Quote:

iptables -t nat -D PREROUTING -p tcp -i eth0 --dport 7070 -j DNAT --to-destination 192.168.1.8:80
It may stop your error, but I can't say if it will do what you want!

arashi256 03-03-2010 01:08 PM

Thanks spampig for your helpful response - I'll try it. I gather using "iptables" from the command-line is different to inserting this rule directly into the iptables config file? I've inserted rules like this before, but they don't seem to be reflected in the /etc/sysconfig/iptables config file. Where are these rules stored if not there? I'd prefer to add these directives directly to some sort of configuration file, if possible.

arashi256 03-04-2010 09:19 AM

No, didn't work. Ah well.

arashi256 03-10-2010 07:02 AM

Managed it...:D

In case anyone else wants to do something similar...

iptables-config:
Code:

IPTABLES_MODULES="iptable_nat"

iptables:
Code:

*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A PREROUTING -i eth0 -p tcp --dport 7070 -j DNAT --to-destination 192.168.1.8:80
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -m state --state NEW -m tcp -p tcp -d 192.168.1.8 --dport 80 -j ACCEPT
COMMIT
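A small lint for the iptables-save style file shown above, added here as an example and not posted in the thread. It is plain sh plus awk and assumes the *table / COMMIT layout of /etc/sysconfig/iptables; it reports NAT targets that sit outside the nat table (the opening post's rules had no *nat header), a table without COMMIT, and a DNAT destination with no FORWARD ACCEPT for it in *filter.

```shell
#!/bin/sh
# Lint an iptables-save style file (Fedora's /etc/sysconfig/iptables) before the
# iptables service loads it. Added example, not from the thread. Flags: a DNAT/
# SNAT/MASQUERADE rule outside "*nat", a "*table" with no COMMIT, and a DNAT
# target with no FORWARD ACCEPT for it in "*filter".
# Exit status 0 = clean, 1 = one or more findings printed.
check_iptables_config() {
    awk '
    BEGIN { table = "<none>"; bad = 0 }
    /^\*/     { table = substr($0, 2); seen[table] = 1; committed[table] = 0; next }
    /^COMMIT/ { committed[table] = 1; next }
    /^:/ || /^#/ || /^[ \t]*$/ { next }      # chain policies, comments, blank lines
    /^-A/ {
        # NAT targets are only valid in the nat table
        if ($0 ~ /-j (DNAT|SNAT|MASQUERADE)/ && table != "nat") {
            printf("line %d: NAT target in table %s, must be under *nat: %s\n", NR, table, $0)
            bad = 1
        }
        # remember each DNAT destination (addr:port) to look for its FORWARD rule
        if ($0 ~ /-j DNAT/ && match($0, /--to(-destination)? +[^ ]+/)) {
            dst = substr($0, RSTART, RLENGTH); sub(/^--to[^ ]* +/, "", dst)
            dnat[dst] = NR
        }
        if (table == "filter" && $0 ~ /^-A FORWARD / && $0 ~ /-j ACCEPT/) fwd = fwd $0 "\n"
    }
    END {
        for (t in seen) if (!committed[t]) { printf("table *%s has no COMMIT\n", t); bad = 1 }
        for (d in dnat) {
            n = split(d, p, ":")                  # p[1] = address, p[2] = port if given
            if (fwd !~ ("-d " p[1] "[ /]") || (n == 2 && fwd !~ ("--dport " p[2] "[^0-9]"))) {
                printf("line %d: DNAT to %s has no FORWARD ACCEPT in *filter\n", dnat[d], d)
                bad = 1
            }
        }
        exit bad
    }' "$1"
}

# Demo: the three rules from the opening post, written to a temp file here (constructed
# input). The DNAT rule has no *nat header above it, unlike the working file above.
demo_original_config() {
    f=$(mktemp)
    printf '%s\n' \
      '-A PREROUTING -p tcp -i eth0 --dport 7070 -j DNAT --to 192.168.1.8:80' \
      '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT' \
      '-A FORWARD -p tcp -i eth0 -o eth0 -d 192.168.1.8 --dport 80 -m state --state NEW -j ACCEPT' > "$f"
    check_iptables_config "$f"; rc=$?
    rm -f "$f"; return $rc
}
```

Run it as `check_iptables_config /etc/sysconfig/iptables` before restarting the service; `demo_original_config` prints the two findings for the opening post's rules.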


