-   Linux - Networking (
-   -   iptables + NAT + Port forwarding problem (

SirGertrude 05-12-2004 12:30 AM

iptables + NAT + Port forwarding problem
Hi, I am having some trouble forwarding ports one my Gentoo router. Everything is working great except for the port forwarding. I figure it is probably a stupid mistake, but time is a factor here and I have not been able to come up with my own solution thus far. Any help would be greatly appreciated.

The goal: Forward external ports (eth0 to internal IP addresses (eth1 I am mainly concerned with port 80.

My current script:

#----Flush Old Rules----#
iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t mangle
iptables -F -t nat
iptables -X

#----Set Default Policies----#
iptables -P INPUT DROP

#------Turn on NAT------#
iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE

#----Enable IP forwarding (of incoming packets)----#
echo 1 > /proc/sys/net/ipv4/ip_forward

#----Port Frowarding----#
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2 -j DNAT --to
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3 -j DNAT --to
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 4 -j DNAT --to

#----NAT Firewall----#
iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#----Masq to Gateway----#
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth1 -d -p all -j ACCEPT

#----Net to Local----#
iptables -A INPUT -i eth0 -s 0/0 -d 0/0 -p tcp --dport 3784 -j ACCEPT
iptables -A INPUT -i eth0 -s 0/0 -d 0/0 -p tcp --dport 10000 -j ACCEPT
iptables -A INPUT -i eth0 -s 0/0 -d 0/0 -p tcp --dport 22 -j ACCEPT

#----Drop other Junk----#
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
iptables -A INPUT -p icmp -j DROP
iptables -A INPUT -p udp --sport 137 --dport 137 -j DROP

Again, any help is greatly appreciated. Thanks.

jslmg 05-12-2004 03:49 AM


Are you using a Gentoo Linux distribution, or another, such as RedHat?

maxut 05-12-2004 06:31 AM

#iptables -t nat -I PREROUTING ...
instead of
#iptables -t nat -A PREROUTING ..

SirGertrude 05-12-2004 12:42 PM

yes, I am using Gentoo.

I tried using "iptables -t nat -I PREROUTING..." instaid of "iptables -t nat -A PREROUTING..." and had no luck. Thanks for the idea.

phatboyz 05-12-2004 10:09 PM

Port 80? Seems like you want to serve HTTP requests? Most ISP block this port from the outside. Most of the time you cant get away with it. If you use a different port it should work.

SirGertrude 05-12-2004 11:03 PM

I wondered that also... I set up a webserver on the router and allowed connections to port 80 and was able to connect. I also use ports 2-4 for other traffic, which I am unable to connect to. I am sure it is a problem with my configuration on the linux box itself, but I cannot figure out where.

Thanks for the input. :)

maxut 05-13-2004 02:38 AM

try to make sure that the trouble is from iptables.

SirGertrude 05-13-2004 09:14 PM


I went to the website you recommended and had a custom script created. It worked great! I moved several lines from my old script to the new one and it is running beautifully. I compared the two and the only difference I noticed was the default policy "iptables -P FORWARD DROP" in the working script and the order of the commands. I assume one of those issues was causing my problem. Thank you for the help.

BTW... I would highly recommend to others who are attempting to set up a NAT router. I wish I had known about it before I wasted all that time troubleshooting my script.

maxut 05-14-2004 02:51 AM

he he maxnut?? who is it? my nick is maxut.
i am glad to hear that u solved your trouble.

yvesg 05-14-2004 05:02 AM

perhaps your ISP is blocking acces to the 80 port, to prevent you from running a webserver ...
I know overhere in Belgium, my ISP blocks all ports below 1024, this is also done for security reasons.

try to run your webserver on a higher port, like 2080.

You can also redirect your traffic, so you won't have to reconfigure your webserver. The requests are coming in at 2080, and are beeing redirected to your internal network to port 80.

All times are GMT -5. The time now is 09:19 AM.