LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
#1  GnomeKing, 11-02-2001, 05:13 PM
port forwarding


I want to forward everything that connects to my firewall on port 21 to an internal machine - I tried doing this, but it doesn't work....

$IPTABLES -t nat -A PREROUTING --dport 21 -j DNAT --to 192.168.1.37


FYI, here is the packet that I'm trying to allow through to my internal ftp server....
IN=eth1 OUT= MAC=00:20:af:cd:43:21:00:05:9a:d7:c8:8c:08:00 SRC=229.216.54.22 DST=62.253.134.15 LEN=60 TOS=0x00 PREC=0x00 TTL=42 ID=27377 DF PROTO=TCP SPT=4469 DPT=21 WINDOW=32120 RES=0x00 SYN URGP=0

any ideas?

ta :P


 
#2  phek, 11-05-2001, 02:41 PM
Well, I'll list here what you're specifically supposed to do, but I suggest you read a post I did the other day on this if you don't know what any of these options are...
http://www.linuxquestions.org/questi...&threadid=8108

I'm assuming your eth1 is connected to the inet or WAN and eth0 to your LAN

# Rewrite the destination of port-21 connections arriving on the WAN interface.
# (-o is not accepted in PREROUTING: the outgoing interface is not known until after routing.)
$IPTABLES -t nat -A PREROUTING -p TCP -i eth1 -d $INET_ADDRESS --dport 21 -j DNAT --to 192.168.1.37:21

# After DNAT the packet is filtered in FORWARD, so allow it there against the internal address.
$IPTABLES -A FORWARD -p TCP -o eth0 -d 192.168.1.37 --dport 21 -j ACCEPT
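
A complete version of the two-rule recipe above, added here as an example; it is not phek's code or anything else posted in this thread. It takes the thread's values as defaults (eth1 = WAN, eth0 = LAN, 62.253.134.15 = the firewall's public address taken from the DST field of GnomeKing's logged packet, 192.168.1.37 = the internal FTP server); the function and variable names are the example's own. It validates every parameter before interpolating it into a command, emits the PREROUTING DNAT rule with -p ahead of --dport and without -o, the FORWARD rule that lets the rewritten packet through, the return-traffic rule a FORWARD DROP policy needs, and the ip_forward sysctl, and only applies them when run as root with --apply:

```sh
#!/bin/sh
# Added example, not from the thread. Generates (and optionally applies) a
# complete iptables port-forward for one TCP/UDP service on a Linux NAT router.
# Defaults below are the thread's values; every name here is the example's own.

# valid_ipv4 ADDR  -> 0 if ADDR is four dotted decimal octets in 0-255
valid_ipv4() {
    case $1 in
        *[!0-9.]*|*..*|.*|*.|'') return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# valid_port PORT  -> 0 if PORT is an integer in 1-65535
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_port_forward_rules WAN_IF LAN_IF WAN_IP PROTO EXT_PORT INT_IP INT_PORT
# Prints the commands on stdout; returns 1 and prints nothing on bad input,
# so a typo cannot be spliced into a live rule.
gen_port_forward_rules() {
    wan_if=$1 lan_if=$2 wan_ip=$3 proto=$4 ext_port=$5 int_ip=$6 int_port=$7
    case $proto in tcp|udp) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac
    case "$wan_if$lan_if" in *[!a-zA-Z0-9._-]*|'') echo "bad interface name" >&2; return 1 ;; esac
    { valid_ipv4 "$wan_ip" && valid_ipv4 "$int_ip"; } || { echo "bad address" >&2; return 1; }
    { valid_port "$ext_port" && valid_port "$int_port"; } || { echo "bad port" >&2; return 1; }
    cat <<EOF
# 1. nat/PREROUTING: rewrite the destination of packets for $wan_ip:$ext_port arriving on $wan_if.
#    -p comes before --dport (--dport belongs to the tcp/udp match); -o is not valid here.
iptables -t nat -A PREROUTING -p $proto -i $wan_if -d $wan_ip --dport $ext_port -j DNAT --to-destination $int_ip:$int_port
# 2. filter/FORWARD sees the packet after DNAT, so match the internal address and port.
iptables -A FORWARD -p $proto -i $wan_if -o $lan_if -d $int_ip --dport $int_port -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# 3. Replies from the server also cross FORWARD and need a rule once the policy is DROP.
iptables -A FORWARD -i $lan_if -o $wan_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 4. The kernel does not route between interfaces until this is set.
sysctl -w net.ipv4.ip_forward=1
EOF
}

# Usage: print the thread's FTP case; add --apply as root to actually run it.
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" -eq 0 ]; then
    gen_port_forward_rules eth1 eth0 62.253.134.15 tcp 21 192.168.1.37 21 | sh -e
else
    gen_port_forward_rules eth1 eth0 62.253.134.15 tcp 21 192.168.1.37 21
fi
```

Two caveats for the FTP case specifically, which the thread does not get into: port 21 carries only the control channel, so the data connections need the kernel's FTP connection-tracking helpers (nf_conntrack_ftp and nf_nat_ftp; ip_conntrack_ftp and ip_nat_ftp on 2.4-era kernels) or an explicitly forwarded passive port range, and plain FTP sends credentials in cleartext across the port you have just exposed.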
 
#3  GnomeKing (original poster), 11-05-2001, 03:44 PM
Thanks a lot

that works

I did scroll through the subjects, but couldn't see anything about port forwarding with iptables, so gave up and posted :P

ta
 
#4  steppin_razor, 11-08-2001, 03:07 AM
I've tried "everything" and just can't get port forwarding working..

I've boiled down my IPtables config to something pretty simple. It still doesn't work. Any help would be appreciated..

eth1 = 209.55.100.126 (external)
eth0 = 10.0.0.x (internal LAN)


iptables -P INPUT DROP
iptables -A INPUT -i ! eth1 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 209.55.100.126

iptables -t nat -A PREROUTING -i eth1 -p TCP -d 209.55.100.126 --dport 80 -j DNAT --to 10.0.0.2:80
iptables -A FORWARD -i eth1 -o eth0 -p TCP -d 10.0.0.2 --dport 80 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/8 -j SNAT --to-source 209.55.100.126

iptables -t nat -A PREROUTING -i eth1 -p TCP -d 209.55.100.126 --dport 25 -j DNAT --to 10.0.0.2:25
iptables -A FORWARD -i eth1 -o eth0 -p TCP -d 10.0.0.2 --dport 25 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/8 -j SNAT --to-source 209.55.100.126


echo 1 > /proc/sys/net/ipv4/ip_forward
 
#5  phek, 11-08-2001, 01:22 PM
First, I'll go through and show you what's wrong with your old script, then I'll post a new one for you.

---------------------------------------------------------------------------
iptables -P INPUT DROP
iptables -A INPUT -i ! eth1 -j ACCEPT
#I'm not too great with the !'s, but -i eth0 works the same as long as you only have 1 LAN
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#it would be a good idea to use all protocols and put a destination address of your INET IP

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 209.55.100.126

iptables -t nat -A PREROUTING -i eth1 -p TCP -d 209.55.100.126 --dport 80 -j DNAT --to 10.0.0.2:80
#protocol should always go before device, otherwise you can get errors
iptables -A FORWARD -i eth1 -o eth0 -p TCP -d 10.0.0.2 --dport 80 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/8 -j SNAT --to-source 209.55.100.126
#don't need this line, because if you want to connect 2 computers already on your LAN you don't need a router;
#otherwise it could cause problems

iptables -t nat -A PREROUTING -i eth1 -p TCP -d 209.55.100.126 --dport 25 -j DNAT --to 10.0.0.2:25
iptables -A FORWARD -i eth1 -o eth0 -p TCP -d 10.0.0.2 --dport 25 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/8 -j SNAT --to-source 209.55.100.126
#again, you don't need this line


echo 1 > /proc/sys/net/ipv4/ip_forward
---------------------------------------------------------------------------

I didn't include it here, but make sure you flush, and it would be a good idea to declare the default FORWARD and OUTPUT policies as DROP
---------------------------------------------------------------------------

# default-deny for traffic addressed to the firewall itself; the LAN side is trusted
iptables -P INPUT DROP
iptables -A INPUT -i eth0 -j ACCEPT
# replies to connections the firewall itself opened, any protocol
iptables -A INPUT -p ALL -d 209.55.100.126 -m state --state ESTABLISHED,RELATED -j ACCEPT

# source-NAT LAN traffic leaving on the WAN interface to the public address
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 209.55.100.126

# web: rewrite the destination on the way in, then let it through FORWARD
iptables -t nat -A PREROUTING -p TCP -i eth1 -d 209.55.100.126 --dport 80 -j DNAT --to 10.0.0.2:80
iptables -A FORWARD -p TCP -i eth1 -o eth0 -d 10.0.0.2 --dport 80 -j ACCEPT

# mail: the same pair for port 25
iptables -t nat -A PREROUTING -p TCP -i eth1 -d 209.55.100.126 --dport 25 -j DNAT --to 10.0.0.2:25
iptables -A FORWARD -p TCP -i eth1 -o eth0 -d 10.0.0.2 --dport 25 -j ACCEPT

# enable routing between interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward
---------------------------------------------------------------------------

Let me know if this works; if not, let me know specifically what does and doesn't work (i.e. can connect to the internet but can't port forward).
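
The mistakes phek walks through above (an interface option in the wrong chain, --dport with no -p, source NAT on the LAN side, a DNAT with no matching FORWARD rule, a DROP policy with no return-traffic rule) are all visible in the text of a firewall script before it is ever loaded. The linter below is an added example, not something posted in this thread; it reads iptables command lines as typed into a script (not `iptables-save` output), takes the LAN interface name as its one argument, and reports each pitfall. The function names and the sample input are the example's own; the sample is constructed from the scripts above with phek's suggested FORWARD DROP policy added.

```sh
#!/bin/sh
# Added example, not from the thread: a linter for the mistakes discussed in
# this thread, run over iptables command lines as they appear in a firewall
# script (not over `iptables-save` output). The sample input at the bottom is
# constructed from the scripts posted above; all names here are the example's own.

nl='
'
findings=0

report() {
    echo "$1"
    findings=$((findings + 1))
}

# lint_iptables_script LAN_IF < script
# Prints one finding per line plus a final "FINDINGS: N" and always returns 0,
# so it can be called from a `set -e` script. Lines without "iptables" are skipped.
lint_iptables_script() {
    lan_if=$1
    findings=0
    dnats=""            # "ip port" pairs taken from DNAT targets, one per line
    fwd_accepts=""      # "ip port" pairs from FORWARD ... -j ACCEPT rules
    fwd_drop=0 fwd_est=0
    set -f              # no globbing while splitting rule text into words
    while IFS= read -r line; do
        case $line in *iptables*|*IPTABLES*) ;; *) continue ;; esac
        table=filter chain="" policy="" proto="" out_if="" dst="" dport="" target="" to="" states=""
        set -- $line
        while [ $# -gt 0 ]; do
            case $1 in
                -t)                     table=$2; shift ;;
                -A|-I)                  chain=$2; shift ;;
                -P)                     chain=$2 policy=$3; shift 2 ;;
                -p)                     proto=$2; shift ;;
                -o)                     out_if=$2; shift ;;
                -d)                     dst=${2%/32}; shift ;;
                --dport)                dport=$2; shift ;;
                -j)                     target=$2; shift ;;
                --to|--to-destination)  to=$2; shift ;;
                --state|--ctstate)      states=$2; shift ;;
            esac
            shift
        done
        if [ "$table" = nat ] && [ "$chain" = PREROUTING ] && [ -n "$out_if" ]; then
            report "ERROR: -o in PREROUTING (output interface is unknown before routing): $line"
        fi
        if [ -n "$dport" ] && [ -z "$proto" ]; then
            report "ERROR: --dport without -p tcp/udp (iptables rejects the rule): $line"
        fi
        if [ "$table" = nat ] && [ "$chain" = POSTROUTING ] && [ -n "$lan_if" ] && [ "$out_if" = "$lan_if" ]; then
            case $target in
                SNAT|MASQUERADE) report "WARN: source NAT on the LAN-facing interface (servers see the router, not the client): $line" ;;
            esac
        fi
        if [ "$table" = filter ] && [ "$chain" = FORWARD ] && [ "$policy" = DROP ]; then
            fwd_drop=1
        fi
        if [ "$table" = nat ] && [ "$target" = DNAT ] && [ -n "$to" ]; then
            case $to in
                *:*) dnats="$dnats${to%%:*} ${to##*:}$nl" ;;
                *)   dnats="$dnats$to $dport$nl" ;;
            esac
        fi
        if [ "$table" = filter ] && [ "$chain" = FORWARD ] && [ "$target" = ACCEPT ]; then
            case $states in *ESTABLISHED*) fwd_est=1 ;; esac
            if [ -n "$dst" ]; then fwd_accepts="$fwd_accepts$dst $dport$nl"; fi
        fi
    done
    set +f
    # Every DNAT target needs a FORWARD rule for the rewritten destination.
    while read -r ip port; do
        [ -n "$ip" ] || continue
        case $fwd_accepts in
            *"$ip $port$nl"*) ;;
            *) report "WARN: DNAT to $ip:$port has no FORWARD rule accepting -d $ip --dport $port" ;;
        esac
    done <<EOF
$dnats
EOF
    if [ "$fwd_drop" -eq 1 ] && [ "$fwd_est" -eq 0 ]; then
        report "WARN: FORWARD policy is DROP but nothing accepts ESTABLISHED,RELATED, so server replies are dropped"
    fi
    echo "FINDINGS: $findings"
    return 0
}

# Constructed sample: steppin_razor's script with phek's FORWARD DROP policy,
# the -o variant of the PREROUTING rule, and GnomeKing's original one-liner.
lint_iptables_script eth0 <<'EOF'
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -p ALL -d 209.55.100.126 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 209.55.100.126
iptables -t nat -A PREROUTING -p TCP -i eth1 -o eth0 -d 209.55.100.126 --dport 80 -j DNAT --to 10.0.0.2:80
iptables -A FORWARD -p TCP -i eth1 -o eth0 -d 10.0.0.2 --dport 80 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/8 -j SNAT --to-source 209.55.100.126
iptables -t nat -A PREROUTING -p TCP -i eth1 -d 209.55.100.126 --dport 25 -j DNAT --to 10.0.0.2:25
$IPTABLES -t nat -A PREROUTING --dport 21 -j DNAT --to 192.168.1.37
EOF
```

The linter only understands the options the thread uses plus their modern spellings (--to-destination, -m conntrack --ctstate), so it is a pre-commit check for scripts of this shape rather than a general iptables parser; the authoritative check is still to load the rules and read `iptables -t nat -L -n -v` and `iptables -L FORWARD -n -v` while a test connection is open.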
 
#6  steppin_razor, 11-08-2001, 02:30 PM
Eureka!

I figured out what my problem was. Apparently it wasn't my configuration (although I appreciate the feedback that I received)..

The problem was that I was running two NAT "firewalls" on my network and that the machine that had the services I wanted to port forward was not using my Linux firewall as its gateway.

My Network:

Win2K – 209.55.100.125/10.0.0.1 (default gateway for most machines on network – using RRAS to do NAT and port forwarding)

Services – 10.0.0.2 (i.e. email, dns, etc) – points to 10.0.0.1 as its default gateway

Linux – 209.55.100.126/10.0.0.3 (the dev firewall - hopefully soon to become my primary)

When a packet came in to 209.55.100.126, it was sent to Services – but the return path would take it to Win2K which would presumably eat the packet since it wouldn’t know what else to do..

This is a bummer because I was hoping to be able to have both firewalls running for a while..

Any way to work around this?
 
#7  phek, 11-08-2001, 02:40 PM
If you happen to have 2 IP addresses that you can use, that's the only way to really be able to test it while the other one is still up; otherwise, the closest I think you'll be able to get is this:

Machine A = Win2k = current gateway
Machine B = Linux router
Machine C = services

10.x.x.x = services network
192.168.x.x = network between the 2 routers
INET IP = internet IP

Basically, just set up your Win2K box so that all incoming packets get forwarded to the 192.168 address on the Linux box, then have the Linux box forward from Win2K to services. In theory, the only change you would need to make when switching to the Linux box as your main router is to change the 192.168 IP address to your INET IP address.
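
steppin_razor's diagnosis in #6 comes down to one question: which next hop does the internal server use for its reply to the Internet client? On the server itself `ip route get <client>` answers it; the function below, an added example and not code from this thread, answers it offline from a saved copy of the server's routing table by doing the same longest-prefix lookup over `ip route show` lines. The function names are the example's own; the routing table and client address are constructed from post #6's topology (Services at 10.0.0.2 defaulting to the Win2K gateway 10.0.0.1, the Linux firewall at 10.0.0.3) and the 229.216.54.22 source from GnomeKing's logged packet:

```sh
#!/bin/sh
# Added example, not from the thread: reproduce the check behind post #6's
# diagnosis offline. Given the internal server's routing table (as printed by
# `ip route show`) and the firewall's LAN address, work out which next hop the
# server would use for replies to an Internet client. If it is not the
# firewall, the DNAT'd connection is asymmetric and the other gateway sees
# (and, being a NAT box with no state for it, drops) the replies.
# All names here are the example's own.

# ip2int A.B.C.D  -> prints the address as an unsigned 32-bit integer
ip2int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# route_lookup DEST < routes
# Longest-prefix match of DEST over `ip route show` lines on stdin.
# Prints the gateway address, "direct" for an on-link route, or "none".
route_lookup() {
    dest=$(ip2int "$1")
    best_len=-1 best_hop=none
    while read -r prefix rest; do
        case $prefix in
            '')      continue ;;
            default) net=0 len=0 ;;
            */*)     net=$(ip2int "${prefix%/*}") len=${prefix#*/} ;;
            *)       net=$(ip2int "$prefix") len=32 ;;
        esac
        if [ "$len" -eq 0 ]; then
            mask=0
        else
            mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
        fi
        if [ $(( dest & mask )) -eq $(( net & mask )) ] && [ "$len" -gt "$best_len" ]; then
            best_len=$len
            case $rest in
                "via "*) set -- $rest; best_hop=$2 ;;
                *)       best_hop=direct ;;
            esac
        fi
    done
    echo "$best_hop"
}

# check_return_path FIREWALL_LAN_IP CLIENT_IP < server_routes
# Prints "symmetric" when the server's replies to CLIENT_IP go back through the
# firewall, otherwise "asymmetric via <hop>".
check_return_path() {
    hop=$(route_lookup "$2")
    if [ "$hop" = "$1" ]; then
        echo symmetric
    else
        echo "asymmetric via $hop"
    fi
}

# Constructed from post #6: Services (10.0.0.2) defaults to the Win2K gateway
# 10.0.0.1, the Linux firewall sits at 10.0.0.3, and the client is the
# 229.216.54.22 source seen in post #1's log line.
check_return_path 10.0.0.3 229.216.54.22 <<'EOF'
default via 10.0.0.1 dev eth0
10.0.0.0/8 dev eth0 proto kernel scope link src 10.0.0.2
EOF
```

With the table above the result is "asymmetric via 10.0.0.1", which is exactly the path steppin_razor describes. phek's chained-router layout avoids the problem by making the Linux box the only path in and out; another common fix, not discussed in this thread, is to source-NAT the DNAT'd connections on the router's LAN side so the server replies to the router, at the cost of the server logging the router's address instead of the real client's.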
 
  

