Old 01-17-2006, 03:20 PM   #1
LQ Newbie
Registered: Nov 2005
Distribution: Fedora Core 1
Posts: 4

Rep: Reputation: 0
port forwarding with iptables

I have a Linux box acting as a NAT firewall for my internal network. On the internal network is a server running on port 4000 on a Windows 2003 box.

I want to forward all connections into the firewall's public IP address on port 4000 to port 4000 on the Windows box, using iptables.

The Windows box's internal IP address is and the firewall's external interface's (public IP) address is I'm currently using the following iptables rules to do this. . .

iptables -A FORWARD -p tcp -s 0/0 -i eth0 -d --destination-port 4000 --syn -j ACCEPT

iptables -A PREROUTING -t nat -p tcp -i eth0 -d --destination-port 4000 -j DNAT --to-destination

Now these rules ARE WORKING as intended, with one exception: if I try to connect to from a PC on the internal network (i.e. 192.168.1.x), it doesn't work.

In other words, if I do

telnet 4000

from the outside of the private network, a connection is made, but if I do it from within the private network, it doesn't.

Can you tell me how I can correct the iptables rules so a connection to <external IP>:4000 can be made internally as well?

Incidentally, I know if I replace the Linux box firewall with an off-the-shelf router and config the router for port forwarding on 4000, it WILL do the above (i.e. allow the connection from both inside and outside the network).

Old 01-18-2006, 08:51 PM   #2
Registered: Nov 2000
Location: england
Distribution: latest Mandrake
Posts: 368

Rep: Reputation: 30
I think here you would have to run your rules again but amend them so that eth0 is replaced with your internal adapter eth1 (I presume).

Once that has been done I reckon it will fix the problem.

Also, once you have put the new rules in you could run iptables -L -v

This will show you how many packets have been touched by that rule.
Old 01-23-2006, 02:15 PM   #3
LQ Newbie
Registered: Nov 2005
Distribution: Fedora Core 1
Posts: 4

Original Poster
Rep: Reputation: 0
Well, if I replace eth0 with eth1, then packets coming from outside the network won't be routed to the Windows box.

That's not what I want; I want all TCP/IP traffic to on port 4000, whether from the internal LAN or the outside, to be routed to the Windows box.

BTW, I tried removing the "-i eth0" altogether, from both rules, but that didn't work.

I know this is doable; I just don't know how.
Old 01-23-2006, 04:20 PM   #4
LQ Newbie
Registered: Jul 2003
Posts: 1

Rep: Reputation: 0
Isn't this because the router/firewall doesn't support loopback?

Trying to access your boxes using the WAN IP (from your LAN IPs) won't work because of this.

Not sure if there is a way around it, but I think that's why it won't work.
Old 01-23-2006, 04:59 PM   #5
LQ Newbie
Registered: Nov 2005
Distribution: Fedora Core 1
Posts: 4

Original Poster
Rep: Reputation: 0
It is possible to access the firewall box from a LAN PC using the box's public IP, i.e.

if I do ping from a PC on the inside, I get a reply, and I can also, say, connect to a publicly available server running on the box by telnetting to its public IP address FROM the inside.

So what's the deal?
Old 03-12-2006, 05:37 AM   #6
Registered: Jan 2002
Distribution: Ubuntu 12.04.2 (Precise)
Posts: 90

Rep: Reputation: 16
What you need is a PREROUTING rule to check for traffic destined for your public IP at port 4000 coming from your LAN interface and DNAT it back to the internal box servicing that port - simple really!

If that does not work, then you need to provide a diagram of how your network is configured!
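As an added example (not code from any poster in this thread), here is the rule set post #6 describes, with one addition the LAN-to-LAN path needs in practice: a POSTROUTING MASQUERADE so that the server's replies go back through the firewall rather than straight to the LAN client. Interface names and all addresses are constructed placeholders; the script prints the rules by default and only applies them (and then shows the per-rule counters post #2 recommends checking) when run as root with APPLY=1.

```shell
#!/bin/sh
# Hairpin ("loopback") NAT for a port forward. Added example; interface names
# and addresses are constructed placeholders, override them via the environment.
WAN_IF=${WAN_IF:-eth0}                  # external interface
LAN_IF=${LAN_IF:-eth1}                  # internal interface
PUBLIC_IP=${PUBLIC_IP:-203.0.113.10}    # placeholder public address (TEST-NET-3)
LAN_NET=${LAN_NET:-192.168.1.0/24}
SERVER_IP=${SERVER_IP:-192.168.1.50}    # placeholder address of the internal server
PORT=${PORT:-4000}

# Print the rule set. Rules 1-2 rewrite the destination for traffic arriving on
# either interface; rule 3 is what the LAN-only case needs: without it the
# server answers the LAN client directly, the client sees a SYN-ACK from
# 192.168.1.50 for a connection it opened to 203.0.113.10, and rejects it.
hairpin_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp -d $PUBLIC_IP --dport $PORT -j DNAT --to-destination $SERVER_IP:$PORT
iptables -t nat -A PREROUTING -i $LAN_IF -p tcp -s $LAN_NET -d $PUBLIC_IP --dport $PORT -j DNAT --to-destination $SERVER_IP:$PORT
iptables -t nat -A POSTROUTING -o $LAN_IF -p tcp -s $LAN_NET -d $SERVER_IP --dport $PORT -j MASQUERADE
iptables -A FORWARD -p tcp -d $SERVER_IP --dport $PORT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -s $SERVER_IP --sport $PORT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Packet/byte counters per rule (the check suggested in post #2); needs root.
# A LAN test connection that works should bump rules 2 and 3, not rule 1.
show_counters() {
    iptables -t nat -L PREROUTING -v -n
    iptables -t nat -L POSTROUTING -v -n
    iptables -L FORWARD -v -n
}

if [ "${APPLY:-0}" = "1" ]; then
    hairpin_rules | sh -e       # apply for real (root required)
    show_counters
else
    hairpin_rules               # dry run: show what would be applied
fi
```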