I have the following problem.
I want to forward connections from port 8080 on my external server to port 80 on my internal server.
Two lines below don't work.
iptables -t nat -A PREROUTING -p tcp -i eth1 -d xxx.xxx.xxx.xxx --dport 8080 -j DNAT --to 192.168.1.2 :80
iptables -A FORWARD -p tcp -i eth1 -d 192.168.1.2 --dport 80 -j ACCEPT

where eth1 is the external interface of the gateway system (eth0 is internal). xxx.xxx.xxx.xxx is my static external IP address of the gateway and 192.168.1.2 is the ip address of the internal server. Gateway system is Debian 4 and internal server uses windows vista.
I use PPPoEd to provide Internet to internal computer.

I read that on the internal machine the gateway must be set to the internal IP of the external machine but I don't know how to set the gateway because the PPPoEd set it to nothing (in status window of pppoe connection in vista Default Gateway field is blank).

This is script that I use:
EXT=eth1
INT=eth0

iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! $EXT -j ACCEPT
iptables -A FORWARD -i $EXT -o $INT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -i $INT -o $EXT -j ACCEPT

iptables -t nat -A POSTROUTING -o $EXT -j MASQUERADE

iptables -A FORWARD -i $EXT -o $INT -j REJECT

iptables -t mangle -A PREROUTING -i $EXT -j TTL --ttl-inc 1
iptables -t mangle -A POSTROUTING -s 192.168.1.0/24 -o $EXT -j TTL --ttl-set 64

iptables -t nat -A PREROUTING -p tcp -i eth1 -d xxx.xxx.xxx.xxx --dport 8080 -j DNAT --to 192.168.1.2:80
iptables -A FORWARD -p tcp -i eth1 -d 192.168.1.2 --dport 80 -j ACCEPT


If someone has an idea why this port forwarding isn't working please help!
Thanks in advance!

Unfortunately, iptables does pay attention to the order of the rules that you specify. If you list the rules in your FORWARD chain (iptables -nvL FORWARD), I think you will find that there is a rule that rejects traffic coming into the firewall from the outside that precedes the specialized rule about port 80 traffic (which has very probably been DNATted correctly before the firewall discards it during processing of the FORWARD chain). If you move the rule that accepts port 80 traffic up in your script so that it precedes the blanket rejection rule, things should work better.

When I comment this line:
iptables -A FORWARD -i $EXT -o $INT -j REJECT
there is no effect.

Complete situation

xxx.xxx.xxx.xxx - my external IP
xxx.xxx.xxx.0 - ISP network
xxx.xxx.xxx.1 - ISP gateway
dns.dns.dns.dns - ISP DNS

10.11.12.0 - my local (internal) network
10.11.12.13 - my internal IP (Debian machine, the router)

10.11.12.14 - my other computer (vista machine, to which I want to forward packets)

eth0 - internal interface (local network)
eth1 - external interface

in /proc/sys/net/ipv4/ip_forward

1

in /etc/sysctl.conf

net.ipv4.conf.default.forwarding=1
net.ipv4.ip_forward = 1

ifconfig -a

eth0 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
inet addr:10.11.12.13 Bcast:10.11.12.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3997 errors:0 dropped:0 overruns:69 frame:0
TX packets:4965 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:652783 (637.4 KiB) TX bytes:4246737 (4.0 MiB)
Interrupt:177 Base address:0x4c00

eth1 Link encap:Ethernet HWaddr yy:yy:yy:yy:yy:yy
inet addr:xxx.xxx.xxx.xxx Bcast:xxx.xxx.xxx.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:21830 errors:0 dropped:0 overruns:0 frame:0
TX packets:6528 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:6875496 (6.5 MiB) TX bytes:1152166 (1.0 MiB)
Interrupt:169 Base address:0xd800

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:4046 errors:0 dropped:0 overruns:0 frame:0
TX packets:4046 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1270416 (1.2 MiB) TX bytes:1270416 (1.2 MiB)

sit0 Link encap:IPv6-in-IPv4
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

route -n

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
xxx.xxx.xxx.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
10.11.12.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 xxx.xxx.xxx.1 0.0.0.0 UG 0 0 0 eth1

I use this script:

EXT=eth1
INT=eth0

iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! $EXT -j ACCEPT
iptables -A FORWARD -i $EXT -o $INT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accept outgoing packets from internal network
iptables -A FORWARD -i $INT -o $EXT -j ACCEPT

iptables -t nat -A POSTROUTING -o $EXT -j MASQUERADE

# TTL settings
iptables -t mangle -A PREROUTING -i $EXT -j TTL --ttl-inc 1
iptables -t mangle -A POSTROUTING -s 10.11.12.0/24 -o $EXT -j TTL --ttl-set 64

# port 8080 to port 80
iptables -t nat -A PREROUTING -p tcp -i eth1 -d xxx.xxx.xxx.xxx --dport 8080 -j DNAT --to 10.11.12.14:80
iptables -A FORWARD -p tcp -i eth1 -d 10.11.12.14 --dport 80 -j ACCEPT

end of script



iptables -L -n

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0 state NEW

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 10.11.12.14 tcp dpt:80

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

iptables -t nat -L -n

Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 xxx.xxx.xxx.xxx tcp dpt:8080 to:10.11.12.14:80

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE 0 -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

iptables -t mangle -L -n

Chain PREROUTING (policy ACCEPT)
target prot opt source destination
TTL 0 -- 0.0.0.0/0 0.0.0.0/0 TTL increment by 1

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
TTL 0 -- 10.11.12.0/24 0.0.0.0/0 TTL set to 64

the internal machine (which use vista)

ipconfig -all

Ethernet adapter Local Area Connection:


Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : 10/100 Ethernet
Physical Address. . . . . . . . . : xx-xx-xx-xx-xx-xx
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.11.12.14(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.11.12.13
DNS Servers . . . . . . . . . . . : dns.dns.dns.dns
NetBIOS over Tcpip. . . . . . . . : Enabled

when I type http://10.11.12.14:80 I see index.html on the internal machine
when I type http://xxx.xxx.xxx.xxx:80 I see index.html on the external machine
when I type http://xxx.xxx.xxx.xxx:8080 I see index.html on the external machine again, but not index.html on the internal machine
(my external machine listen on both 80 and 8080 ports, the internal - only on 80)

I think there is a problem with this line in routing table

10.11.12.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0

Your route table looks right to me. Let me inquire about the details of your experiment, though. Did you ask a browser on the Debian machine to look up the pages by address, or did you ask the Vista machine to do it, or did you ask a machine elsewhere on the Internet to do it?

The reason that I ask this is that packets from a browser on your Debian machine will not flow through the external interface, but rather through the loopback interface, which does not have any port-redirection specified for it in your iptables rules.

And it probably does not matter for solving this problem, but if you have a static IP address for your external ethernet port, you should probably be using a SNAT rule in the nat table, rather than a MASQUERADE rule.

You are right when the address is loaded from the Internet the redirecting works. Thank you, and sorry for lamer's question!