Old 11-17-2004, 08:19 AM   #1
How to port forward with IPTABLES...


How would I set up port forwarding on my firewall below? For example, if I wanted to forward port 8080 to Below is my firewall script. I have eth0 as my outside internet connection, and eth1 as the LAN. Any suggestions on how to improve this script in general would also be appreciated!

I'm also using Red Hat 9.0, if this helps.



# set a few variables
# path to the iptables binary; every rule below references $iptables
iptables=/sbin/iptables
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
# adjust /proc
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then echo 1 > /proc/sys/net/ipv4/tcp_syncookies; fi
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter; fi
if [ -e /proc/sys/net/ipv4/ip_forward ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; fi
# flush any existing chains and set default policies
$iptables -F INPUT
$iptables -F OUTPUT
$iptables -P INPUT DROP
$iptables -P OUTPUT ACCEPT
# setup nat
$iptables -F FORWARD
$iptables -F -t nat
$iptables -P FORWARD DROP
$iptables -A FORWARD -i eth1 -j ACCEPT
$iptables -A INPUT -i eth1 -j ACCEPT
$iptables -A OUTPUT -o eth1 -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE
# allow all packets on the loopback interface
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT
# allow established and related packets back in
$iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# blocked hosts
#$iptables -I INPUT -s -j DROP
#$iptables -I FORWARD -s -j DROP
# icmp
$iptables -A OUTPUT -p icmp -m state --state NEW -j ACCEPT
$iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -p icmp --icmp-type echo-request -i eth0 -j DROP
# apply icmp type match blocking
$iptables -I INPUT -p icmp --icmp-type redirect -j DROP
$iptables -I INPUT -p icmp --icmp-type router-advertisement -j DROP
$iptables -I INPUT -p icmp --icmp-type router-solicitation -j DROP
$iptables -I INPUT -p icmp --icmp-type address-mask-request -j DROP
$iptables -I INPUT -p icmp --icmp-type address-mask-reply -j DROP
# open ports to the firewall
$iptables -A INPUT -p udp --dport 27960 -j ACCEPT #Q3 Games / Wolf
$iptables -A INPUT -p udp --dport 14567 -j ACCEPT #BF1942
$iptables -A INPUT -p udp --dport 20100 -j ACCEPT #SOF2
$iptables -A INPUT -p udp --dport 12300 -j ACCEPT #GameSpy
$iptables -A INPUT -p udp --dport 27900 -j ACCEPT #GameSpy
$iptables -A INPUT -p tcp --dport 28900 -j ACCEPT #GameSpy
$iptables -A INPUT -p udp --dport 23000:23009 -j ACCEPT #GameSpy
$iptables -A INPUT -p tcp --dport 22 -j ACCEPT    #SSH
$iptables -A INPUT -p tcp --dport 80 -j ACCEPT    #HTTP
$iptables -A INPUT -p tcp --dport 27666 -j ACCEPT #DOOM3
$iptables -A INPUT -p udp --dport 27666 -j ACCEPT #DOOM3
$iptables -A INPUT -p tcp --dport 27650 -j ACCEPT #DOOM3
$iptables -A INPUT -p udp --dport 27650 -j ACCEPT #DOOM3 
$iptables -A INPUT -p udp --dport 8767 -j ACCEPT  #TEAMSPEAK
$iptables -A INPUT -p tcp --dport 14534 -j ACCEPT #TS WEB ADMIN

# drop all other packets
$iptables -A INPUT -i eth0 -p tcp --dport 0:65535 -j DROP
$iptables -A INPUT -i eth0 -p udp --dport 0:65535 -j DROP
Old 11-17-2004, 09:51 AM   #2
You'll want to add at least the following lines. I'm assuming you want to forward external port 8080 to internal on port 80. I'm also assuming your eth1 is your external interface.

$iptables -A FORWARD -i eth1 -d --protocol tcp --dport 80 -j ACCEPT
$iptables -A PREROUTING -i eth1 -t nat -p tcp --dport 8080 -j DNAT --to

You really should set up that first line as the following, where $ext_ip is your external IP address assigned to eth1.

$iptables -A PREROUTING -i eth1 -t nat -p tcp -d $ext_ip --dport 8080 -j DNAT --to
Old 11-17-2004, 10:04 AM   #3

[edit]it seems someone writes faster than me [/edit]

These are the iptables rules (EXAMPLE) required for port forwarding
to .

iptables -t nat -A PREROUTING -p tcp -i eth0 -d --dport 8888 -j DNAT --to
iptables -A FORWARD -p tcp -i eth0 -d --dport 80 -j ACCEPT

Last edited by RomKnight; 11-17-2004 at 10:07 AM.
Old 11-17-2004, 10:10 AM   #4
Original Poster
T H A N K S !!!
Old 12-11-2004, 11:14 PM   #5
You'll have to forgive me, I'm a bit of a noob when it comes to IPTABLES. That script of yours is pretty shmick looking, scrag. If I wanted to use a script based off of yours on my own system, where would I put it? Thanks heaps in advance!
Old 12-12-2004, 03:14 AM   #6
Original Poster
I have this script saved as a file under /etc/rc.firewall. To load this automatically on boot up you need to add the line "cd /etc[ENTER] ./rc.firewall" in your startup file "/etc/rc.d/rc.local". rc.local is your "load this on boot" file. Hope this helps, as I am typing while I am drunk. If not, let me know and I'll get back to you tomorrow when I am sober.
Old 12-13-2004, 05:57 AM   #7
Can I place the Port Forwarding section anywhere in the script?
I have created the following rules to forward BitTorrent, are they correct? Thanks heaps in advance!

#Open Ports
$iptables -A INPUT -p tcp --dport 6881:6889 -j ACCEPT #BT

#Port Forward
$iptables -A FORWARD -i eth1 -d --protocol tcp --dport 6881:6889 -j ACCEPT
$iptables -A PREROUTING -i eth1 -t nat -p tcp --dport 6881:6889 -j DNAT --to

My eth0 and eth1 are the same as your own scenario.
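As an added example (not code from anyone in this thread), the two rules the replies in posts #2 and #3 describe, written as a shell function for the interface layout the original post gives (eth0 = Internet, eth1 = LAN) and extended to the port-range case asked about in post #7. The LAN addresses are constructed sample values; IPTABLES, EXT_IF, INT_IF and forward_port are names assumed here.

```shell
#!/bin/sh
# Added example, not from the thread: DNAT port forwarding for a box with
# eth0 on the Internet and eth1 on the LAN (the layout the original post
# describes). IPTABLES, EXT_IF and INT_IF are names assumed here.
IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES=echo for a dry run
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"

# forward_port EXT_PORT INT_IP [INT_PORT]
#   EXT_PORT is a single port or a range "low:high". A range maps each
#   port to the same port on INT_IP (DNAT without a port keeps the original
#   destination port), so INT_PORT must be omitted for a range.
forward_port() {
    ext_port=$1; int_ip=$2; int_port=$3
    case "$ext_port" in
        *:*) if [ -n "$int_port" ]; then
                 echo "forward_port: a port range cannot be remapped" >&2
                 return 1
             fi
             target="$int_ip"; fwd_port="$ext_port" ;;
        *)   : "${int_port:=$ext_port}"
             target="$int_ip:$int_port"; fwd_port="$int_port" ;;
    esac
    # 1. Rewrite the destination before routing. --to-destination is the
    #    long form of the --to used in the replies above.
    "$IPTABLES" -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport "$ext_port" \
        -j DNAT --to-destination "$target" || return 1
    # 2. The FORWARD policy in the original script is DROP, so the rewritten
    #    packet still needs an explicit ACCEPT to reach the LAN host. Match
    #    the post-DNAT destination, restrict to the inbound interface, and
    #    only NEW; ESTABLISHED,RELATED is already accepted in FORWARD.
    "$IPTABLES" -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$int_ip" \
        --dport "$fwd_port" -m state --state NEW -j ACCEPT
}

# Constructed sample hosts; run as root, or with IPTABLES=echo to preview:
#   IPTABLES=echo sh forward.sh --sample
if [ "${1-}" = "--sample" ]; then
    forward_port 8080 192.168.1.10 80 &&      # web server: ext 8080 -> int 80
    forward_port 6881:6889 192.168.1.20       # BitTorrent client: 1:1 range
fi
```

Because the nat PREROUTING rule only sees packets arriving on eth0, LAN clients cannot reach the forwarded service through the external address with these rules alone; they should use the internal address directly.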

