LinuxQuestions.org


David_99 12-07-2003 10:48 PM

port forwarding with iptables
 
Greetings,

After following the MASQ howto with the stronger firewall ruleset and successfully connecting my LAN to the internet through a RedHat9 box, I couldn't forward port 8095 to the same port on one of my LAN comps (the Apache web server runs on 8095).
Here's what I've tried to insert (you can see that it's before the line where everything else is denied):
###enabling port forwarding byDave
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 8095 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 8095 -j DNAT --to 192.168.0.3:8095
###port forwarding end

#!!! this is the stuff that was there originally just here for reference
# Catch all rule, all other forwarding is denied and logged.
#
$IPTABLES -A FORWARD -j drop-and-log-it

So this is where port forwarding doesn't work. :(
Here's the output of the iptables -L command (between the ######## lines below).
Do I have a major security flaw here? And why doesn't the port forwarding work?
Thank you very much,
David
#####################################
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- 192.168.0.0/24 anywhere
drop-and-log-it all -- 192.168.0.0/24 anywhere
ACCEPT all -- anywhere 38002137.cpe.net.cable.rogers.com state RELATED,ESTABLISHED
drop-and-log-it all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:8095
drop-and-log-it all -- anywhere anywhere

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- 38002137.cpe.net.cable.rogers.com 192.168.0.0/24
ACCEPT all -- 192.168.0.0/24 192.168.0.0/24
drop-and-log-it all -- anywhere 192.168.0.0/24
ACCEPT all -- 38002137.cpe.net.cable.rogers.com anywhere
drop-and-log-it all -- anywhere anywhere

Chain drop-and-log-it (5 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level info
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
##################################

zaphodiv 12-08-2003 12:50 AM

Read this thread and this thread.

David_99 12-08-2003 07:06 PM

I've checked your other two posts.
They are somewhat related to my problem; however, I still couldn't get NAT to forward the port by adding the two lines described in your first link.

Could you give me more detail in regard to what's wrong in my situation?

thanks,

David

chrisfirestar 12-09-2003 01:37 AM

As you may or may not know, iptables rules are specific to the order in which they are entered... I generally would put my port forwarding somewhere up the top. If a rule handles that request before your port forward command then it may not work anymore.

try shuffling your orders around...

generally I would have them in this order

# Default rules
# Port Forwarding
# Inputs from internet to firewall

David_99 12-09-2003 08:23 PM

Ok I figured it out...

Actually everything worked just fine!
The reason I was not able to see the web page is because I was trying to access it from my inside LAN and it wouldn't let me see anything.
However, when I asked my friend to load the page from the internet it worked.

chrisfirestar 12-09-2003 08:37 PM

Ahh, you will have to set rules in your iptables to allow local users to find it...

eg

$IPTABLES -t nat -A PREROUTING -i $INSIDE -s $LAN -d $EXT_IP -p tcp -m tcp --dport 80 -j DNAT --to $WEBSVR:80
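Added example, not posted by anyone in this thread: a shell function that prints the complete rule set for forwarding TCP 8095 to a LAN web server, including the hairpin rules (internal DNAT plus a MASQUERADE on the inside interface) that let LAN clients reach the service through the public address. The interface names, the LAN range, the public address 203.0.113.10 and the server address 192.168.0.3 are assumed values chosen for the example.

```shell
#!/bin/sh
# Prints iptables commands instead of running them, so the rule set can be
# reviewed first and then applied as root with:  gen_forward_rules ... | sh
# Arguments: EXTIF INTIF LAN EXT_IP WEBSVR PORT  (all assumed/constructed)
gen_forward_rules() {
    extif=$1; intif=$2; lan=$3; ext_ip=$4; websvr=$5; port=$6
    # 1. Inbound from the internet: rewrite the destination to the LAN host.
    echo "iptables -t nat -A PREROUTING -i $extif -p tcp --dport $port -j DNAT --to-destination $websvr:$port"
    # 2. Let the rewritten (new) connections through FORWARD; replies are
    #    handled by the ruleset's existing RELATED,ESTABLISHED rule.
    echo "iptables -A FORWARD -i $extif -o $intif -p tcp -d $websvr --dport $port -m state --state NEW -j ACCEPT"
    # 3. Hairpin: LAN clients connecting to the public IP are DNATed too.
    echo "iptables -t nat -A PREROUTING -i $intif -s $lan -d $ext_ip -p tcp --dport $port -j DNAT --to-destination $websvr:$port"
    # 4. Hairpin SNAT: without this the server answers the LAN client directly
    #    from $websvr, the client sees a reply from the wrong address and drops it.
    echo "iptables -t nat -A POSTROUTING -o $intif -s $lan -d $websvr -p tcp --dport $port -j MASQUERADE"
    # 5. FORWARD policy is DROP, so traffic entering and leaving on the inside
    #    interface needs an explicit ACCEPT as well.
    echo "iptables -A FORWARD -i $intif -o $intif -p tcp -d $websvr --dport $port -m state --state NEW -j ACCEPT"
}

# Sanity check before applying: the set must contain exactly two DNAT rules
# (one for each side of the firewall).
count_dnat() {
    gen_forward_rules "$@" | grep -c -- '-j DNAT'
}
```

Steps 3 to 5 are only needed for clients inside the LAN; steps 1 and 2 alone match what the original post already had working from the internet side.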

