port forwarding with iptables
Greetings,
After following the MASQ HOWTO with the stronger firewall ruleset and successfully connecting my LAN to the internet through a RedHat 9 box, I couldn't forward port 8095 to the same port on one of my LAN computers (an Apache web server runs on 8095). Here's what I've tried to insert (you can see that it's before the line where everything else is denied):

###enabling port forwarding byDave
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 8095 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 8095 -j DNAT --to 192.168.0.3:8095
###port forwarding end

#!!! this is the stuff that was there originally, just here for reference
# Catch all rule, all other forwarding is denied and logged.
# $IPTABLES -A FORWARD -j drop-and-log-it

So this is where port forwarding doesn't work. :( Here's the output of the iptables -L command (in ######## below). Do I have a major security flaw here? And why doesn't the port forwarding work?

Thank you very much,
David

#####################################
Chain INPUT (policy DROP)
target           prot opt source               destination
ACCEPT           all  --  anywhere             anywhere
ACCEPT           all  --  192.168.0.0/24       anywhere
drop-and-log-it  all  --  192.168.0.0/24       anywhere
ACCEPT           all  --  anywhere             38002137.cpe.net.cable.rogers.com  state RELATED,ESTABLISHED
drop-and-log-it  all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target           prot opt source               destination
ACCEPT           all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT           all  --  anywhere             anywhere
ACCEPT           tcp  --  anywhere             anywhere             tcp dpt:8095
drop-and-log-it  all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target           prot opt source               destination
ACCEPT           all  --  anywhere             anywhere
ACCEPT           all  --  38002137.cpe.net.cable.rogers.com  192.168.0.0/24
ACCEPT           all  --  192.168.0.0/24       192.168.0.0/24
drop-and-log-it  all  --  anywhere             192.168.0.0/24
ACCEPT           all  --  38002137.cpe.net.cable.rogers.com  anywhere
drop-and-log-it  all  --  anywhere             anywhere

Chain drop-and-log-it (5 references)
target           prot opt source               destination
LOG              all  --  anywhere             anywhere             LOG level info
REJECT           all  --  anywhere             anywhere             reject-with icmp-port-unreachable
##################################
Read this thread and this thread.
I've checked your other two posts.
They are somewhat related to my problem; however, I still couldn't get NAT to forward the port by adding the two lines described in your first link. Could you give me more detail on what's wrong in my situation? Thanks, David
As you may or may not know, iptables rules are specific to the order in which they are entered... I generally would put my port forwarding somewhere near the top. If a rule handles that request before your port forward command, then it may not work anymore.
Try shuffling your order around... generally I would have them in this order:
# Default rules
# Port Forwarding
# Inputs from internet to firewall
Ok, I figured it out...
Actually everything worked just fine! The reason I was not able to see the web page is that I was trying to access it from my inside LAN and it wouldn't let me see anything. However, when I asked my friend to load the page from the internet, it worked.
Ahh, you will have to set rules in your iptables to allow local users to find it...
eg:
$IPTABLES -t nat -A PREROUTING -i $INSIDE -s $LAN -d $EXT_IP -p tcp -m tcp --dport 80 -j DNAT --to $WEBSVR:80
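The forwarding and "hairpin" rules discussed in this thread, as an added example that is not code from any of the posters. It assumes interface names eth0/eth1, a public address 203.0.113.10 and a firewall LAN address 192.168.0.1; the server 192.168.0.3, the 192.168.0.0/24 LAN and port 8095 come from the thread. One thing the single PREROUTING rule in the reply above does not cover: when a LAN client connects to the public address, the DNAT sends the SYN to the server, but the server then answers the client directly from 192.168.0.3. The client sent its SYN to EXT_IP, so it discards that reply. A POSTROUTING SNAT on the LAN side forces the server to answer via the firewall, which un-does both translations. The script prints the commands by default (DRY_RUN=1) and only runs iptables when invoked as `sh fwd.sh apply`.

```shell
#!/bin/sh
# Added example, not from the original thread. Names marked "assumed" are
# not in the thread; the LAN, server and port are the ones David described.
EXTIF=${EXTIF:-eth0}              # assumed: internet-facing interface
INTIF=${INTIF:-eth1}              # assumed: LAN-facing interface
EXT_IP=${EXT_IP:-203.0.113.10}    # assumed: public address (documentation range)
INT_IP=${INT_IP:-192.168.0.1}     # assumed: firewall's own address on the LAN
LAN=${LAN:-192.168.0.0/24}        # from the thread
WEBSVR=${WEBSVR:-192.168.0.3}     # from the thread
PORT=${PORT:-8095}                # from the thread
IPTABLES=${IPTABLES:-iptables}
DRY_RUN=${DRY_RUN:-1}             # 1 = print the commands instead of running them

# Wrapper so the same functions can be reviewed (dry run) or applied.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s %s\n' "$IPTABLES" "$*"
    else
        "$IPTABLES" "$@"
    fi
}

# Replies for any already-tracked connection. One rule, inserted at the
# top of FORWARD, covers internet->LAN, LAN->internet and the hairpin case.
# (On the thread's RedHat 9 box the older spelling is "-m state --state".)
base_rules() {
    ipt -I FORWARD 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Clients on the internet. -I (insert) rather than -A keeps these rules
# above the drop-and-log-it catch-all regardless of when the script runs.
forward_from_internet() {
    # nat table: destination is rewritten before the routing decision
    ipt -t nat -I PREROUTING 1 -i "$EXTIF" -p tcp --dport "$PORT" \
        -j DNAT --to-destination "$WEBSVR:$PORT"
    # filter table: FORWARD already sees the rewritten destination, so match
    # the server address here, not the public IP, and only new connections
    ipt -I FORWARD 1 -i "$EXTIF" -o "$INTIF" -p tcp -d "$WEBSVR" --dport "$PORT" \
        -m conntrack --ctstate NEW -j ACCEPT
}

# Clients on the LAN that use the public address (the case that failed in
# the thread). The SNAT is restricted to connections that were DNATed, so
# direct LAN->192.168.0.3 traffic keeps its real source address.
forward_from_lan() {
    ipt -t nat -I PREROUTING 1 -i "$INTIF" -s "$LAN" -d "$EXT_IP" -p tcp --dport "$PORT" \
        -j DNAT --to-destination "$WEBSVR:$PORT"
    ipt -t nat -I POSTROUTING 1 -o "$INTIF" -s "$LAN" -d "$WEBSVR" -p tcp --dport "$PORT" \
        -m conntrack --ctstate DNAT -j SNAT --to-source "$INT_IP"
    # packet enters and leaves on the LAN interface: needs its own FORWARD rule
    ipt -I FORWARD 1 -i "$INTIF" -o "$INTIF" -p tcp -d "$WEBSVR" --dport "$PORT" \
        -m conntrack --ctstate NEW -j ACCEPT
}

# What to check when it "doesn't work": forwarding must be enabled in the
# kernel, and the DNAT/ACCEPT rules must sit above the catch-all. -n -v
# shows interfaces and packet counters that plain "iptables -L" hides.
show_state() {
    if [ -r /proc/sys/net/ipv4/ip_forward ]; then
        printf 'net.ipv4.ip_forward = %s\n' "$(cat /proc/sys/net/ipv4/ip_forward)"
    fi
    ipt -t nat -L PREROUTING -n -v --line-numbers
    ipt -t nat -L POSTROUTING -n -v --line-numbers
    ipt -L FORWARD -n -v --line-numbers
}

if [ "${1:-}" = apply ]; then
    DRY_RUN=0
fi
base_rules
forward_from_internet
forward_from_lan
show_state
```

Run it once without arguments to review the exact commands, then `sh fwd.sh apply` as root. If the internet side still fails, look at the counters from show_state: a PREROUTING DNAT rule with zero packets means traffic never reached the firewall on that port (upstream filtering or a wrong $EXTIF); a climbing DNAT counter with a climbing drop-and-log-it counter means the FORWARD ACCEPT sits below the catch-all.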