
Re: Opening :80 through a NATing iptables firewall.



* Robb Kidd (rkidd@ncmec.org) [010928 10:18]:
> 	Let me see if I've got this right.
> With:
> LANDEV="eth0"
> INETDEV="eth1"
> iptables -P FORWARD DROP
> (obviously not my whole iptables setup, but what I hope is relevant)
> 
>    If I'm going to open port 80 and direct outside connections to an
> internal box, I'll need:
> 
> iptables -t nat -A PREROUTING -i $INETDEV -p tcp --dport 80 -j DNAT \
> 	--to-destination 192.168.1.10
> 
> 	...but in addition to this, I'll need:
> 
> iptables -A FORWARD -i $INETDEV -d 192.168.1.10 -j ACCEPT
> 
> 	I was logging dropped packets with the 192.168.1.10 destination before I 
> added the above FORWARD entry and now it works.  Is this the "right" way 
> to perform port forwarding?  Is there a more optimal method? (Full 
> iptables script available, but I thought I'd not deluge the list yet.)

Looks good to me, though I'd be surprised if it works without also
adding this rule (which maybe you have but accidentally omitted when
posting):

iptables -A FORWARD -o $INETDEV -i $LANDEV -s 192.168.1.10 -j ACCEPT \
 -m state --state ESTABLISHED,RELATED
 # if you don't have the ipt_state module (or built in to your kernel)
 # omit the second line of that rule

or maybe you already had a more general rule allowing outbound traffic
to be forwarded from your lan to the Internet, in which case you don't
need to add anything and it should already be working.

From my experience, though, you're doing things correctly! If there's a
better way to do it, I've never seen it.

-- 
Vineet                                   http://www.anti-dmca.org
Unauthorized use of this .sig may constitute violation of US law.
echo Qba\'g gernq ba zr\!             |tr 'a-zA-Z' 'n-za-mN-ZA-M'
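The complete ruleset the thread arrives at, as an added example that is not part of the original exchange: the poster's DNAT rule, a FORWARD rule narrowed to the forwarded port only (rather than every destination to 192.168.1.10), and the return-path rule from the reply. Interface names and the internal address are the values assumed in the thread; the script only prints the rules unless invoked with "apply".

```sh
#!/bin/sh
# Added example, not from the original thread: a complete port-forward
# ruleset for a NATing firewall whose FORWARD policy is DROP. Interface
# names and the internal host are assumed values; adjust for your network.
LANDEV="eth0"
INETDEV="eth1"
TARGET="192.168.1.10"
PORT="80"

# Emit the rules as text so they can be reviewed before being applied.
forward_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $INETDEV -p tcp --dport $PORT -j DNAT --to-destination $TARGET
iptables -A FORWARD -i $INETDEV -o $LANDEV -p tcp -d $TARGET --dport $PORT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LANDEV -o $INETDEV -p tcp -s $TARGET --sport $PORT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Number of rules in the set (a quick sanity check before applying).
rule_count() {
    forward_rules | wc -l | tr -d ' '
}

# "apply" runs the rules (needs root); anything else just prints them.
case "${1:-show}" in
    apply)
        forward_rules | sh -e
        # While testing, watch the packet counters on the relevant chains:
        #   iptables -t nat -L PREROUTING -n -v
        #   iptables -L FORWARD -n -v
        ;;
    *)
        forward_rules
        ;;
esac
```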
