[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Port forwarding with ipmasq and iptables

On Wed, Dec 17, 2003 at 12:50:24PM +0100, Peter A. Felvegi wrote:
>  i did a different approach, but it may help you. i wrote a portforwarding
> init.d script, that is started/stopped after ipmasq.
> 
> -BEG-----/etc/init.d/portforwarding---------
> #! /bin/sh
> #
> # portforwading : sets up portforwarding from outer world to the lan machines
> #
> # 2003 Petschy
> 
> # args : srcip dstip dstport todstip todstport
> function portforward
> {
> 	iptables -t nat -A PREROUTING -p tcp --source $1 --destination $2 \
> 		--destination-port $3 -j DNAT --to-destination $4:$5
> 	echo " $1 -> $2:$3 -> $4:$5"
> }
> PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
> NAME=portforwarding
> 
> set -e
> 
> case "$1" in
>   start)
> 	echo "Starting port forwarding"
> 
> 	# two hostware machines to the polus palace db server port 3050
> 	portforward ....
> 	echo "Done."
> 	;;
>   stop)
> 	echo -n "Stopping port forwarding : flushing PREROUTING chain"
> 	iptables -t nat -F PREROUTING
> 	echo "."
> 	;;
>   *)
> 	N=/etc/init.d/$NAME
> 	echo "Usage: $N {start|stop}" >&2
> 	exit 1
> 	;;
> esac
> 
> exit 0
> -END-----/etc/init.d/portforwarding---------
> 
> i update only the PREROUTING chain, while you update the FORWARD chain,
> too. why is that needed? did i miss something?

I have to set FORWARD rules.  I use a script found on linuxgurus.org,
with modifications to portforward some ports.

Forwarding all packets from the world to the internal webserver
and established and related packets coming back must be accepted,
making two rules.  One more rule activates the destination address
modification on packets coming in to the network, pointing them
to the webserver, and using connection tracking (I think) also 
remodifies it on response packets from the internal webserver.

So three rules are needed for any portforward I think, unless
you are already allowing those forwards elsewhere.

I would prefer something like the script above :) but FWIW these
are the lines that I'm using for port 80 for example

Patrick Lesslie


HTTPIP=internal address of webserver.  
The interfaces should be set accordingly, e.g:
INTIF=eth0, EXTIF=ppp0

  
# FORWARD CHAIN

...

## Related to Port-Forwarding from Ports < 1024 [outbound]
#  (--> Also see chain PREROUTING)

  # HTTP-Forwarding
  # http: forward (allow all packets from webserver:80 to world)
   $IPTABLES -A FORWARD -i $INTIF -o $EXTIF \
             -s $HTTPIP -p tcp --sport 80 \
             -m state --state ESTABLISHED,RELATED \
             -j ACCEPT
   

## Related to Port-Forwarding [inbound]
#  (--> Also see chain PREROUTING)

  #HTTP-Forwarding
  # http: forward (allow all NEW, ESTABLISHED and RELATED packets from world to webserver:80)
  $IPTABLES -A FORWARD -i $EXTIF -p tcp -d $HTTPIP \
    --sport $UNPRIVPORTS --dport 80 \
    -m state --state NEW,ESTABLISHED,RELATED \
    -j ACCEPT

...

### PREROUTING chain

## Port-Forwarding (--> Also see chain FORWARD)

  ##HTTP
  # http: portforward (dest ip nat on packets from world to <public ip>:80)
  $IPTABLES -t nat -A PREROUTING -i $EXTIF \
            -p tcp --sport $UNPRIVPORTS \
	    -d $EXTIP --dport 80 -j DNAT --to $HTTPIP
Reply to: