
Problem with iptables Port Forwarding



Hello all,

I have a Debian Sarge box with 2 ethernet cards. eth0 is the internal card and has the static IP 192.168.0.91. eth1 is the external interface card and does not have an IP, as it is a bridged connection to the ADSL modem (PPPoE). ppp0 has a static IP set by the ISP (which is referred to as xxx.xxx.xxx.xxx). The box runs a web and email server (Apache, Exim and Dovecot).

I have written an iptables script that allows selected ports through on the external interface, and allows users to use the ADSL connection from the local network.

Recently, they asked me to install an APC masterswitch which has a web interface on standard port 80. They wanted to be able to use it from outside of the network, so I decided to redirect port 8080 to the switch at the gateway. The switch has the static IP address of 192.168.0.10.

Unfortunately, the redirection bit is the only thing I can't get working. I've read and re-read Rusty Russell's NAT howto and followed his example. I've switched the order of iptables commands around in the script and have tried turning off DROP and REJECT commands also as a troubleshooting measure (for these reasons, there might be a few superfluous commands).

Any help with this problem would be greatly appreciated. Also, please let me know if I've created any gaping security holes ;)

Here is the script:

#!/bin/bash

# Flush any existing rules and zero the traffic counters
iptables -F
iptables -Z
iptables -t nat -F
iptables -t nat -Z

# Allow forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward

# Disable smurf attack response
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Don't accept source routed packets
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable bad error message protection
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Accept all input on local loopback
iptables -A INPUT -i lo -j ACCEPT

# Filter ADSL traffic - returning traffic is okay, new connections are checked for valid ports, all others are rejected
# If it's an established returning connection, let it through
iptables -A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 8080 -j DNAT --to 192.168.0.10:80
#iptables -A FORWARD -p tcp -i eth1 -d 192.168.0.10 --dport 80 -j ACCEPT

# Allow ICMP
iptables -A INPUT -i eth1 -p icmp -j ACCEPT
# Allow SSH
iptables -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
# Allow HTTP
iptables -A INPUT -i eth1 -p tcp --dport 80 -j ACCEPT
# Allow HTTPS
iptables -A INPUT -i eth1 -p tcp --dport 443 -j ACCEPT
# Allow SMTP
iptables -A INPUT -i eth1 -p tcp --dport 25 -j ACCEPT
# Allow POP3
iptables -A INPUT -i eth1 -p tcp --dport 110 -j ACCEPT
# Allow POP3-SSL
iptables -A INPUT -i eth1 -p tcp --dport 995 -j ACCEPT
# Allow Alternate HTTP for APC
iptables -A INPUT -i eth1 -p tcp --dport 8080 -j ACCEPT
# Doesn't match any of the above, reject the packet
iptables -A INPUT -i eth1 -j REJECT

# Allow all staff traffic (defined by all INPUT on ETH0) through if it's a local address
iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j ACCEPT
# If it doesn't match the above subnet on the internal network, someone may be doing something nasty, so reject the packet
iptables -A INPUT -i eth0 -j REJECT

# This sets up Network Address Translation
# When the packet is ready to be resent, the IP headers are rewritten
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.0.91
iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to-source xxx.xxx.xxx.xxx



--
Les
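The same policy as the posted script, keyed on ppp0 instead of eth1, as an added example that is not from the original post: PPPoE terminates on ppp0, so the decapsulated IP packets arrive there and never match "-i eth1"; the example also adds the explicit FORWARD rules the posted script leaves commented out and writes the ruleset in iptables-restore format. Interface names and addresses are those given in the post; the xxx.xxx.xxx.xxx public address is a placeholder, and the sysctl lines from the post still apply and are left out here.

```shell
#!/bin/sh
# Added example, not the original poster's script. Same policy as the
# post, but matching on ppp0: PPPoE is terminated there, so inbound IP
# packets never appear on eth1 and "-i eth1" rules do not see them.
WAN=ppp0
LAN=eth0
LAN_NET=192.168.0.0/24
GW_LAN_IP=192.168.0.91
APC_IP=192.168.0.10
WAN_IP=xxx.xxx.xxx.xxx   # placeholder kept from the post; use the real ISP address

# Emit the ruleset in iptables-restore format (loaded atomically, so
# there is no unfiltered window between a flush and the new rules).
fw_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $WAN -p tcp --dport 8080 -j DNAT --to-destination $APC_IP:80
-A POSTROUTING -o $WAN -j SNAT --to-source $WAN_IP
-A POSTROUTING -o $LAN -d $APC_IP -j SNAT --to-source $GW_LAN_IP
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $WAN -p icmp -j ACCEPT
-A INPUT -i $WAN -p tcp -m multiport --dports 22,25,80,110,443,995 -j ACCEPT
-A INPUT -i $LAN -s $LAN_NET -j ACCEPT
-A INPUT -j REJECT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN -o $LAN -p tcp -d $APC_IP --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -j REJECT
COMMIT
EOF
}

# Print the ruleset; with --apply (as root) load it atomically.
if [ "$1" = "--apply" ]; then
  fw_rules | iptables-restore
else
  fw_rules
fi
```

Once DNAT rewrites the 8080 packets in PREROUTING they take the FORWARD path, so no INPUT rule for 8080 is needed; the SNAT on the LAN side keeps the switch's replies coming back through the gateway even if the switch has no default route.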
