Re: IPTables Port Forwarding

On 3/3/07, John L Fjellstad <john-debian@fjellstad.org> wrote:
Johnno <valentine@xtra.co.nz> writes:

> Hello
> Need a little bit of help here...  eth1 = Internet, eth0 = LAN, will
> this work?
> iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 80 -j DNAT --to
> iptables -A INPUT -p tcp -m state --state NEW --dport 80 -i eth1 -j ACCEPT
> Anything on port 80 to go to an internal server on ip

Been a while since I played with forwarding.  One thing to remember
is to turn on forwarding in the kernel (/proc/sys/net/ipv4/ip_forward;
if you have IPv6, you need to do something similar).

Also, I'm not sure you need the second rule. I think it gets rerouted
before it gets to the INPUT chain if you route it in the PREROUTING
chain.  But if you do need the INPUT chain, then the rule should
probably not have the state directive (otherwise, all packets not set
to NEW, which is basically all packets after the first one, will be
dropped or whatever the policy is).

If you have a policy which discards incoming packets from eth1, then you
have to use the INPUT rule, but basically you also need to allow
ESTABLISHED and RELATED connections:

iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED,RELATED --dport 80 -i eth1 -j ACCEPT

should work.

But I'm not sure this is enough: when you do DNAT towards your http
server, it will then send answers directly to the client (I assume
packets will go back through your firewall).
Then the client gets an answer from "", which is not the public
IP the client was connecting to, so I expect it to discard the packet.
You should also do SNAT on returning packets:

iptables -A POSTROUTING -t nat -o eth1 -s -p tcp --sport 80 -j SNAT --to-source <your-public-ip-here>

so the client gets the answer from your-public-ip.

Please let me know if this helps, it's been a while for me too, since my last
handmade firewall.
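As an added, runnable example (not code from the thread or from either poster): a POSIX shell script that prints the complete ruleset for the setup Johnno asks about, so it can be reviewed before being piped to sh as root. The interface names eth1 (Internet) and eth0 (LAN) come from the thread; the web server address 192.168.1.10 and the LAN subnet 192.168.1.0/24 are constructed placeholders. It goes a little beyond the thread on two points a practitioner would want: packets rewritten by DNAT in PREROUTING traverse the FORWARD chain, not INPUT, so the accept rules sit there and are narrowed to the one destination address and port; and when the firewall is the server's default gateway, connection tracking reverses the DNAT on the replies by itself, so the only SNAT needed is the hairpin case where LAN clients connect to the public address and the server would otherwise answer them directly.

```shell
#!/bin/sh
# Added example (not from the thread): generate an iptables ruleset that
# forwards inbound TCP/80 on the Internet interface to one LAN web server.
WAN_IF="eth1"              # Internet-facing interface (eth1 in the thread)
LAN_IF="eth0"              # LAN interface (eth0 in the thread)
WEB_IP="192.168.1.10"      # constructed placeholder: internal web server
WEB_PORT="80"
LAN_NET="192.168.1.0/24"   # constructed placeholder: LAN subnet

# Print (do not run) the commands. Review the output, then run it as root:
#   sh forward-web.sh | sudo sh
fw_rules() {
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $WEB_PORT -j DNAT --to-destination $WEB_IP:$WEB_PORT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $WEB_IP --dport $WEB_PORT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $LAN_NET -d $WEB_IP -p tcp --dport $WEB_PORT -j MASQUERADE
EOF
}

# Number of generated rules that mention the web server; a quick sanity check
# that the DNAT target, the FORWARD accept and the hairpin SNAT all point at
# the same host before the set is applied.
rule_count() {
    fw_rules | grep -cF "$WEB_IP"
}

fw_rules
```

The FORWARD rule from the LAN side accepts only ESTABLISHED,RELATED traffic, so the web server cannot open new connections outward through this rule; if the FORWARD policy is DROP, nothing else from the LAN passes unless explicitly allowed. Only the single DNAT rule exposes a service, and it is bound to one interface, one protocol and one port, which is the least-privilege shape a firewall reviewer looks for.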



