
Re: IPTables Port Forwarding




Giacomo Montagner wrote:
> On 3/3/07, John L Fjellstad <john-debian@fjellstad.org> wrote:
>> Johnno <valentine@xtra.co.nz> writes:
>>
>> > Hello
>> >
>> > Need a little bit of help here...  eth1 = Internet, eth0 = LAN, will
>> > this work?
>> >
>> > iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.50:80
>> > iptables -A INPUT -p tcp -m state --state NEW --dport 80 -i eth1 -j ACCEPT
>> >
>> > Anything on port 80 to go to an internal server on IP 192.168.1.50
>>
>> Been awhile since I played with forwarding.  One thing to remember
>> is to turn on forwarding in the kernel (/proc/sys/net/ipv4/ip_forward,
>> if you have ipv6, you need to do something similar).
>>
>> Also, I'm not sure you need the second rule. I think it gets rerouted
>> before it gets to the INPUT chain if you route it in the PREROUTING
>> chain.  But if you do need the INPUT chain, then the rule should
>> probably not have the state directive (otherwise, all packages not set
>> to NEW, which is basically all packages after the first one, will be
>> dropped or whatever the policy is)
> 
> Hi,
> if you have a policy which discards incoming packets from eth1, then you
> have to use the INPUT rule, but basically you need to allow also
> ESTABLISHED and RELATED connections:
> 
> iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED,RELATED --dport 80 -i eth1 -j ACCEPT
> 
> should work.
> 
> But I'm not sure this is enough: when you do DNAT towards your http
> server, it will then send answers directly to the client (I assume
> packets will go back through your firewall).
> Then the client gets an answer from "192.168.1.50", which is not the public
> IP the client was connecting to, so I expect it to discard the packet.
> You should also do SNAT on returning packets:
> 
> iptables -A POSTROUTING -t nat -i eth0 -s 192.168.1.50 -p tcp --sport 80 -j SNAT --to-source <your-public-ip-here>
> 
> so the client gets the answer from your-public-ip.
> 
> Please let me know if this helps, it's been a while for me too, since my
> last handmade firewall.
> 
> Cheers!
> 
> Giacomo
> 
> 
Here's my port forwarding firewall... eth0 is WAN, eth1 LAN.  I'm not
positive that it's real secure, but it works, and it's behind yet
another firewall built into my router.  It runs when the network comes up.

--
#!/bin/sh

PATH=/usr/sbin:/sbin:/bin:/usr/bin

#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Drop by default; without a DROP policy the allow rules below have
# nothing to restrict (OUTPUT stays ACCEPT).
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT

# Allow established connections, and new ones not coming from the outside (eth0)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

# Masquerade.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Don't forward new connections from the outside (eth0) to the inside (eth1).
iptables -A FORWARD -i eth0 -o eth1 -j REJECT

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward

--
Registered Linux user #443289 at http://counter.li.org/
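The DNAT port forward this thread is about, written out as an added example (it is not the poster's script nor anything from the list). It uses the original question's layout (eth1 = Internet, eth0 = LAN, web server 192.168.1.50:80); LAN_NET, PUBLIC_IP and the function names are my own assumptions. Run `sh fwd.sh apply` as root, or with `DRY_RUN=1` to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not the poster's script: the DNAT port forward from the
# question plus the FORWARD rules a DNAT'd flow needs (eth1 = Internet,
# eth0 = LAN, as in the question). LAN_NET and PUBLIC_IP are assumptions.
WAN=${WAN:-eth1}
LAN=${LAN:-eth0}
LAN_NET=${LAN_NET:-192.168.1.0/24}
SERVER=${SERVER:-192.168.1.50}
PORT=${PORT:-80}

# ipt: print the rule in dry-run mode, otherwise apply it.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

port_forward_rules() {
    # Rewrite the destination of inbound TCP/$PORT arriving on the WAN side.
    ipt -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$PORT" \
        -j DNAT --to-destination "$SERVER:$PORT"
    # A DNAT'd packet is routed on, so it traverses FORWARD, never INPUT:
    # the INPUT rule in the question does not admit it. Allow only this flow...
    ipt -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$SERVER" --dport "$PORT" \
        -m conntrack --ctstate NEW -j ACCEPT
    # ...and its replies. Conntrack reverses the DNAT on the way back, so
    # Internet clients see the public IP without any SNAT rule.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Anything else crossing the box is dropped (add LAN->WAN rules separately).
    ipt -P FORWARD DROP
}

# The case where SNAT really is needed: a LAN client connecting to the public
# IP. Without it the server answers from 192.168.1.50 directly and the client
# discards a reply that does not match the address it connected to.
hairpin_rules() {
    ipt -t nat -A PREROUTING -i "$LAN" -s "$LAN_NET" -d "$PUBLIC_IP" \
        -p tcp --dport "$PORT" -j DNAT --to-destination "$SERVER:$PORT"
    # Hairpin traffic enters and leaves on the LAN interface.
    ipt -A FORWARD -i "$LAN" -o "$LAN" -p tcp -d "$SERVER" --dport "$PORT" \
        -m conntrack --ctstate NEW -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$LAN" -s "$LAN_NET" -d "$SERVER" \
        -p tcp --dport "$PORT" -j MASQUERADE
}

if [ "${1:-}" = apply ]; then
    [ "${DRY_RUN:-0}" = 1 ] || echo 1 > /proc/sys/net/ipv4/ip_forward
    port_forward_rules
    if [ -n "${PUBLIC_IP:-}" ]; then hairpin_rules; fi
fi
```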