bogdan_bartos

Hi everybody! I am trying to forward port 2080 from the public machine to an internal machine to port 80.

--->|PUBLIC_IP:2080|--->LAN--->|10.0.0.101:80|

So, to be more explicit, when I type in http :// public_ip:2080 it should give me the private machine in the lan that has a web server on it. My iptables is as follows:

==================IPTABLES - SOME PARTS MISSING=======================

#!/bin/sh

. /etc/rc.d/init.d/functions
. /etc/sysconfig/network

if [ ${NETWORKING} = "no" ]
then
exit 0
fi
if [ ! -x /sbin/iptables ]; then
exit 0
fi
case "$1" in
start)
echo -n "Starting Firewalling: "

EXTERNAL_INTERFACE="eth0"
LOOPBACK_INTERFACE="lo"
LOCAL_INTERFACE_1="eth1"
INTRANET="10.0.0.0/16"

/sbin/modprobe ip_tables
/sbin/modprobe ipt_state
/sbin/modprobe iptable_nat
/sbin/modprobe iptable_filter
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe iptable_mangle
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_MARK
/sbin/modprobe ipt_REDIRECT
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_TOS
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_mac
/sbin/modprobe ipt_mark
/sbin/modprobe ipt_multiport
/sbin/modprobe ipt_state
/sbin/modprobe ipt_tos

iptables -F
iptables -F -t nat

iptables -X

#drop all incoming packets by default
iptables -P INPUT DROP
#let everything out from the inside
iptables -P OUTPUT ACCEPT
#forward all packets by default
iptables -P FORWARD ACCEPT

iptables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT

iptables -A INPUT -i $LOCAL_INTERFACE_1 -s $INTRANET -j ACCEPT
iptables -A OUTPUT -o $LOCAL_INTERFACE_1 -d $INTRANET -j ACCEPT

#nat for the lan
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

#I am redirecting 80 to 8080 to squid for transparent browsing proxy
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080

#here I'm opening port 2080 for access
iptables -A INPUT -p tcp -m tcp --dport 2080 -j ACCEPT
#forwarding port 2080 to 80
iptables -t nat -A PREROUTING -t nat -p tcp -i eth0 --dport 2080 -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to 10.0.0.101:80
iptables -A FORWARD -i eth0 -o eth1 -p tcp -d 10.0.0.101 -j ACCEPT
#performing SNAT to the webserver
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 10.0.0.101


================================================== ====================


The last lines are the most important in this case as well as the default INPUT, OUTPUT and FORWARD policies. For some reason if I do iptables -L -n, I don't see the specific port 2080 opened. The only thing I see that refers to 10.0.0.101 is here:

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 10.0.0.0/16 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2080

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere 10.0.0.101

No 10.0.0.101 on the OUTPUT chain or 2080...since OUTPUT is ACCEPT by default...

If I do an nmap on the public IP, I don't see 2080 open and of course if I try to access the http :// public_ip:2080 gives me nothing... So that means that the port doesn't get forwarded or the packets get inside the LAN, but don't get out...!?

What am I doing wrong? Thank you!

Lazydog

This will not work!

Try using ' -j DNAT --to-destination ' in the above.

__________________

Regards
Robert

Linux
The adventure of a life time.

Linux User #296285
Get Counted

bogdan_bartos

Hi there,

Thank you for helping me. My mistake was that I thought port forwarding doesn't work since I could not see the http :// public_ip:2080, but it makes sense. I am able to see the page from the outside network, so all this time, it worked just fine. From the inside network, I can see the page with the private IP... I am such a fool!

Cheers!