  1. #1
    Just Joined! (Join Date: Apr 2009, Posts: 4)

    iptables - port forward

    I'm using an iptables based script to firewall my gateway and I want to make one of the boxes on my inner network to be available to the outside.

    I figured I needed port forwarding, so I added the following rules:

    iptables -t nat -A PREROUTING -p tcp -m tcp --dport 2223 -j DNAT --to-destination 192.168.0.97:80

    iptables -A INPUT -p tcp --dport 2223 -j ACCEPT

    When I try to connect from 192.168.0.97 to 192.168.0.1:223 (my gateway), however, I get a time-out. What am I doing wrong?

    The full script:
    Code:
    # activate forwarding in the kernel
    echo 1 > /proc/sys/net/ipv4/ip_forward
    
    # remove all current settings (the nat table is flushed as well; if it is
    # left alone, every run of this script appends a second copy of the
    # DNAT and MASQUERADE rules instead of replacing them)
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    
    # ACCEPT output and forwarding by default, DROP INPUT by default
    iptables -P INPUT  DROP
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    
    # Allow loopback traffic
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    
    # ALLOW outbound traffic
    iptables -A OUTPUT -o ra0 -j ACCEPT
    
    # Use IP masquerading
    iptables -t nat -A POSTROUTING -o ra0 -j MASQUERADE
    
    # ALLOW established connections
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    ########################
    # ALLOW extra services
    #######################
    
    ##### From both inside & outside:
    
    #- ssh on 2222
            iptables -A INPUT -p tcp --dport 2222 -j ACCEPT
    
    #- http on 8080
            iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
    
    #- https on 8008
            iptables -A INPUT -p tcp --dport 8008 -j ACCEPT
            iptables -A INPUT -p udp --dport 8008 -j ACCEPT
    
    #- mysql on 3306
            iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
    
    #- trackmania on 2350
            iptables -A INPUT -p tcp --dport 2350 -j ACCEPT
            iptables -A INPUT -p udp --dport 2350 -j ACCEPT
    
    #- Torrents
            iptables -A INPUT -p tcp --dport 49160:49300 -j ACCEPT
            iptables -A INPUT -p udp --dport 49160:49300 -j ACCEPT
    
    ##### From inside only
    
    #- samba on 139 & 445
            iptables -A INPUT -p tcp --syn -s 192.168.0.0/24 -i eth1 --dport 139 -j ACCEPT
            iptables -A INPUT -p tcp --syn -s 192.168.0.0/24 -i eth1 --dport 445 -j ACCEPT
    
    #- dhcp on 67 & 68
            iptables -A INPUT -p udp -s 192.168.0.0/24 -i eth1 --dport 67:68 --sport 67:68 -j ACCEPT
    
    #- cups on 631
            iptables -A INPUT -p tcp --syn -s 192.168.0.0/24 -i eth1 --dport 631 -j ACCEPT
    
    #########################
    # Port forwarding
    #########################
    
            iptables -A INPUT -p tcp --dport 2223 -j ACCEPT
            iptables -A FORWARD -p tcp -d 192.168.0.97 --dport 80 -j ACCEPT
            iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 2223 -j DNAT --to-destination 192.168.0.97:80
    It's running on openSUSE (9.3, I think).

  2. #2
    Linux Newbie Ziplock (Join Date: Jan 2009, Location: Adelaide, Posts: 169)
    Have you turned on port forwarding in the kernel?

    Code:
    echo "1" > /proc/sys/net/ipv4/ip_forward
    You will need to put this in your firewall script, as it will be reset at boot time.

  3. #3
    Just Joined! (Join Date: Apr 2009, Posts: 4)
    Please look at the above script; I quote:

    # activate forwarding in the kernel
    echo 1 > /proc/sys/net/ipv4/ip_forward
    The whole script runs fine, except the port forwarding.

  4. #4
    Linux Guru Lazydog (Join Date: Jun 2004, Location: The Keystone State, Posts: 2,672)
    Quote Originally Posted by v1pEr:
    iptables -t nat -A PREROUTING -p tcp -m tcp --dport 2223 -j DNAT --to-destination 192.168.0.97:80
    This is saying: before routing the packet, DNAT everything directed to port 2223.
    This rule doesn't care what interface it is coming in on.
    Are you sure this is what you want?

    iptables -A INPUT -p tcp --dport 2223 -j ACCEPT
    Since you have the above rule, this rule never takes effect, as all traffic is DNAT'ed before it is routed.

    Remember the flow of iptables:

    PREROUTING
    INPUT/OUTPUT/FORWARD
    POSTROUTING

    Regards
    Robert

    Linux: The adventure of a life time.
    Linux User #296285

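    The rule set that Lazydog's explanation points at, written out as an added example (this is not code from the thread or from the original poster's script). It takes the interface names ra0 (outside) and eth1 (inside) from the script in post #1; the gateway's LAN address 192.168.0.1, the function name pf_rules and the IPTABLES=echo dry-run convention are this example's own assumptions. It also covers the case the original poster was actually testing, a LAN host connecting to the gateway's inside address, which needs an extra SNAT step (hairpin NAT) that a plain DNAT rule does not give you.

```shell
#!/bin/sh
# Added example, not the original poster's script. Publishes 192.168.0.97:80
# on the gateway's external port 2223 for a gateway whose WAN interface is
# ra0 and whose LAN interface is eth1 (names taken from the script above).
# Assumed by this example: the gateway LAN address 192.168.0.1, the function
# name pf_rules and the IPTABLES=echo dry-run convention.

# pf_rules WAN_IF LAN_IF LAN_NET GW_LAN_IP EXT_PORT DST_IP DST_PORT
pf_rules() {
    wan=$1 lan=$2 lan_net=$3 gw_ip=$4 ext_port=$5 dst_ip=$6 dst_port=$7
    ipt=${IPTABLES:-iptables}   # IPTABLES=echo prints the rules instead

    # nat/PREROUTING runs before the routing decision, so the DNAT decides
    # where the packet goes. Match -i on the WAN side: without -i the rule
    # also rewrites LAN traffic, and with -i eth1 (as in post #1) it never
    # sees traffic from outside at all.
    $ipt -t nat -A PREROUTING -i "$wan" -p tcp --dport "$ext_port" \
        -j DNAT --to-destination "$dst_ip:$dst_port"

    # After DNAT the destination is another host, so the packet is routed
    # through FORWARD, never INPUT: an INPUT rule for port 2223 is dead code.
    # Accept only the published service plus replies of established flows,
    # which lets the FORWARD policy be DROP rather than ACCEPT.
    $ipt -A FORWARD -i "$wan" -o "$lan" -p tcp -d "$dst_ip" --dport "$dst_port" \
        -m state --state NEW -j ACCEPT
    $ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Hairpin (NAT loopback) for a LAN client that connects to the gateway's
    # own LAN address, as in the test in post #1. DNAT alone is not enough:
    # the server would answer the client directly on the LAN, the client
    # would see a reply from 192.168.0.97 for a connection it opened to
    # 192.168.0.1:2223, and the connection would time out. Masquerading the
    # forwarded packet makes the server reply via the gateway instead.
    $ipt -t nat -A PREROUTING -i "$lan" -s "$lan_net" -d "$gw_ip" -p tcp --dport "$ext_port" \
        -j DNAT --to-destination "$dst_ip:$dst_port"
    $ipt -t nat -A POSTROUTING -o "$lan" -s "$lan_net" -d "$dst_ip" -p tcp --dport "$dst_port" \
        -j MASQUERADE
    $ipt -A FORWARD -i "$lan" -o "$lan" -p tcp -d "$dst_ip" --dport "$dst_port" \
        -m state --state NEW -j ACCEPT
}

# Stand-alone use (needs root, and ip_forward=1 as in the script above):
#   ./portfwd.sh ra0 eth1 192.168.0.0/24 192.168.0.1 2223 192.168.0.97 80
# Prefix with IPTABLES=echo to review the generated rules before applying.
if [ $# -eq 7 ]; then
    pf_rules "$@"
fi
```

    Run it with IPTABLES=echo first and compare the printed rules against `iptables -t nat -L -n -v` and `iptables -L FORWARD -n -v` after applying; the packet counters on the PREROUTING DNAT rule and on the FORWARD NEW rule tell you whether the SYN reached the nat table and whether it was then forwarded, which is the quickest way to see which of the two stages is dropping the connection.
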
  5. #5
    Just Joined! (Join Date: Apr 2009, Posts: 4)
    I must admit that I don't really have a lot of knowledge about iptables. I can handle my way around a distro well enough for what I need it for (running and maintaining a home server/router/gateway/mailserver), but the script above is somewhat the result of a combination of various scripts I found on the internet and trial and error.

    Some help on this would be greatly appreciated.
