iptables - port forward

[v1pEr]

I'm using an iptables based script to firewall my gateway and I want to make one of the boxes on my inner network to be available to the outside.

I figured I needed portforwarding so I added the following rules:


iptables -t nat -A PREROUTING -p tcp -m tcp --dport 2223 -j DNAT --to-destination 192.168.0.97:80

iptables -A INPUT -p tcp --dport 2223 -j ACCEPT

When I try to connect from 192.168.0.97 to 192.168.0.1:223 (my gateway) I get a time-out however, what am I doing wrong?

The full script:

Code:

# activate forwarding in the kernel
echo 1 > /proc/sys/net/ipv4/ip_forward

# remove all current settings
iptables -F
iptables -X
#iptables -t nat -F
#iptables --delete-chain
#iptables --table nat --delete-chain

# ACCEPT output and forwarding by default, DROP INPUT by default
iptables -P INPUT  DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# Allow loopback traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# ALLOW outbound traffic
iptables -A OUTPUT -o ra0 -j ACCEPT

# Use IP masquerading
iptables -t nat -A POSTROUTING -o ra0 -j MASQUERADE

# ALLOW established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

########################
# ALLOW extra services
#######################

##### From both inside & outside:

#- ssh on 2222
        iptables -A INPUT -p tcp --dport 2222 -j ACCEPT

#- http on 8080
        iptables -A INPUT -p tcp --dport 8080 -j ACCEPT

#- https on 8008
        iptables -A INPUT -p tcp --dport 8008 -j ACCEPT
        iptables -A INPUT -p udp --dport 8008 -j ACCEPT

#- mysql on 3306
        iptables -A INPUT -p tcp --dport 3306 -j ACCEPT

#- trackmania on 2350
        iptables -A INPUT -p tcp --dport 2350 -j ACCEPT
        iptables -A INPUT -p udp --dport 2350 -j ACCEPT

#- Torrents
        iptables -A INPUT -p tcp --dport 49160:49300 -j ACCEPT
        iptables -A INPUT -p udp --dport 49160:49300 -j ACCEPT

##### From inside only

#- samba on 139 & 445
        iptables -A INPUT -p tcp --syn -s 192.168.0.0/24 -i eth1 --dport 139 -j ACCEPT
        iptables -A INPUT -p tcp --syn -s 192.168.0.0/24 -i eth1 --dport 445 -j ACCEPT

#- dhcp on 67 & 68
        iptables -A INPUT -p udp -s 192.168.0.0/24 -i eth1 --dport 67:68 --sport 67:68 -j ACCEPT

#- cups on 631
        iptables -A INPUT -p tcp --syn -s 192.168.0.0/24 -i eth1 --dport 631 -j ACCEPT

#########################
# Port forwarding
#########################

        iptables -A INPUT -p tcp --dport 2223 -j ACCEPT
        iptables -A FORWARD -p tcp -d 192.168.0.97 --dport 80 -j ACCEPT
        iptables -t nat -i eth1 -A PREROUTING -p tcp -m tcp --dport 2223 -j DNAT --to-destination 192.168.0.97:80

It's running on opensuse (9.3 I think)

[Ziplock]

Have you turned on port forwarding in the kernel?

Code:

echo "1" > /proc/sys/net/ipv4/ip_forward

You will need to put this in your firewall script as it will be reset at boot time.

[v1pEr]

Please look at the above script, I quote:

# activate forwarding in the kernel
echo 1 > /proc/sys/net/ipv4/ip_forward

The whole script runs fine, except the port forwarding

[Lazydog]

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 2223 -j DNAT --to-destination 192.168.0.97:80

This is saying before routing the packet DNAT everything directed to port 2223.
This rule doesn't care what interface it is coming in on.
Are you sure this is what you want?

iptables -A INPUT -p tcp --dport 2223 -j ACCEPT

Since you have the above rule this rule never takes affect as all traffic is DNAT'ed before it is routed.

Remember the flow of iptables

PREROUTE
INPUT/OUTPUT/FORWARD
POSTROUTE

[v1pEr]

I must admit that i don't really have a lot of knowledge about iptables. I can handle my way around a distro fairly enough for what I need idt (running and maintaining a home server/router/gateway/mailserver) but the script above is somewhat the result of a combination of various scripts I found on the internet and trial and error.

Some help on this would be greatly appreciated.