- 08-31-2006 #1Just Joined!
- Join Date
- Aug 2006
- Posts
- 5
iptables for webserver with NAT
Hi
I am working on this iptables for some time now and would appreciate any help.
My network is configured as follows (I use vmware for the server, in case you wonder about the strange adapter names):
Laptop | eth0 (192.168.1.1) <-> eth0 (192.168.1.2) | Server | vmware8 (172.16.139.1) <-> (172.16.139.2) | VmwareWebServer
The following works
On Server : ping 172.16.139.2
On Server: telnet 172.16.139.2 80
On Laptop: ping 192.168.1.2
I would like to get this to work
On Laptop: telnet 192.168.1.2 80
this request should be forwarded to the VmwareWebServer.
To accomplish this I tried the following rules on the server.
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j DNAT --to 172.16.139.2:80
iptables -A INPUT -p tcp -m state --state NEW --dport 80 -i eth0 -j ACCEPT
However, it doesn't work; I cannot connect to the WebServer from my laptop.
thx
Lukas
- 08-31-2006 #2
You don't need an INPUT rule because your server acts as a router between your Laptop and VMWARE. Just add FORWARD rules for both directions.
"Really, I'm not out to destroy Microsoft. That will just be a completely unintentional side effect." Linus Benedict Torvalds
- 08-31-2006 #3Just Joined!
- Join Date
- Aug 2006
- Posts
- 5
Hi
Sorry that I have to ask one more time, but I don't get this stuff to run.
I tried your suggestion with the FORWARD chain and tried to be as less
permissive as possible to avoid any error.
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j DNAT --to 172.16.139.2:80
iptables -A FORWARD -i eth0 -o vmware8 -j ACCEPT
iptables -A FORWARD -i vmware8 -o eth0 -j ACCEPT
Now traffic between eth0 and vmware8 is allowed and the incoming packets on port 80 are redirected to the server.
But it still doesn't work.
thx
- 08-31-2006 #4
Do you already have active iptables rules when you add your rules? Then use -I instead of -A in your rules.
- 08-31-2006 #5Just Joined!
- Join Date
- Aug 2006
- Posts
- 5
Hi
I don't have any predefined rules for iptables. When I use iptables -L I get
the following:
#iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
It looks correct to me
#iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:www to:172.16.139.2:80
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
- 09-01-2006 #6
Did you set up your server to act as a router?
Code:
cat /proc/sys/net/ipv4/ip_forward
should return 1
- 09-12-2006 #7Just Joined!
- Join Date
- Sep 2005
- Location
- New delhi
- Posts
- 22
Add iptables -A POSTROUTING -t nat -d 172.16.139.2 -j SNAT --to-source 172.16.139.1
Originally Posted by einKI
If you do not have your server mentioned as GATEWAY on your VMWARE server box... you will need the above rule as well.
(And I am assuming that you have the server box acting as your laptop's gateway as well.)
Though this will help you... Port forwarding tutorial http://amitsharma.linuxbloggers.com/portforwarding.htm
- 09-12-2006 #8Linux Enthusiast
- Join Date
- Dec 2004
- Posts
- 637
When you set up the guest OS, did you use NAT or bridged networking?


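The checks the replies walk through (ip_forward, the DNAT rule, the FORWARD chain and the return path) collected into one script, as an added example that is not part of any post in this thread. It reads `iptables-save` output on stdin; the function names, the constructed sample dump and the WARN on blanket FORWARD rules are this example's own assumptions.

```shell
#!/bin/sh
# Usage: iptables-save | check_dnat_forward "$(cat /proc/sys/net/ipv4/ip_forward)" DEST_IP PORT
# Prints FAIL/WARN findings; the exit status is the number of FAILs.
has() { printf '%s\n' "$rules" | grep -Eq -- "$1"; }

check_dnat_forward() {
    fwd=$1; dst=$2; port=$3; fails=0
    rules=$(cat)                                     # keep the dump so each check can rescan it
    re_dst=$(printf '%s' "$dst" | sed 's/\./\\./g')  # match the dots in the IP literally
    # 1. Kernel routing switch (post #6): ip_forward must read 1.
    if [ "$fwd" != 1 ]; then
        echo "FAIL ip_forward=$fwd, the kernel will not route between interfaces"
        fails=$((fails + 1))
    fi
    # 2. nat/PREROUTING must rewrite tcp/PORT to the web server (post #1).
    if ! has "^-A PREROUTING .*--dport $port .*-j DNAT --to-destination ${re_dst}(:$port)?\$"; then
        echo "FAIL no DNAT rule sending port $port to $dst"
        fails=$((fails + 1))
    fi
    # 3. filter/FORWARD must pass the rewritten packets (post #2), ideally only those.
    if ! has '^(:FORWARD ACCEPT|-A FORWARD .*-j ACCEPT$)'; then
        echo "FAIL FORWARD chain has no ACCEPT for the forwarded packets"
        fails=$((fails + 1))
    elif has '^(:FORWARD ACCEPT|-A FORWARD (-i [^ ]+ )?(-o [^ ]+ )?-j ACCEPT$)'; then
        echo "WARN FORWARD accepts all traffic, not only tcp/$port to $dst"
    fi
    # 4. Replies must return via this host (post #7): SNAT here, or it is the web server's gateway.
    if ! has '^-A POSTROUTING .*-j (SNAT|MASQUERADE)'; then
        echo "WARN no SNAT/MASQUERADE, so $dst must use this host as its gateway"
    fi
    return "$fails"
}

# Constructed dump modelled on the rules listed in post #5 (not real output).
sample_thread_rules() {
    cat <<'EOF'
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.16.139.2:80
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i eth0 -o vmware8 -j ACCEPT
-A FORWARD -i vmware8 -o eth0 -j ACCEPT
COMMIT
EOF
}

# ip_forward=0 is an assumed value; the thread never reports what it was.
sample_thread_rules | check_dnat_forward 0 172.16.139.2 80 || true
```

A WARN does not count towards the exit status: the first flags rules broader than the port forward needs, the second a return path that cannot be confirmed from the ruleset alone.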
