  1. #1 (Just Joined!, Join Date: Jul 2007, Posts: 10)

    iptables port forwarding problem


    Hi everybody! I am trying to forward port 2080 from the public machine to an internal machine to port 80.

    --->|PUBLIC_IP:2080|--->LAN--->|10.0.0.101:80|

    So, to be more explicit, when I type in http://public_ip:2080 it should give me the private machine in the LAN that has a web server on it. My iptables is as follows:

    ==================IPTABLES - SOME PARTS MISSING=======================

    #!/bin/sh

    . /etc/rc.d/init.d/functions
    . /etc/sysconfig/network

    if [ ${NETWORKING} = "no" ]
    then
    exit 0
    fi
    if [ ! -x /sbin/iptables ]; then
    exit 0
    fi
    case "$1" in
    start)
    echo -n "Starting Firewalling: "

    EXTERNAL_INTERFACE="eth0"
    LOOPBACK_INTERFACE="lo"
    LOCAL_INTERFACE_1="eth1"
    INTRANET="10.0.0.0/16"

    /sbin/modprobe ip_tables
    /sbin/modprobe ipt_state
    /sbin/modprobe iptable_nat
    /sbin/modprobe iptable_filter
    /sbin/modprobe ip_conntrack
    /sbin/modprobe ip_conntrack_ftp
    /sbin/modprobe ip_nat_ftp
    /sbin/modprobe ipt_MASQUERADE
    /sbin/modprobe iptable_mangle
    /sbin/modprobe ipt_LOG
    /sbin/modprobe ipt_MARK
    /sbin/modprobe ipt_REDIRECT
    /sbin/modprobe ipt_REJECT
    /sbin/modprobe ipt_TOS
    /sbin/modprobe ipt_limit
    /sbin/modprobe ipt_mac
    /sbin/modprobe ipt_mark
    /sbin/modprobe ipt_multiport
    /sbin/modprobe ipt_state
    /sbin/modprobe ipt_tos

    iptables -F
    iptables -F -t nat

    iptables -X

    #drop all incoming packets by default
    iptables -P INPUT DROP
    #let everything out from the inside
    iptables -P OUTPUT ACCEPT
    #forward all packets by default
    iptables -P FORWARD ACCEPT

    iptables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
    iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT

    iptables -A INPUT -i $LOCAL_INTERFACE_1 -s $INTRANET -j ACCEPT
    iptables -A OUTPUT -o $LOCAL_INTERFACE_1 -d $INTRANET -j ACCEPT

    #nat for the lan
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    #I am redirecting 80 to 8080 to squid for transparent browsing proxy
    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080

    #here I'm opening port 2080 for access
    iptables -A INPUT -p tcp -m tcp --dport 2080 -j ACCEPT
    #forwarding port 2080 to 80
    iptables -t nat -A PREROUTING -t nat -p tcp -i eth0 --dport 2080 -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to 10.0.0.101:80
    iptables -A FORWARD -i eth0 -o eth1 -p tcp -d 10.0.0.101 -j ACCEPT
    #performing SNAT to the webserver
    iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 10.0.0.101


    ======================================================================


    The last lines are the most important in this case as well as the default INPUT, OUTPUT and FORWARD policies. For some reason if I do iptables -L -n, I don't see the specific port 2080 opened. The only thing I see that refers to 10.0.0.101 is here:

    Chain INPUT (policy DROP)
    target prot opt source destination
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
    ACCEPT all -- 10.0.0.0/16 0.0.0.0/0
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2080

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    ACCEPT tcp -- anywhere 10.0.0.101

    No 10.0.0.101 on the OUTPUT chain or 2080...since OUTPUT is ACCEPT by default...

    If I do an nmap on the public IP, I don't see 2080 open, and of course if I try to access http://public_ip:2080 it gives me nothing... So that means that the port doesn't get forwarded, or the packets get inside the LAN but don't get out...!?

    What am I doing wrong? Thank you!

  2. #2 Lazydog (Linux Guru, Join Date: Jun 2004, Location: The Keystone State, Posts: 2,677)
    Quote Originally Posted by bogdan_bartos:
    #nat for the lan
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    #performing SNAT to the webserver
    iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 10.0.0.101
    This will not work!

    iptables -t nat -A PREROUTING -t nat -p tcp -i eth0 --dport 2080 -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to 10.0.0.101:80
    Try using ' -j DNAT --to-destination ' in the above.

    Regards
    Robert


  3. #3 (Just Joined!, Join Date: Jul 2007, Posts: 10)
    Hi there,

    Thank you for helping me. My mistake was that I thought port forwarding doesn't work since I could not see http://public_ip:2080, but it makes sense. I am able to see the page from the outside network, so all this time it worked just fine. From the inside network, I can see the page with the private IP... I am such a fool!

    Cheers!
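    The two points raised in this thread, as an added example that is not code from either poster: post #2 says the extra "SNAT --to 10.0.0.101" on eth0 will not work and suggests "--to-destination", and post #3 shows that the forward only works from outside because the DNAT rule matches "-i eth0", so a LAN client asking for PUBLIC_IP:2080 never hits it. The script below writes a minimal DNAT forward for the topology in post #1 without the stray SNAT rule, and adds a hairpin (NAT loopback) pair so LAN clients can use the public address too. The interface names, the LAN range and the web host come from the thread; PUBLIC_IP is a constructed placeholder (203.0.113.10), and IPT defaults to a dry run that prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes eth0 is the public side, eth1 the
# LAN, and that net.ipv4.ip_forward=1 is already set on the router.
# IPT defaults to printing the commands; set IPT=/sbin/iptables (as root) to apply.

IPT="${IPT:-echo iptables}"
EXT_IF="${EXT_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-10.0.0.0/16}"
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"   # constructed placeholder for the eth0 address
WEB_HOST="${WEB_HOST:-10.0.0.101}"
EXT_PORT="${EXT_PORT:-2080}"
WEB_PORT="${WEB_PORT:-80}"

# External path: --->|PUBLIC_IP:2080|--->LAN--->|10.0.0.101:80|
forward_rules() {
    # Rewrite the destination before routing. Only the first packet of a
    # connection traverses the nat table, so no state match is needed here.
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport "$EXT_PORT" \
        -j DNAT --to-destination "$WEB_HOST:$WEB_PORT"
    # Let the forwarded connection in and its replies back out (FORWARD is
    # consulted for every packet, so the state match matters here).
    $IPT -A FORWARD -i "$EXT_IF" -o "$LAN_IF" -p tcp -d "$WEB_HOST" --dport "$WEB_PORT" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$EXT_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The web server's replies are un-DNATed by conntrack automatically; the
    # ordinary LAN masquerade is all that is needed on eth0. A blanket
    # "SNAT --to 10.0.0.101" on eth0 would rewrite every LAN host's egress.
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
}

# Hairpin path: a LAN client connecting to PUBLIC_IP:2080 arrives on eth1, so
# the "-i eth0" rule above never sees it. Match it on the LAN side, and also
# masquerade it towards the web host so the reply returns via the router
# instead of going straight back to the client with the wrong source address.
hairpin_rules() {
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -d "$PUBLIC_IP" \
        -p tcp --dport "$EXT_PORT" -j DNAT --to-destination "$WEB_HOST:$WEB_PORT"
    $IPT -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -d "$WEB_HOST" \
        -p tcp --dport "$WEB_PORT" -j MASQUERADE
    # Needed only if the FORWARD policy is DROP (it is ACCEPT in post #1).
    $IPT -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -p tcp -d "$WEB_HOST" --dport "$WEB_PORT" \
        -j ACCEPT
}

# Dry run by default; the two functions print the rules in the order they
# would be applied.
forward_rules
hairpin_rules
```

    One check worth knowing from post #1: "iptables -L -n" lists only the filter table, which is why the 2080 DNAT rule was not visible there; "iptables -t nat -L -n" shows the PREROUTING and POSTROUTING entries, and "iptables -t nat -L -n -v" adds packet counters so you can see whether the DNAT rule is actually being hit.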
