saikit

iptables port forward

I want to forward all port 80 traffic to an internal server, but can't make it work. My config is as follows:

The iptables server:
eth0 : 2xx.xxx.xxx.37
eth0 : 2xx.xxx.xxx.38 (alias)
eth1 : 192.168.0.1

iptables commands that I had run:
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp -d 2xx.xxx.xxx.38 --dport 80 -j DNAT --to 192.168.0.2

The internal server:
eth0: 192.168.0.2
eth0: 2xx.xxx.xxx.38 (alias)
gateway: 192.168.0.1

Pings from outside (my home) to 2xx.xxx.xxx.37 or 2xx.xxx.xxx.38 (office) are okay.


What's missing/wrong? Please advise. Thanks. :)
5733133

You might want to set up 2xx.xxx.xxx.38 as a virtual interface (eth0:0)

then make your rules:

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0:0 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp -d 2xx.xxx.xxx.38 --dport 80 -j DNAT --to 192.168.0.2

otherwise only the DNS (or /etc/hosts) knows where to direct traffic bound for 2xx.xxx.xxx.38

use ifconfig to make a virtual interface, like so...

ifconfig eth0:0 2xx.xxx.xxx.38 netmask 255.255.255.0


5733133
You don't _want_ to have the 2xx.xxx.xxx.38 alias on the internal server!
(Read "don't _want_" as "must not"!)

I'd do
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j SNAT --to-source 2xx.xxx.xxx.37

(SNAT is preferred to MASQUERADE when using static IPs as it is faster)

HTH,
-XoF-
Don't know, but it happened to me once; I forgot to add a rule like
iptables -t filter -A FORWARD -i eth0 -o eth1 -p tcp --dport 80 -j ACCEPT
Ever tried this setup?
And this MUST work ;)

The iptables server:
eth0 : 2xx.xxx.xxx.37
eth0 : 2xx.xxx.xxx.38 (alias)
eth1 : 192.168.0.1


iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.0.2 -p tcp --sport 80 -o eth0 -j SNAT --to 2xx.xxx.xxx.38
iptables -t nat -A PREROUTING -p tcp -d 2xx.xxx.xxx.38 --dport 80 -j DNAT --to 192.168.0.2

The internal server:
eth0: 192.168.0.2
gateway: 192.168.0.1



I bet this works ;)
have phun

ASKER CERTIFIED SOLUTION
XoF
@XoF:
Hmm, I think your example would never work...
Your example above:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2
 - this line means every (!!) packet that comes on eth0 and is addressed to port 80 gets redirected to 192.168.0.2

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j SNAT --to-source 2xx.xxx.xxx.37
 - and this line just forwards the packets of the internal net 192.168. into the inet, just with a changed source ip address...
 - every answer that comes back is addressed by the remote to 2xx.xxx.xxx.37, which doesn't know about any connection it has tried to do...
 - these packets are not even redirected to another host, so they will surely be discarded
 - therefore you need MASQUERADE... NAT for all the pc's behind will only work with MORE ip addresses

So if a computer behind the firewall tries to set up a connection, the packet arrives at the remote host..
The remote host sends back this packet.. that packet is discarded at the firewall.

Why did you remove the masquerading line?
SNAT is not masquerading, but masquerading is a special SNAT ;)


Of course I swapped the first two lines, sorry - I'm used to doing a '-I' instead of '-A', so I messed it up.
This is correct:
iptables -t nat -A POSTROUTING -s 192.168.0.2 -p tcp --sport 80 -o eth0 -j SNAT --to 2xx.xxx.xxx.38
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp -d 2xx.xxx.xxx.38 --dport 80 -j DNAT --to 192.168.0.2



g3gg0:
What does then your rule do, except redirecting every packet regardless of interface (which is the same)??
iptables -t nat -A PREROUTING -p tcp -d 2xx.xxx.xxx.38 --dport 80 -j DNAT --to 192.168.0.2

As for the 2.4.20 kernel, SNAT keeps track of packets (AFAIK they don't intend to change that), so it's almost the same as MASQUERADE, though SNAT is preferred (at least by the iptables documentation) when static ips are used. That's because MASQUERADE drops all tracking info when ips are changed, but SNAT doesn't, which means if your link goes down and then comes up there is a (theoretical) possibility that some connections can be continued.
saikit:
- are you still out there?
- the problem with your rules is the following:
A client sends a request to .38 which will be forwarded to 192.168.0.2. That server sends a response which has - due to the masquerading - a source address of .37 at the client side. So you won't establish any connections.....
That's why you need the separate SNAT rule......



g3gg0:

> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2
> - this line means every (!!) packet that comes on eth0 and is addressed to port 80 gets redirected to 192.168.0.2

Hmm, didn't you actually propose the same rule for DNAT?
IMHO this rule is absolutely correct!

According to the SNAT/MASQUERADE question:
As already mentioned by problems_maker, netfilter is _stateful_ and so keeps track of existing connections.
As read in "man iptables":

 MASQUERADE
     This target is only valid in the nat table, in the POSTROUTING
     chain. It should only be used with dynamically assigned IP (dialup)
     connections: if you have a static IP address, you should use the
     SNAT target. Masquerading is equivalent to specifying a mapping to
     the IP address of the interface the packet is going out, but also
     has the effect that connections are forgotten when the interface
     goes down. This is the correct behavior when the next dialup is
     unlikely to have the same interface address (and hence any
     established connections are lost anyway). It takes one option:

HAND,
-XoF-
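The setup that resolved this thread (DNAT on the external interface, SNAT rather than MASQUERADE for the static address, and the FORWARD ACCEPT rule that is easy to forget), as an added example that is not any poster's own rules: a POSIX shell function that prints the rule set for review before it is piped to a root shell. Interface names, the LAN net, the internal host and the documentation address 203.0.113.38 are constructed parameters; the example also narrows the DNAT to the public address and adds the ip_forward sysctl and state-match FORWARD rules, which go beyond XoF's two lines.

```shell
#!/bin/sh
# Added example (not a poster's own rules): print the netfilter rules for the
# setup that resolved the thread, so they can be reviewed before being applied.
# Arguments: EXT_IF INT_IF PUBLIC_IP LAN_NET INT_HOST PORT
portfwd_rules() {
    ext_if=$1; int_if=$2; pub_ip=$3; lan_net=$4; int_host=$5; port=$6
    cat <<EOF
# Forwarding between the interfaces must be on, or no NAT rule will help.
sysctl -w net.ipv4.ip_forward=1
# DNAT: inbound tcp/$port for $pub_ip on $ext_if goes to the internal server.
# Conntrack remembers the mapping and rewrites the replies back to $pub_ip,
# so the public address must NOT also be configured on $int_host.
iptables -t nat -A PREROUTING -i $ext_if -d $pub_ip -p tcp --dport $port -j DNAT --to-destination $int_host
# SNAT, not masquerading: the public address is static, and SNAT keeps its
# conntrack entries when the interface flaps.
iptables -t nat -A POSTROUTING -s $lan_net -o $ext_if -j SNAT --to-source $pub_ip
# The filter table still has to pass the DNATed packets through FORWARD; a
# DROP policy there is the classic reason the NAT rules "look right" but
# nothing connects.
iptables -A FORWARD -i $ext_if -o $int_if -d $int_host -p tcp --dport $port -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $int_if -o $ext_if -s $lan_net -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Sanity check on the generated rule set: exactly one DNAT, one SNAT and no
# MASQUERADE target.  Returns 0 when the set is consistent.
portfwd_check() {
    rules=$(portfwd_rules "$@")
    [ "$(printf '%s\n' "$rules" | grep -c 'j DNAT')" -eq 1 ] || return 1
    [ "$(printf '%s\n' "$rules" | grep -c 'j SNAT')" -eq 1 ] || return 1
    printf '%s\n' "$rules" | grep -q -- '-j MASQUERADE' && return 1
    return 0
}

# Review, then apply as root:
#   portfwd_rules eth0 eth1 203.0.113.38 192.168.0.0/24 192.168.0.2 80 | sh
```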
saikit

ASKER

XoF, I followed and succeeded!!

Many thanks!