iptables and port forwarding

tschulte
I'm having issues setting up port forwarding. I'm running Slackware 8.1 with the 2.4.19 kernel and iptables 1.2.6a.
I'm using iptables, but I just can't get it to forward the ports to incoming connections. I have a box inside the network that is serving FTP and HTTP, and I want to forward all HTTP and FTP traffic from eth0 to 192.168.1.12. Below is the script that I have for HTTP; another one that I tried is commented out. Any help would be greatly appreciated...

--------------------------------------------
echo "Starting HTTP Forward"
# DNAT in PREROUTING, but only for packets that already carry the internal address 192.168.1.12
iptables -t nat -A PREROUTING -i eth0 -p tcp -d 192.168.1.12 --dport 80 -j DNAT --to 192.168.1.12:80
# accept in INPUT (the chain for traffic addressed to the firewall itself)
iptables -I INPUT 1 -i eth0 -p tcp -d 192.168.1.12 --dport 80 -j ACCEPT

# earlier attempt, commented out
#iptables -A FORWARD -p tcp -i eth0 --destination-port 80 -j ACCEPT
#iptables -A PREROUTING -t nat -p tcp -i eth0 --destination-port 80 -j DNAT --to 65.217.89.186:80
#iptables -A INPUT -p tcp -i eth1 --destination-port 80 -j ACCEPT

# masquerade outbound traffic on eth0 and accept return traffic to the firewall
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Mihai Barbos (Trying to tame bits. They're nasty.)
Commented:
Change the first rule from -d 192.168.1.12 to -d 65.217.89.186

Author commented:
You a player, mbarbos? I never expected that comment :P, and even so, it doesn't work. That's why I'm asking...
Commented:
You also need to SNAT the packets to your internal web server as otherwise it will try to respond to the external user directly, which will obviously not work.

Try the following instead:

iptables -t nat -A PREROUTING -d <FirewallExternalIP>/255.255.255.255 -m tcp -p tcp --dport 80 -j DNAT --to-destination 192.168.1.12
iptables -t nat -A POSTROUTING -d 192.168.1.12/255.255.255.255 -m tcp -p tcp --dport 80 -j SNAT --to-source <FirewallInternalIP>

Where <FirewallExternalIP> is replaced with the IP address of your public interface (eth0?) and <FirewallInternalIP> is the IP address of your internal interface, presumably something like 192.168.1.1.

If that does not work, then I would highly recommend checking out this tutorial: http://iptables-tutorial.haringstad.com/iptables-tutorial.html

Hope this helps!

DrCamel


--
Simon Morley
Network Manager for Xara Online Ltd
DDI: +44 1442 351024

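An added example, not a script from the asker or from DrCamel, that turns DrCamel's DNAT+SNAT fix into a parameterised script and adds the pieces the original script was missing: enabling IP forwarding, FORWARD-chain accepts (DNATed packets for another host never reach INPUT), and the 2.4-era FTP helpers. The interfaces, the addresses (203.0.113.10 is a constructed public address) and the file name forward.sh are assumptions.

```shell
#!/bin/sh
# Added example, not the asker's or DrCamel's script. Interfaces and addresses
# are assumed placeholders; 203.0.113.10 is a constructed public address.
EXT_IF="${EXT_IF:-eth0}"
EXT_IP="${EXT_IP:-203.0.113.10}"
INT_IF="${INT_IF:-eth1}"
INT_IP="${INT_IP:-192.168.1.1}"
SERVER="${SERVER:-192.168.1.12}"

# Per-port rules: DNAT matched on the firewall's public address (the thread's
# first fix), plus a FORWARD accept, because DNATed packets destined for
# another host traverse FORWARD, never INPUT.
port_rules() {
    printf '%s\n' \
      "iptables -t nat -A PREROUTING -i $EXT_IF -d $EXT_IP -p tcp --dport $1 -j DNAT --to-destination $SERVER:$1" \
      "iptables -A FORWARD -i $EXT_IF -o $INT_IF -d $SERVER -p tcp --dport $1 -m state --state NEW -j ACCEPT"
}

# Shared rules: replies and RELATED data channels in either direction, and the
# SNAT DrCamel describes, kept port-less so FTP data connections are rewritten
# too. Cost: the server's logs then show the firewall's address, not the client's.
shared_rules() {
    printf '%s\n' \
      "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT" \
      "iptables -t nat -A POSTROUTING -o $INT_IF -d $SERVER -j SNAT --to-source $INT_IP"
}

apply_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward           # forwarding is off until enabled
    modprobe ip_conntrack_ftp; modprobe ip_nat_ftp   # 2.4 FTP helpers for the data channel
    { port_rules 80; port_rules 21; shared_rules; } | while read -r cmd; do eval "$cmd"; done
}

# Only touches the kernel when explicitly asked: sh forward.sh apply
if [ "${1:-}" = "apply" ]; then apply_rules; fi
```

Without the `apply` argument the script only defines the functions, so `port_rules 80` can be used to print the rules and review them before loading.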
tschulte:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.

Commented:
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:
Accept DrCamel's comment as answer.
Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

troopern
EE Cleanup Volunteer
