How to IP Masquerade and Port Forward with a Dynamic IP using Iptables


I feel I should know the answer to this question from reading a number of tutorials and how-tos; however, no matter how many different ways I try to beat up iptables, I can't seem to make it work, so it's time to bow out and ask an expert (I also thought it would be useful for others).

This is my setup:

I have one Linux (Fedora Core 2) box set up to act as router/firewall with two NICs:
    one external, connected to a cable modem using DHCP - eth0
    one internal, connected to the LAN, assigned - eth1

On the LAN I have a Windows (2K) box set up acting as a web server; it is assigned

The web server has been thoroughly tested and is working fine, so no problems there.

I wish to share the internet connection with the machines on the LAN - IP masquerading,

which, if I am correct, is achieved using

    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

And I wish to port forward all HTTP requests to the web server - I believe using

    iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to

I have tried this as above, but to no avail.

IP forwarding has been enabled in /etc/sysctl.conf.

Any help would be appreciated.

jlevie Commented:
I think what jonnietexas was trying to say is that you need to make it so that machines on the local LAN have access to data that equates the hostname of the web server to its private IP, rather than its public IP. One way of doing this is to create hosts file records on each machine, e.g.:

Another is to run a private DNS server inside of the firewall that equates hostnames for the domain to private IPs. You can set that DNS up to forward queries to your ISP's name servers and reduce the load on your Internet link as a result of the caching in the local & the ISP's DNS servers.
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

That is correct for a Dynamic outside IP.

> iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to

And that is correct also. I don't know what your default INPUT stance is, but if it is DENY you'll also need a rule to allow the inbound HTTP request, like:

iptables -A INPUT -i eth0 -d 0/0 -p tcp --dport 80 -j ACCEPT

If your clients have outward connectivity things are set up correctly and adding the INPUT rule for HTTP traffic should make things work.

FYI: The IPtables rule set that I use can be seen at It is probably a bit more complete than what you are currently using and should give you some ideas.
tallsi2000 (Author) Commented:
Thanks jlevie

These are the rules that I am using:

# (1) Policies (default)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# (2) INPUT chain rules

# Rules for incoming packets from LAN
iptables -A INPUT -p ALL -i eth1 -s -j ACCEPT
iptables -A INPUT -p ALL -i lo -j ACCEPT
iptables -A INPUT -p ALL -i eth1 -s -j ACCEPT

# Rules for incoming packets from the Internet

# Packets for established connections (replies only; accepting NEW here would let
# any unsolicited Internet connection through despite the DROP policy)
iptables -A INPUT -p ALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

#TCP rules

iptables -A INPUT -i eth0 -d 0/0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -d 0/0 -p tcp --dport 25 -j ACCEPT

#UDP rules

#ICMP rules

# (3) FORWARD chain rules
# Accept the packets we want to forward
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -i eth0 -j ACCEPT

# (4) OUTPUT chain rules
# Only output packets with local addresses (no spoofing)
iptables -A OUTPUT -p ALL -s -j ACCEPT
iptables -A OUTPUT -p ALL -s -j ACCEPT
iptables -A OUTPUT -p ALL -o eth0 -j ACCEPT

# (5) PREROUTING chain rules
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 25 -j DNAT --to
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to

# (6) POSTROUTING chain rules
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Also, I forgot to point out that the IP masquerading was working fine and it is just the port forwarding I am having trouble with.

I have also discovered that port 25 is forwarding fine, as I'm receiving mail with no problems.

When I attempt to access a website on the web server using the IP address of eth0, the web server appears to connect but then times out without retrieving any data.

I have only been able to test this using the router/firewall computer and computers connected to the LAN, I haven't yet been able to test from a computer on the internet.

Will this make a difference? Any other suggestions?

Regards, TallSi
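A complete rule set for the two-NIC setup described in the question and in the rules posted above, written as an added example that is not from the thread. Interface names and addresses are constructed placeholders for the values elided here, and IPT defaults to printing the iptables commands so they can be reviewed before being applied as root; unlike the posted INPUT rule it never accepts NEW connections from the external interface, and the FORWARD chain admits only the DNATed HTTP flow from the Internet, so the DROP policies actually hold for unsolicited traffic.

```shell
#!/bin/sh
# Added example, not code from the thread. IPT="echo iptables" prints the rules;
# run with IPT=iptables (as root, with net.ipv4.ip_forward=1) to apply them.
IPT="${IPT:-echo iptables}"

# router_rules EXT_IF INT_IF LAN_SUBNET WEB_SERVER_IP
# All four arguments are supplied by the caller; the values used in the
# usage call below are constructed placeholders.
router_rules() {
    ext="$1"; int="$2"; lan="$3"; web="$4"

    # Start from empty chains so re-running the script does not duplicate rules.
    $IPT -F
    $IPT -t nat -F

    # Default stance: drop what is not explicitly allowed, let the router itself talk out.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # INPUT: loopback and the LAN may reach the router; from the Internet only
    # replies to connections the router opened (ESTABLISHED,RELATED, never NEW).
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$int" -s "$lan" -j ACCEPT
    $IPT -A INPUT -i "$ext" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # FORWARD: LAN hosts out (IP masquerading), their replies back, and inbound
    # only the HTTP flow that PREROUTING has already rewritten to the web server.
    $IPT -A FORWARD -i "$int" -o "$ext" -s "$lan" -j ACCEPT
    $IPT -A FORWARD -i "$ext" -o "$int" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$ext" -o "$int" -p tcp -d "$web" --dport 80 \
        -m state --state NEW -j ACCEPT

    # nat table: port forward :80 to the web server; masquerade everything leaving
    # the external interface (correct for a dynamic outside address).
    $IPT -t nat -A PREROUTING -i "$ext" -p tcp --dport 80 -j DNAT --to-destination "$web"
    $IPT -t nat -A POSTROUTING -o "$ext" -j MASQUERADE
}

# Constructed placeholder values standing in for the addresses elided in the post.
router_rules eth0 eth1 192.168.1.0/24 192.168.1.10
```

The printed rule set should contain exactly one DNAT and one MASQUERADE line and no rule matching NEW state on the external interface in the INPUT chain.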


> I have only been able to test this using the router/firewall computer and computers connected to the LAN

An IPtables firewall won't allow you to use an inside machine to connect to the outside IP of the port forward. You can only test the web server from outside.

Since the SMTP port forward works and it is equivalent to the setup for the HTTP port, I think you'll find that it will work also, at least as far as packets hitting the firewall and being forwarded to your web server. And as long as the Windows box's web server will respond to requests from any IP, everything should work.
tallsi2000 (Author) Commented:
Cool, thanks.

I guess the next question is: can I make it so that internal machines can access the web server?

Such as editing their hosts files or using a DNS server.

Regards, Tall Si

Yes, create an "A" record for the web address for the IP on the DNS or in their hosts file.
Yep, that's what I said ;)