How to IP Masquerade and Port Forward with a Dynamic IP using Iptables

Posted on 2004-09-06
Medium Priority
Last Modified: 2010-03-18

I feel I should know the answer to this question from reading a number of tutorials and how-tos; however, no matter how many different ways I try to beat up iptables, I can't seem to make it work, so it's time to bow out and ask an expert (I also thought it would be useful for others).

This is my setup:

I have one Linux (Fedora Core 2) box set up to act as router/firewall with two NICs:
  one external, connected to a cable modem using DHCP - eth0
  one internal, connected to a LAN, assigned - eth1

On the LAN I have a Windows (2K) box set up acting as a web server; it is assigned

The web server has been thoroughly tested and is working fine, so no problems there.

I wish to share the internet connection with the machines on the LAN - IP masquerading,

which, if I am correct, is achieved using

  iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

And I wish to port forward all HTTP requests to the web server - I believe using

  iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to

I have tried this as above, but to no avail.

IP forwarding has been enabled in /etc/sysctl.conf

Any help would be appreciated

Question by:tallsi2000
LVL 40

Expert Comment

ID: 11992653
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

That is correct for a Dynamic outside IP.

> iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to

And that is correct also. I don't know what your default INPUT stance is, but if it is DENY you'll also need a rule to allow the inbound HTTP request, like:

iptables -A INPUT -i eth0 -d 0/0 -p tcp --dport 80 -j ACCEPT

If your clients have outward connectivity things are set up correctly and adding the INPUT rule for HTTP traffic should make things work.

FYI: The IPtables rule set that I use can be seen at http://www.entrophy-free.net/tools/iptables-gw. It is probably a bit more complete than what you are currently using and should give you some ideas.

Author Comment

ID: 11992842
Thanks, jlevie.

These are the rules that I am using:

# (1) Policies (default)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# (2) INPUT chain rules

# Rules for incoming packets from LAN
iptables -A INPUT -p ALL -i eth1 -s -j ACCEPT
iptables -A INPUT -p ALL -i lo -j ACCEPT
iptables -A INPUT -p ALL -i eth1 -s -j ACCEPT

# Rules for incoming packets from the Internet

# Packets for established connections
iptables -A INPUT -p ALL -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

#TCP rules

iptables -A INPUT -i eth0 -d 0/0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -d 0/0 -p tcp --dport 25 -j ACCEPT

#UDP rules

#ICMP rules

# (3) FORWARD chain rules
# Accept the packets we want to forward
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -i eth0 -j ACCEPT

# (4) OUTPUT chain rules
# Only output packets with local addresses (no spoofing)
iptables -A OUTPUT -p ALL -s -j ACCEPT
iptables -A OUTPUT -p ALL -s -j ACCEPT
iptables -A OUTPUT -p ALL -o eth0 -j ACCEPT

# (5) PREROUTING chain rules
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 25 -j DNAT --to
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to

# (6) POSTROUTING chain rules
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Also, I forgot to point out that the IP masquerading was working fine and it is just the port forwarding I am having trouble with.

I have also discovered that port 25 is forwarding fine, as I'm receiving mail with no problems.

When I attempt to access a website on the web server using the IP address of eth0, the web server appears to connect but then times out without retrieving any data.

I have only been able to test this using the router/firewall computer and computers connected to the LAN; I haven't yet been able to test from a computer on the internet.

Will this make a difference? Any other suggestions?

Regards, TallSi
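The rule set posted above, rebuilt as an added example (my own dry-run script, not the poster's or jlevie's rules) with constructed placeholder addresses, since the thread's own were not preserved. It differs from the posted rules in two places a reviewer would flag: the INPUT state rule drops NEW (with NEW present, as posted, unsolicited connections from eth0 pass the DROP policy), and because the DNAT is applied in PREROUTING the forwarded port 80 and 25 requests traverse FORWARD rather than INPUT, so FORWARD is narrowed to those two services instead of accepting everything arriving on eth0.

```shell
#!/bin/sh
# Added example, not the thread's own rules: the poster's rule set rebuilt as a
# dry-run script. IPT defaults to "echo iptables", so running it prints the
# commands; IPT=iptables sh fw.sh (as root) installs them for real.
IPT="${IPT:-echo iptables}"
EXT_IF=eth0                 # cable modem side, address assigned by DHCP
LAN_IF=eth1
LAN_NET="192.168.1.0/24"    # constructed: the thread's own addresses were not preserved
WEB_IP="192.168.1.10"       # constructed private IP of the Windows web server
MAIL_IP="192.168.1.10"      # constructed; the same box receives mail in this example

apply_rules() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT   # the firewall's own outbound traffic
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    # Only replies to connections the firewall itself opened. NEW is left out on
    # purpose: with it (as in the posted rule) any unsolicited connection from
    # the Internet gets past the DROP policy.
    $IPT -A INPUT -i "$EXT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # FORWARD: LAN out, replies back, and only the two DNATed services in. The
    # DNATed requests never reach INPUT, so this is where they must be allowed.
    $IPT -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IF" -p tcp -d "$WEB_IP" --dport 80 -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IF" -p tcp -d "$MAIL_IP" --dport 25 -j ACCEPT
    # nat table: rewrite the destination on the way in; MASQUERADE uses whatever
    # address DHCP currently gave eth0, which is why it suits a dynamic IP.
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 80 -j DNAT --to-destination "$WEB_IP"
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 25 -j DNAT --to-destination "$MAIL_IP"
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
}

# Self-checks that work in dry-run mode: how many DNAT rules would be installed,
# and whether any INPUT rule on the external interface still admits NEW connections.
count_dnat() { apply_rules | grep -c -- '-j DNAT'; }
accepts_new_from_ext() { apply_rules | grep -- "-A INPUT -i $EXT_IF" | grep -q NEW; }

apply_rules
```

The LAN-side test from the thread still fails with these rules, as jlevie says; the script deliberately stays with the thread's answer (hosts file or private DNS) rather than adding hairpin NAT.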

LVL 40

Expert Comment

ID: 11992871
> I have only been able to test this using the router/firewall computer and computers connected to the LAN

An IPtables firewall won't allow you to use an inside machine to connect to the outside IP of the port forward. You can only test the web server from outside.

Since the SMTP port forward works and it is equivalent to the set up for the HTTP port, I think you'll find that it will work also, at least as far as packets hitting the firewall and being forwarded to your web server. And as long as the Windows box's web server will respond to requests from any IP, everything should work.

Author Comment

ID: 11992905
Cool, thanks.

I guess the next question is: can I make it so that internal machines can access the web server?

Such as by editing their hosts files or using a DNS server?

Regards, Tall Si


Expert Comment

ID: 11993110
Yes, create an "A" record for the web address for the IP on the DNS or in their hosts file.
LVL 40

Accepted Solution

jlevie earned 1000 total points
ID: 11993671
I think what jonnietexas was trying to say is that you need to make it so that machines on the local LAN have access to data that equates the hostname of the web server to its private IP, rather than its public IP. One way of doing this is to create hosts file records on each machine, e.g.:       www.mydomain.com

Another is to run a private DNS server inside the firewall that equates hostnames for the domain to private IPs. You can set that DNS up to forward queries to your ISP's name servers and reduce the load on your Internet link as a result of the caching in the local and the ISP's DNS servers.

Expert Comment

ID: 11995964
yep, that's what I said ;)
