
How to IP Masquerade and Port Forward with a Dynamic IP using Iptables

Posted on 2004-09-06
Last Modified: 2010-03-18
Hi

I feel I should know the answer to this question from reading a number of tutorials and how-tos; however, no matter how many different ways I try to beat up iptables I can't seem to make it work, so it's time to bow out and ask an expert (I also thought it would be useful for others).

This is my setup:

I have one Linux (Fedora Core 2) box set up to act as router/firewall with two NICs:
    one external, connected to a cable modem using DHCP - eth0
    one internal, connected to a LAN, assigned 192.168.1.1 - eth1

On the LAN I have a Windows (2K) box set up acting as a web server; it is assigned 192.168.1.2.

The web server has been thoroughly tested and is working fine, so no problems there.

I wish to share the internet connection with the machines on the LAN (IP masquerading),

    which, if I am correct, is achieved using

        iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

And I wish to port forward all HTTP requests to the web server - I believe using

        iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to 192.168.1.2

I have tried this as above, however, but to no avail.

IP forwarding has been enabled in /etc/sysctl1.conf

Any help would be appreciated.


Question by:tallsi2000
LVL 40

Expert Comment

by:jlevie
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

That is correct for a Dynamic outside IP.

> iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to 192.168.1.2

And that is correct also. I don't know what your default INPUT stance is, but if it is DENY you'll also need a rule to allow the inbound HTTP request, like:

iptables -A INPUT -i eth0 -d 0/0 -p tcp --dport 80 -j ACCEPT

If your clients have outward connectivity things are set up correctly and adding the INPUT rule for HTTP traffic should make things work.

FYI: The IPtables rule set that I use can be seen at http://www.entrophy-free.net/tools/iptables-gw. It is probably a bit more complete than what you are currently using and should give you some ideas.

Author Comment

by:tallsi2000
Thanks jlevie

These are the rules that I am using:

# (1) Policies (default)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# (2) INPUT chain rules

# Rules for incoming packets from LAN
iptables -A INPUT -p ALL -i eth1 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p ALL -i lo -j ACCEPT
iptables -A INPUT -p ALL -i eth1 -s 192.168.1.255 -j ACCEPT


# Rules for incoming packets from the Internet

# Packets for established connections
iptables -A INPUT -p ALL -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

#TCP rules

iptables -A INPUT -i eth0 -d 0/0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -d 0/0 -p tcp --dport 25 -j ACCEPT

#UDP rules


#ICMP rules


# (3) FORWARD chain rules
# Accept the packets we want to forward
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -i eth0 -j ACCEPT

# (4) OUTPUT chain rules
# Only output packets with local addresses (no spoofing)
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 192.168.1.1 -j ACCEPT
iptables -A OUTPUT -p ALL -o eth0 -j ACCEPT

# (5) PREROUTING chain rules
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 25 -j DNAT --to 192.168.1.2
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to 192.168.1.2

# (6) POSTROUTING chain rules
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Also forgot to point out that the IP masquerading was working fine and it is just the port forwarding I am having trouble with.

Have also discovered that port 25 is forwarding fine, as I'm receiving mail with no problems.

When I attempt to access a website on the web server using the IP address of eth0, the web server appears to connect but then times out without retrieving any data.

I have only been able to test this using the router/firewall computer and computers connected to the LAN; I haven't yet been able to test from a computer on the internet.

Will this make a difference? Any other suggestions?

Regards, TallSi

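The following is an added example, not code posted in this thread or taken from jlevie's rule set; it builds a gateway rule set for the configuration described above (eth0 external on DHCP, eth1 LAN 192.168.1.0/24, web and mail server at 192.168.1.2, the values from the question). Two points it is written around: packets that PREROUTING DNATs to 192.168.1.2 are routed, so they pass through the FORWARD chain rather than INPUT, which is where the published ports are opened, and only towards the DNAT target; and the posted rules' `INPUT -i eth0 --state NEW,ESTABLISHED,RELATED -j ACCEPT` admits every new connection to the gateway itself, which makes the per-port INPUT rules below it redundant and exposes any service listening on the router, so this version accepts only ESTABLISHED,RELATED from the outside. The `run_cmd`/`ipt` dry-run wrapper and the `IPT_DRY_RUN` variable are conventions of this example, not iptables features.

```shell
#!/bin/sh
# Added example, not code from the thread. Gateway rule set for: eth0 external (DHCP),
# eth1 LAN 192.168.1.0/24, web/mail server 192.168.1.2 (the thread's values; override
# with the variables below). IPT_DRY_RUN=1 (default) prints each command instead of
# running it, so the set can be reviewed without root; IPT_DRY_RUN=0 applies it.

EXT_IF="${EXT_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
SERVER="${SERVER:-192.168.1.2}"
FORWARDED_TCP_PORTS="${FORWARDED_TCP_PORTS:-80 25}"

# run_cmd is this example's dry-run wrapper (an assumption here, not part of iptables).
run_cmd() {
    if [ "${IPT_DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

ipt() { run_cmd iptables "$@"; }

gateway_rules() {
    # Routing between the two NICs must be on, or DNAT has nowhere to send packets.
    run_cmd sysctl -w net.ipv4.ip_forward=1

    # Clean slate, then default-deny everything the gateway receives or routes.
    ipt -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # INPUT: traffic addressed to the gateway itself. From the Internet only replies to
    # connections the gateway or the LAN opened are accepted; no NEW from eth0 at all.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT

    # FORWARD: traffic routed through the gateway. DNAT'd requests arrive here, not in
    # INPUT, so the published ports are opened here, and only towards the DNAT target.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -s "$LAN_NET" -j ACCEPT
    for port in $FORWARDED_TCP_PORTS; do
        ipt -A FORWARD -i "$EXT_IF" -o "$LAN_IF" -d "$SERVER" -p tcp --dport "$port" \
            -m conntrack --ctstate NEW -j ACCEPT
    done

    # NAT: rewrite the destination of published ports before routing, and hide the LAN
    # behind whatever address DHCP gave eth0 (MASQUERADE re-reads it, so a dynamic IP is fine).
    for port in $FORWARDED_TCP_PORTS; do
        ipt -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport "$port" \
            -j DNAT --to-destination "$SERVER"
    done
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
}

# Executed directly this previews the rules; run with IPT_DRY_RUN=0 as root to apply them.
gateway_rules
```

Run it once as-is to read the generated rules, then `IPT_DRY_RUN=0 sh gateway.sh` as root. Because every rule is emitted through one wrapper, the dry-run output is also a convenient artefact to keep beside the firewall script for review or diffing after changes.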
LVL 40

Expert Comment

by:jlevie
> I have only been able to test this using the router/firewall computer and computers connected to the LAN

An IPtables firewall won't allow you to use an inside machine to connect to the outside IP of the port forward. You can only test the web server from outside.

Since the SMTP port forward works and it is equivalent to the set up for the HTTP port I think you'll find that it will work also, at least as far as packets hitting the firewall and being forwarded to your web server. And as long as the windows box's web server will respond to requests from any IP everything should work.

Author Comment

by:tallsi2000
Cool, thanks.

I guess the next question is: can I make it so that internal machines can access the web server?

Such as editing their hosts files or using a DNS server.

Regards, Tall Si



LVL 4

Expert Comment

by:jonnietexas
Yes, create an "A" record for the web address for the IP on the DNS or in their hosts file.
LVL 40

Accepted Solution

by: jlevie (earned 250 total points)
I think what jonnietexas was trying to say is that you need to make it so that machines on the local LAN have access to data that equates the hostname of the web server to its private IP, rather than its public IP. One way of doing this is to create hosts file records on each machine, e.g.:

192.168.1.2       www.mydomain.com

Another is to run a private DNS server inside of the firewall that equates hostnames for the domain to private IPs. You can set that DNS up to forward queries to your ISP's name servers and reduce the load on your Internet link as a result of the caching in the local and the ISP's DNS servers.
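As an added example (not from the accepted answer or anyone in the thread), here is the hosts-file variant of the split-horizon approach above, done so that it can be re-run safely. The detail worth getting right is that the resolver takes the first line that matches a name, so simply appending `192.168.1.2 www.mydomain.com` to a hosts file that already lists the public address leaves the stale entry in force and the client still tries to go out through the firewall, which, as jlevie notes above, will not hairpin the connection back in. The hostname and private address are the thread's placeholder values; the file path is a parameter so the functions can be exercised on a scratch copy rather than /etc/hosts (on the Windows 2000 clients the file would be %SystemRoot%\system32\drivers\etc\hosts, which is an assumption about that client, not something the thread states).

```shell
#!/bin/sh
# Added example, not from the thread: idempotently point a published hostname at the
# server's private address in a hosts file (www.mydomain.com / 192.168.1.2 are the
# thread's placeholders). FILE is a parameter so this can be tried on a scratch copy.

# upsert_host FILE IP NAME: add or replace the entry for NAME in FILE.
# Every earlier line that lists NAME is dropped first; the resolver uses the first
# matching line, so appending alone would leave a stale public-address entry winning.
upsert_host() {
    file=$1; ip=$2; name=$3
    tmp="$file.tmp.$$"
    awk -v name="$name" '
        {
            line = $0; sub(/#.*/, "", line)      # ignore comments when matching
            cnt = split(line, f); keep = 1
            for (i = 2; i <= cnt; i++) if (f[i] == name) keep = 0
        }
        keep' "$file" > "$tmp" &&
    printf '%s\t%s\n' "$ip" "$name" >> "$tmp" &&
    mv "$tmp" "$file"
}

# resolve_host FILE NAME: print the address FILE gives NAME (first match wins),
# skipping comment lines and trailing "# ..." comments, as the resolver does.
resolve_host() {
    file=$1; name=$2
    awk -v name="$name" '
        { sub(/#.*/, "") }
        NF >= 2 { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }' "$file"
}

# Demo on a constructed scratch file (sample content, not a real hosts file):
# the public address is already present and must be superseded, not duplicated.
demo_hosts() {
    f=$(mktemp) || return 1
    printf '127.0.0.1\tlocalhost\n203.0.113.10\twww.mydomain.com # public address\n' > "$f"
    upsert_host "$f" 192.168.1.2 www.mydomain.com
    resolve_host "$f" www.mydomain.com   # prints 192.168.1.2
    rm -f "$f"
}

demo_hosts
```

For more than a handful of clients the private DNS server jlevie describes is the better fit, since the same correction is then made once, centrally; the hosts-file route is fine for a couple of machines but has to be repeated on each of them whenever the server's address changes.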
LVL 4

Expert Comment

by:jonnietexas
yep, that's what I said ;)