tallsi2000 asked:
How to IP Masquerade and Port Forward with a Dynamic IP using Iptables

Hi

I feel I should know the answer to this question from reading a number of tutorials and how-tos; however, no matter how many different ways I try to beat up iptables I can't seem to make it work, so it's time to bow out and ask an expert (also thought it would be useful for others).

This is my setup:

I have one Linux (Fedora Core 2) box set up to act as router/firewall with two NICs:
    one external, connected to a cable modem using DHCP - eth0
    one internal, connected to a LAN and assigned 192.168.1.1 - eth1

On the LAN I have a Windows (2K) box set up acting as a web server; it is assigned 192.168.1.2.

The web server has been thoroughly tested and is working fine, so no probs there.

I wish to share the internet connection with the machines on the LAN (IP masquerading), which, if I am correct, is achieved using

             iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

And I wish to port forward all HTTP requests to the web server, which I believe is done using

            iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to 192.168.1.2


I have tried this as above, but to no avail.

IP forwarding has been enabled in /etc/sysctl.conf.

Any help would be appreciated.


jlevie

> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

That is correct for a Dynamic outside IP.

> iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to 192.168.1.2

And that is correct also. I don't know what your default INPUT stance is, but if it is DENY you'll also need a rule to allow the inbound HTTP request, like:

iptables -A INPUT -i eth0 -d 0/0 -p tcp --dport 80 -j ACCEPT

If your clients have outward connectivity things are set up correctly and adding the INPUT rule for HTTP traffic should make things work.

FYI: The iptables rule set that I use can be seen at http://www.entrophy-free.net/tools/iptables-gw. It is probably a bit more complete than what you are currently using and should give you some ideas.
tallsi2000 (asker)

Thanks jlevie.

These are the rules that I am using:

# (1) Policies (default)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# (2) INPUT chain rules

# Rules for incoming packets from LAN
iptables -A INPUT -p ALL -i eth1 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p ALL -i lo -j ACCEPT
iptables -A INPUT -p ALL -i eth1 -s 192.168.1.255 -j ACCEPT


# Rules for incoming packets from the Internet

# Packets for established connections (NEW removed from the state list: accepting
# NEW from eth0 would open every port and make the INPUT DROP policy meaningless)
iptables -A INPUT -p ALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

#TCP rules

iptables -A INPUT -i eth0 -d 0/0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -d 0/0 -p tcp --dport 25 -j ACCEPT

#UDP rules


#ICMP rules


# (3) FORWARD chain rules
# Accept the packets we want to forward
# (note: the second rule forwards anything arriving on eth0 into the LAN;
#  a tighter version would accept only ESTABLISHED,RELATED plus the DNAT'd ports)
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -i eth0 -j ACCEPT

# (4) OUTPUT chain rules
# Only output packets with local addresses (no spoofing)
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 192.168.1.1 -j ACCEPT
iptables -A OUTPUT -p ALL -o eth0 -j ACCEPT

# (5) PREROUTING chain rules
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 25 -j DNAT --to 192.168.1.2
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to 192.168.1.2

# (6) POSTROUTING chain rules
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Also forgot to point out that the IP masquerading was working fine and it is just the port forwarding I am having trouble with.

Have also discovered that port 25 is forwarding fine, as I'm receiving mail with no problems.

When I attempt to access a website on the web server using the IP address of eth0, the web server appears to connect but then times out without retrieving any data.

I have only been able to test this using the router/firewall computer and computers connected to the LAN; I haven't yet been able to test from a computer on the internet.

Will this make a difference? Any other suggestions?

Regards, TallSi

> I have only been able to test this using the router/firewall computer and computers connected to the LAN

An iptables firewall won't allow you to use an inside machine to connect to the outside IP of the port forward. You can only test the web server from outside.

Since the SMTP port forward works and it is equivalent to the setup for the HTTP port, I think you'll find that it will work also, at least as far as packets hitting the firewall and being forwarded to your web server. And as long as the Windows box's web server will respond to requests from any IP, everything should work.
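The rule set discussed in this thread, rebuilt as an added example (this is not the asker's script, nor jlevie's, nor the one linked above). It keeps the thread's interface names and addresses (eth0, eth1, 192.168.1.0/24, 192.168.1.2), the MASQUERADE and DNAT rules, and the INPUT rule jlevie suggested, but restricts what is forwarded in from eth0 to established connections and the DNAT'd ports instead of accepting everything, and leaves OUTPUT at ACCEPT rather than the asker's source-address rules. Without the word "apply" as its argument the script only prints the rules, so they can be reviewed before being applied as root on the Linux box; the variable names and helper functions are my own.

```shell
#!/bin/sh
# Added example, not code from the original thread: emit (or apply) an iptables
# rule set for a two-NIC masquerading router with DNAT'd services.

EXT_IF="${EXT_IF:-eth0}"            # cable modem side, dynamic IP (thread's setup)
INT_IF="${INT_IF:-eth1}"            # LAN side
LAN_NET="${LAN_NET:-192.168.1.0/24}"
WEB_HOST="${WEB_HOST:-192.168.1.2}" # Windows box receiving the forwarded ports
FWD_PORTS="${FWD_PORTS:-80 25}"     # TCP ports forwarded to WEB_HOST

# gen_rules prints one iptables command per line; "gen_rules | sh" applies them.
gen_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $INT_IF -s $LAN_NET -j ACCEPT
iptables -A INPUT -i $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $LAN_NET -j ACCEPT
EOF
    for p in $FWD_PORTS; do
        # Inbound NEW connections are forwarded only to the DNAT'd host and port,
        # so the rest of the LAN stays unreachable from the outside.
        echo "iptables -A FORWARD -i $EXT_IF -o $INT_IF -d $WEB_HOST -p tcp --dport $p -m state --state NEW -j ACCEPT"
        # DNAT happens in PREROUTING, before the FORWARD decision is made.
        echo "iptables -t nat -A PREROUTING -i $EXT_IF -p tcp --dport $p -j DNAT --to-destination $WEB_HOST"
    done
    # MASQUERADE picks up whatever address DHCP gave EXT_IF, hence no fixed SNAT address.
    echo "iptables -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE"
}

# count_rules_for PORT: number of generated rules that mention --dport PORT
# (one FORWARD accept plus one DNAT is expected per forwarded port).
count_rules_for() {
    gen_rules | grep -c -- "--dport $1"
}

# forwarding_enabled [path]: succeeds when the kernel's ip_forward flag is 1,
# the same setting the thread enables through sysctl.conf.
forwarding_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

case "${1:-}" in
    apply) gen_rules | sh ;;    # requires root
    *)     gen_rules ;;         # dry run: print the rules only
esac
```

As jlevie notes, the forward can only be exercised from a host outside eth0: a LAN client connecting to the external address never traverses PREROUTING on eth0, so the DNAT rule never matches for it.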
Cool, thanks.

I guess the next question is: can I make it so that internal machines can access the web server?

Such as editing their hosts files or using a DNS server.

Regards, Tall Si



Yes, create an "A" record for the web address for the IP on the DNS or in their hosts file.
jlevie (asker certified solution)
yep, that's what I said ;)