[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Port Forwarding & iptables



I was able to solve my problem using SNAT in postrouting. Giving little detail I wrote:

I've installed valhalla on a pc to act as a firewall with NAT and port
forwarding. The masqurading works but not the forwarding. I've located
numerous scripts and am now purusing the iptable tutorial from
frozentux.net but am asking for your help. These two lines aren't making
it, any ideas?

$IPTABLES -t nat -A PREROUTING -p tcp -d $EXTIP --dport 80 -j DNAT
--to-destination $PORTFWIP

$IPTABLES -A FORWARD -o $INTIF -p tcp -d $PORTFWIP --dport 80 -m state
--state NEW,RELATED,ESTABLISHED -j ACCEPT


iptables -L shows:

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             10.10.1.3          tcp dpt:http
state NEW,RELATED,ESTABLISHED

I want to forward http packets through the firewall to an internal web server.


Among other things I neglected to include was that the output of /proc/net/ip_conntrack showed the packet was received and forwarded but left unreplied. The lan in question has two gateways to the internet (we're in the process of switching) and I'm guessing replied packets used the existing ISDN gateway, not this (new) one. Internal Novell 5.0 servers, I have no idea how they know where the gateways are (and neither do they!) is this from using RIP?

I observed in ip_conntrack that the packets read source=client_ip dest=firewall-inet_ip forwarded as source=client_ip dest=internalwww_ip. I believe that in replying to client_ip that the packets weren't sent back to firewall-lan_ip but routed to the existing ISDN Ascend router.

I used SNAT in postrouting rewriting the forwarded packet source ip to read firewall-lan_ip, not the client_ip. Something like

$IPTABLES -t nat -A POSTROUTING -p tcp --dport 80 -j SNAT
--to-source $PORTFWIP

Now packets read in ip_conntrack like source=client_ip dest=firewall-inet_ip forwarded as source=firewall-lan_ip dest=internalwww_ip. The webserver replies to the internal firewall address which is forwarded back to the client_ip. None of this source is from the working ruleset but hopefully illustrates the point. 3 lines needed here; DNAT in prerouting, Forward, and SNAT in postrouting.

My thanks to the iptables tutorial at frozentux.net and it's author Oskar, still not an easy read but the best I've seen so far.

bill






[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]