Port Forwarding Problem
Julian Labuschagne
personxx at wan4u.co.za
Fri Apr 15 12:36:37 CEST 2005
Hi everyone, I'm a bit new to iptables, so please bear with me on this one ;)
I wrote a small firewall that basically NATs users through my gateway
machine, only allowing certain hosts on my network Web, DNS and Mail access.
This section works fine.
But I also want to port forward any connections from outside to port 800
to a host running inside my LAN.
I added a rule in the PREROUTING table to do this.
But it seems that no connection gets forwarded.
If I set my default policies to ACCEPT and add the PREROUTING rule it
actually does the port forwarding correctly.
I attached a copy of the firewall I wrote with this message.
Please can someone have a look through it for me, because I'm sure I'm just
missing something.
Kind regards, Julian.
-------------- next part --------------
#!/bin/bash
# Set path to iptables binary
IPTABLES=/usr/sbin/iptables
#
# Loopback IP and Interface
#
LO_IFACE="lo"
LO_IP="127.0.0.1"
#
# Internet IP and Interface
#
INET_IFACE="ppp0"
INET_IP=$(/sbin/ifconfig "$INET_IFACE" | grep "inet addr" | cut -d: -f2 | cut -d ' ' -f1)
# If ppp0 is down this is empty and every rule that uses -d/--to-source $INET_IP fails to load
if [ -z "$INET_IP" ]; then
    echo "Could not determine the address of $INET_IFACE" >&2
    exit 1
fi
#
# LAN Range, IP Address and Interface
#
LAN_IP="192.168.1.1"
LAN_IP_RANGE="192.168.1.0/24"
LAN_BCAST_ADDRESS="192.168.1.255"
LAN_IFACE="eth0"
#
# Routing between interfaces must be on, or FORWARD and the nat table never see a packet
#
echo 1 > /proc/sys/net/ipv4/ip_forward
#
# Set default policies (flushing below does not reset these)
#
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
#
# Flush Chains in the filter and nat tables, and drop any user-defined chains
#
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
#
# Allow loopback interface
#
$IPTABLES -A INPUT -i $LO_IFACE -j ACCEPT
$IPTABLES -A OUTPUT -o $LO_IFACE -j ACCEPT
# Output Chain: traffic originating on the gateway itself
$IPTABLES -A OUTPUT -o $INET_IFACE -p tcp --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -o $INET_IFACE -p udp --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -o $INET_IFACE -p tcp --dport 25 -j ACCEPT
$IPTABLES -A OUTPUT -o $INET_IFACE -p tcp --dport 80 -j ACCEPT
$IPTABLES -A OUTPUT -o $INET_IFACE -p tcp --dport 110 -j ACCEPT
$IPTABLES -A OUTPUT -o $INET_IFACE -p tcp --dport 110 -j ACCEPT
# Input Chain: traffic addressed to the gateway itself
$IPTABLES -A INPUT -i $INET_IFACE -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $INET_IFACE -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Port 800 on the gateway itself. This does not affect the DNAT rule below:
# a packet whose destination has been rewritten is routed through FORWARD, not INPUT.
$IPTABLES -A INPUT -i $INET_IFACE -p tcp --dport 800 -j ACCEPT
$IPTABLES -A INPUT -i $INET_IFACE -p udp --dport 800 -j ACCEPT
# Forward Chain: traffic routed through the gateway. These match any host on the
# LAN side; the per-host INPUT/OUTPUT rules further down apply only to traffic
# terminating at or originating from the gateway itself.
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -o $LAN_IFACE -j ACCEPT
#
# Allow ICMP
#
$IPTABLES -A OUTPUT -o $INET_IFACE -p icmp -j ACCEPT
$IPTABLES -A INPUT -i $INET_IFACE -p icmp -j ACCEPT
#
# Users allowed internet access
#
$IPTABLES -A INPUT -i $LAN_IFACE -s 192.168.1.143 -j ACCEPT
$IPTABLES -A OUTPUT -o $LAN_IFACE -d 192.168.1.143 -j ACCEPT
$IPTABLES -A INPUT -i $LAN_IFACE -s 192.168.1.5 -j ACCEPT
$IPTABLES -A OUTPUT -o $LAN_IFACE -d 192.168.1.5 -j ACCEPT
$IPTABLES -A INPUT -i $LAN_IFACE -s 192.168.1.8 -j ACCEPT
$IPTABLES -A OUTPUT -o $LAN_IFACE -d 192.168.1.8 -j ACCEPT
#
# Add port forwarding rule (PREROUTING chain of the nat table): the destination
# is rewritten before the routing decision, so the packet is then forwarded to the LAN host
#
$IPTABLES -t nat -A PREROUTING -p tcp -d $INET_IP --dport 800 -j DNAT --to-destination 192.168.1.5:800
$IPTABLES -t nat -A PREROUTING -p udp -d $INET_IP --dport 800 -j DNAT --to-destination 192.168.1.5:800
#
# Masquerade LAN users (Internet Sharing)
#
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
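Added example, not part of the original message or its attachment: the usual way to publish one port through an iptables gateway is a DNAT rule in the nat table's PREROUTING chain paired with an explicit accept in the filter table's FORWARD chain. After DNAT the packet's destination is already the LAN host, and it traverses FORWARD, never INPUT, so the FORWARD rule has to match on the internal address. The script below emits that pair as a complete iptables-restore ruleset and includes a check that reads any ruleset in iptables-save format and reports DNAT targets that have no matching FORWARD ACCEPT. The public address 203.0.113.10 (RFC 5737 documentation range), the interface names, the server address and the host list are assumed placeholders standing in for the poster's values.

```shell
#!/bin/sh
# Added example (not from the original post): publish TCP/UDP port 800 on a
# NAT gateway. Every address and interface name here is an assumed placeholder.
WAN_IF="ppp0"
LAN_IF="eth0"
WAN_IP="203.0.113.10"
SERVER="192.168.1.5"
PORT="800"
ALLOWED_HOSTS="192.168.1.143 192.168.1.5 192.168.1.8"

# Emit a complete iptables-restore ruleset on stdout.
pf_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Rewrite the destination before routing; the packet then goes through FORWARD
-A PREROUTING -i $WAN_IF -d $WAN_IP -p tcp --dport $PORT -j DNAT --to-destination $SERVER:$PORT
-A PREROUTING -i $WAN_IF -d $WAN_IP -p udp --dport $PORT -j DNAT --to-destination $SERVER:$PORT
-A POSTROUTING -o $WAN_IF -j SNAT --to-source $WAN_IP
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# FORWARD sees the DNATed destination, so match on the LAN host, not on $WAN_IP
-A FORWARD -i $WAN_IF -o $LAN_IF -d $SERVER -p tcp --dport $PORT -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -d $SERVER -p udp --dport $PORT -m conntrack --ctstate NEW -j ACCEPT
EOF
    # Which LAN hosts may use the NAT is decided here in FORWARD, one rule per host
    for h in $ALLOWED_HOSTS; do
        printf '%s -i %s -o %s -s %s -j ACCEPT\n' '-A FORWARD' "$LAN_IF" "$WAN_IF" "$h"
    done
    echo COMMIT
}

# Read a ruleset (iptables-save format) on stdin. For every DNAT rule, require
# a FORWARD ACCEPT naming the same protocol, target address and target port.
# Prints each missing pair and returns 1 if any are missing, 0 otherwise.
dnat_forward_check() {
    awk '
    /^-A PREROUTING/ && /-j DNAT/ {
        proto = ""; dst = ""; dport = ""
        for (i = 1; i < NF; i++) {
            if ($i == "-p") proto = $(i+1)
            if ($i == "--dport") dport = $(i+1)
            if ($i == "--to-destination") dst = $(i+1)
        }
        n = split(dst, a, ":")
        port = (n > 1) ? a[2] : dport   # no port in the target keeps the original port
        need[proto " " a[1] " " port] = 1
    }
    /^-A FORWARD/ && /-j ACCEPT/ {
        proto = ""; ip = ""; port = ""
        for (i = 1; i < NF; i++) {
            if ($i == "-p") proto = $(i+1)
            if ($i == "-d") ip = $(i+1)
            if ($i == "--dport") port = $(i+1)
        }
        if (proto != "" && ip != "" && port != "") have[proto " " ip " " port] = 1
    }
    END {
        missing = 0
        for (k in need) if (!(k in have)) {
            print "no FORWARD ACCEPT for DNAT target " k
            missing = 1
        }
        exit missing
    }'
}

case "${1:-}" in
    apply) pf_ruleset | iptables-restore ;;   # root only; loads the whole set atomically
    check) dnat_forward_check ;;              # usage: iptables-save | ./pf.sh check
    *)     pf_ruleset ;;                      # default: print the ruleset for review
esac
```

The check is deliberately strict: it only credits a FORWARD rule that names the protocol, internal address and port, so a blanket `-A FORWARD -o eth0 -j ACCEPT` is reported as missing even though it would pass the traffic. Running `iptables-save | ./pf.sh check` against a live gateway is a quick way to confirm that every published port has an explicit, auditable forward rule behind it.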
More information about the netfilter mailing list