Port Forwarding Problem

Julian Labuschagne personxx at wan4u.co.za
Fri Apr 15 12:36:37 CEST 2005


Hi everyone, I'm a bit new to iptables so please bear with me on this one ;)

I wrote a small firewall that basically NATs users through my gateway
machine, only allowing certain hosts on my network Web, DNS and Mail access.

This section works fine.

But I also want to port forward any connections from outside to port 800
to a host running inside my LAN.
I added a rule in the PREROUTING table to do this.

But it seems that no connection gets forwarded.

If I set my default policies to ACCEPT and add the PREROUTING rule it
actually does the port forwarding correctly.

I attached a copy of the firewall I wrote with this message.

Please can someone have a look through it for me, because I'm sure I'm just
missing something.

Kind Regards, Julian.



-------------- next part --------------
#!/bin/bash

# Set path to iptables binary
IPTABLES=/usr/sbin/iptables

#
# Loopback IP and Interface
#
LO_IFACE="lo"
LO_IP="127.0.0.1"

#
# Internet IP and Interface
#
# Note: INET_IP is empty if ppp0 is not up when the script runs, and the
# DNAT rules below would then fail to load.
INET_IP=$(/sbin/ifconfig ppp0 | grep "inet addr" | cut -d: -f2 | cut -d ' ' -f1)
INET_IFACE="ppp0"

#
# LAN Range, IP Address and Interface
#
LAN_IP="192.168.1.1"
LAN_IP_RANGE="192.168.1.0/24"
LAN_BCAST_ADRESS="192.168.1.255"
LAN_IFACE="eth0"

# 
# Set default policies
#
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# Flush Chains
#
$IPTABLES -F
$IPTABLES -t nat -F

#
# Allow loopback interface
#
$IPTABLES -A INPUT -i $LO_IFACE -j ACCEPT
$IPTABLES -A OUTPUT -o $LO_IFACE -j ACCEPT

# Output Chain
$IPTABLES -A OUTPUT -o $INET_IFACE -p tcp --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -o $INET_IFACE -p udp --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -o $INET_IFACE -p tcp --dport 25 -j ACCEPT
$IPTABLES -A OUTPUT -o $INET_IFACE -p tcp --dport 80 -j ACCEPT
$IPTABLES -A OUTPUT -o $INET_IFACE -p tcp --dport 110 -j ACCEPT

# Input Chain
$IPTABLES -A INPUT -i $INET_IFACE -p tcp -m state --state established,related -j ACCEPT
$IPTABLES -A INPUT -i $INET_IFACE -p udp -m state --state established,related -j ACCEPT

$IPTABLES -A INPUT -i $INET_IFACE -p tcp --dport 800 -j ACCEPT
$IPTABLES -A INPUT -i $INET_IFACE -p udp --dport 800 -j ACCEPT

# Forward Chain
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -o $LAN_IFACE -j ACCEPT

#
# Allow ICMP
#
$IPTABLES -A OUTPUT -o $INET_IFACE -p icmp -j ACCEPT
$IPTABLES -A INPUT -i $INET_IFACE -p icmp -j ACCEPT

#
# Users allowed internet access
#
$IPTABLES -A INPUT -i $LAN_IFACE -s 192.168.1.143 -j ACCEPT
$IPTABLES -A OUTPUT -o $LAN_IFACE -d 192.168.1.143 -j ACCEPT

$IPTABLES -A INPUT -i $LAN_IFACE -s 192.168.1.5 -j ACCEPT
$IPTABLES -A OUTPUT -o $LAN_IFACE -d 192.168.1.5 -j ACCEPT

$IPTABLES -A INPUT -i $LAN_IFACE -s 192.168.1.8 -j ACCEPT
$IPTABLES -A OUTPUT -o $LAN_IFACE -d 192.168.1.8 -j ACCEPT


#
# Add port forwarding rule
#
$IPTABLES -A PREROUTING -t nat -p tcp -d $INET_IP --dport 800 -j DNAT --to 192.168.1.5:800
$IPTABLES -A PREROUTING -t nat -p udp -d $INET_IP --dport 800 -j DNAT --to 192.168.1.5:800

#
# Masquerade LAN users (Internet Sharing)
#
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

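The following is an added example and is not part of Julian's post or his attached script. It shows the minimal rule set for the same topology (ppp0 toward the Internet, eth0 toward the LAN, 192.168.1.5:800 as the forwarded host) with the FORWARD chain made explicit and stateful: a DNAT'd packet is routed through FORWARD, not INPUT, so it is the FORWARD rules, not the INPUT rules for port 800, that decide whether the redirected connection gets through. The public address 203.0.113.10 is a documentation placeholder, and `IPTABLES` defaults to `echo iptables` so the script prints the rules as a dry run instead of applying them; set it to the real binary path to load them.

```shell
#!/bin/sh
# Added example (not from the original post): stateful DNAT port forward.
# Topology values follow the post; INET_IP is a placeholder documentation
# address because the real one is computed from ppp0 at runtime.
INET_IFACE="${INET_IFACE:-ppp0}"
LAN_IFACE="${LAN_IFACE:-eth0}"
INET_IP="${INET_IP:-203.0.113.10}"
FWD_HOST="${FWD_HOST:-192.168.1.5}"
FWD_PORT="${FWD_PORT:-800}"
# Dry run by default: "echo iptables" prints each rule instead of loading it.
IPTABLES="${IPTABLES:-echo iptables}"

# Emit (or apply) the rules for one published TCP port.
# The redirected packet takes the path PREROUTING(nat) -> routing -> FORWARD,
# so FORWARD must accept the NEW connection to the LAN host and the replies
# for it; INPUT never sees this traffic.
port_forward_rules() {
    # Rewrite the destination before the routing decision, only for the
    # published port and only on the Internet-facing interface.
    $IPTABLES -t nat -A PREROUTING -i "$INET_IFACE" -p tcp -d "$INET_IP" \
        --dport "$FWD_PORT" -j DNAT --to-destination "$FWD_HOST:$FWD_PORT"
    # Let the new connection through FORWARD, but only toward that one
    # host and port, not to the whole LAN.
    $IPTABLES -A FORWARD -i "$INET_IFACE" -o "$LAN_IFACE" -p tcp -d "$FWD_HOST" \
        --dport "$FWD_PORT" -m state --state NEW -j ACCEPT
    # Replies and related packets for every accepted flow, both directions.
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Rate-limited logging of whatever FORWARD is about to drop, so a
    # missing rule shows up in the kernel log instead of as a silent hang.
    $IPTABLES -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

# Number of rules the function installs; a quick sanity check for the dry run.
rule_count() {
    port_forward_rules | wc -l | tr -d ' '
}

# Running the file directly prints (or applies) the rule set.
port_forward_rules
```

When the rules are loaded for real, `iptables -t nat -L PREROUTING -n -v` and `iptables -L FORWARD -n -v` show per-rule packet counters; a DNAT counter that increases while the FORWARD ACCEPT counter stays at zero points at the FORWARD chain, and the `FWD-DROP:` prefix in the kernel log shows exactly which packet was refused. Forwarding also needs `net.ipv4.ip_forward` set to 1, which the rules above do not touch.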

More information about the netfilter mailing list