Port Forwarding Problem

Julian Labuschagne personxx at wan4u.co.za
Fri Apr 15 13:23:31 CEST 2005


Samuel Díaz García wrote:

> Without having a look into your scripts, I think you need:
> 1) Allow INPUT into filter table to the port.
> 2) Allow FORWARD into filter table to the redirected connection.
> Good luck.
>
Line 56: $IPTABLES -A INPUT -i $INET_IFACE -p tcp --dport 800 -j ACCEPT
Line 57: $IPTABLES -A INPUT -i $INET_IFACE -p udp --dport 800 -j ACCEPT
Line 58:
Line 59: # Forward Chain
Line 60: $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
Line 61: $IPTABLES -A FORWARD -o $LAN_IFACE -j ACCEPT

Line 85: $IPTABLES -A PREROUTING -t nat -p tcp -d $INET_IP --dport 800 -j DNAT --to 192.168.1.5:800
Line 86: $IPTABLES -A PREROUTING -t nat -p udp -d $INET_IP --dport 800 -j DNAT --to 192.168.1.5:800

These are a few lines from the attached firewall.
I think you may be referring to these lines of the firewall script.

On Lines 56,57 I allow connections to my gateway on port 800.
On Lines 60,61 I allow all connections in the forwarding chain.
And on Lines 85,86 are the port forwarding rules.

Kind Regards Julian.

-------------- next part --------------
#!/bin/bash

# Set path to iptables binary
IPTABLES=/usr/sbin/iptables

#
# Loopback IP and Interface
#
LO_IFACE="lo"
LO_IP="127.0.0.1"

#
# Internet IP and Interface
#
INET_IP=`/sbin/ifconfig ppp0 | grep "inet addr" | cut -d: -f2 | cut -d ' ' -f1`
INET_IFACE="ppp0"

#
# LAN Range, IP Address and Interface
#
LAN_IP="192.168.1.1"
LAN_IP_RANGE="192.168.1.0/24"
LAN_BCAST_ADDRESS="192.168.1.255"
LAN_IFACE="eth0"

# 
# Set default policies
#
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# Flush Chains
#
$IPTABLES -F
$IPTABLES -t nat -F

#
# Allow loopback interface
#
$IPTABLES -A INPUT -i $LO_IFACE -j ACCEPT
$IPTABLES -A OUTPUT -o $LO_IFACE -j ACCEPT

# Output Chain
$IPTABLES -A OUTPUT -o $INET_IFACE -p tcp --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -o $INET_IFACE -p udp --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -o $INET_IFACE -p tcp --dport 25 -j ACCEPT
$IPTABLES -A OUTPUT -o $INET_IFACE -p tcp --dport 80 -j ACCEPT
$IPTABLES -A OUTPUT -o $INET_IFACE -p tcp --dport 110 -j ACCEPT

# Input Chain
$IPTABLES -A INPUT -i $INET_IFACE -p tcp -m state --state established,related -j ACCEPT
$IPTABLES -A INPUT -i $INET_IFACE -p udp -m state --state established,related -j ACCEPT

$IPTABLES -A INPUT -i $INET_IFACE -p tcp --dport 800 -j ACCEPT
$IPTABLES -A INPUT -i $INET_IFACE -p udp --dport 800 -j ACCEPT

# Forward Chain
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -o $LAN_IFACE -j ACCEPT

#
# Allow ICMP
#
$IPTABLES -A OUTPUT -o $INET_IFACE -p icmp -j ACCEPT
$IPTABLES -A INPUT -i $INET_IFACE -p icmp -j ACCEPT

#
# Users allowed internet access
#
$IPTABLES -A INPUT -i $LAN_IFACE -s 192.168.1.143 -j ACCEPT
$IPTABLES -A OUTPUT -o $LAN_IFACE -d 192.168.1.143 -j ACCEPT

$IPTABLES -A INPUT -i $LAN_IFACE -s 192.168.1.5 -j ACCEPT
$IPTABLES -A OUTPUT -o $LAN_IFACE -d 192.168.1.5 -j ACCEPT

$IPTABLES -A INPUT -i $LAN_IFACE -s 192.168.1.8 -j ACCEPT
$IPTABLES -A OUTPUT -o $LAN_IFACE -d 192.168.1.8 -j ACCEPT


#
# Add port forwarding rule
#
$IPTABLES -A PREROUTING -t nat -p tcp -d $INET_IP --dport 800 -j DNAT --to 192.168.1.5:800
$IPTABLES -A PREROUTING -t nat -p udp -d $INET_IP --dport 800 -j DNAT --to 192.168.1.5:800

#
# Masquerade LAN users (Internet Sharing)
#
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
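As an added example (not part of Julian's attached script or of the list reply), the same port forward written with a FORWARD chain restricted to the DNATed host and port plus connection tracking, and a dry-run mode so the rules can be reviewed before being loaded. It takes ppp0, eth0 and 192.168.1.5:800 from the post; the public address 203.0.113.10, the DRY_RUN variable and the function names are assumptions.

```shell
#!/bin/sh
# Added example: stateful port forward for one TCP/UDP port.
# Assumed values: ppp0 = Internet interface, eth0 = LAN interface,
# 192.168.1.5:800 = internal server (all from the post); 203.0.113.10
# is a constructed public address. DRY_RUN=1 (default) prints the
# iptables commands instead of executing them, so no root is needed.

INET_IFACE="ppp0"
LAN_IFACE="eth0"
FWD_HOST="192.168.1.5"
FWD_PORT="800"
PUBLIC_IP="203.0.113.10"
DRY_RUN="${DRY_RUN:-1}"

# Print or execute one iptables command, depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        /usr/sbin/iptables "$@"
    fi
}

# Emit the rules that forward FWD_PORT on the public IP ($1) to FWD_HOST.
port_forward_rules() {
    inet_ip="$1"
    for proto in tcp udp; do
        # 1) Rewrite the destination before routing (nat/PREROUTING).
        ipt -t nat -A PREROUTING -i "$INET_IFACE" -p "$proto" -d "$inet_ip" \
            --dport "$FWD_PORT" -j DNAT --to-destination "$FWD_HOST:$FWD_PORT"
        # 2) FORWARD sees the post-DNAT destination, so accept only new
        #    connections to exactly that host and port from the Internet side.
        ipt -A FORWARD -i "$INET_IFACE" -o "$LAN_IFACE" -p "$proto" \
            -d "$FWD_HOST" --dport "$FWD_PORT" -m state --state NEW -j ACCEPT
    done
    # 3) Replies and related packets for any accepted forwarded flow.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # No INPUT rule for port 800 is needed: DNATed packets are routed to
    # the LAN host and never traverse the gateway's own INPUT chain.
}

# Forwarded packets are silently dropped unless the kernel forwards IP;
# the attached script does not enable it, so verify it before blaming rules.
check_ip_forward() {
    [ -r /proc/sys/net/ipv4/ip_forward ] &&
        [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "1" ]
}

port_forward_rules "$PUBLIC_IP"
```

Run with DRY_RUN=0 as root to load the rules for real; check_ip_forward returns 0 only when forwarding is already enabled.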

