Port Forwarding Problem
opie at 817west.com
Fri Apr 15 16:40:38 CEST 2005
On Fri, Apr 15, 2005 at 10:40:39AM +0200, Samuel Díaz García wrote:
> Without having a look into your scripts, I think you need:
> 1) Allow INPUT into filter table to the port.
> 2) Allow FORWARD into filter table to the redirected connection.
That's not exactly sage advice. In a port-forwarding situation, all
you need is the nat PREROUTING DNAT rule and a filter FORWARD rule.
Since the destination IP is translated "prerouting", the translated
packet will never traverse the filter INPUT chain.
Three-line guide to "port-forwarding":
# 1. rewrite the destination before routing: the packet is then routed
#    to $INSIDE_HOST instead of to the firewall itself
iptables -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 800 \
-j DNAT --to-destination $INSIDE_HOST
# 2. let reply/related traffic of tracked connections through
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# 3. admit only the initial SYN from outside to the translated address/port
iptables -A FORWARD -i $EXT_IF -p tcp --syn \
-d $INSIDE_HOST --dport 800 -j ACCEPT
"Brian: She's a whiney little runt isn't she?
Brian: What? I said runt."
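A complete script built around those three rules, added here as an example and not part of the original message. It also covers the two things the three lines assume: that IP forwarding is switched on and that the FORWARD chain is otherwise closed. Interface names, the inside address, the external address and the port are placeholders; set RUN to the empty string and run as root to apply the rules instead of printing them.

```shell
#!/bin/sh
# Added example: DNAT port forwarding with iptables, not code from the
# original post. RUN defaults to "echo" so the commands are printed for
# review; RUN= applies them for real (requires root and netfilter).
RUN="${RUN-echo}"

# Assumed layout (placeholders, not from the original message):
EXT_IF="${EXT_IF:-eth0}"                 # interface facing the Internet
INT_IF="${INT_IF:-eth1}"                 # interface facing the LAN
EXT_IP="${EXT_IP:-203.0.113.1}"          # the firewall's public address
INSIDE_HOST="${INSIDE_HOST:-192.168.1.10}"
PORT="${PORT:-800}"

# The kernel must route between interfaces; without this the DNATed
# packet is discarded before it ever reaches the FORWARD chain.
enable_forwarding() {
    $RUN sysctl -w net.ipv4.ip_forward=1
}

# Default-deny forwarding, so only the explicit rule below admits new flows.
lock_down_forward() {
    $RUN iptables -P FORWARD DROP
}

# The three rules from the reply above, in the order they must be added:
# 1. nat/PREROUTING: rewrite the destination before routing, so the packet
#    is routed towards INSIDE_HOST and never traverses filter/INPUT.
# 2. filter/FORWARD: allow reply and related traffic of tracked connections.
# 3. filter/FORWARD: allow only the new SYN from the outside to the
#    already-translated destination and port.
port_forward() {
    $RUN iptables -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport "$PORT" \
        -j DNAT --to-destination "$INSIDE_HOST"
    $RUN iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $RUN iptables -A FORWARD -i "$EXT_IF" -p tcp --syn \
        -d "$INSIDE_HOST" --dport "$PORT" -j ACCEPT
}

# Optional caveat that the three rules do not cover: a client on the LAN
# that connects to EXT_IP:PORT. Its packet arrives on INT_IF, so rule 1
# does not match, and even if it were DNATed the inside host would answer
# the LAN client directly, bypassing the translation. Translate on INT_IF
# as well and masquerade so the reply goes back through the firewall.
hairpin_nat() {
    $RUN iptables -t nat -A PREROUTING -i "$INT_IF" -p tcp -d "$EXT_IP" \
        --dport "$PORT" -j DNAT --to-destination "$INSIDE_HOST"
    $RUN iptables -t nat -A POSTROUTING -o "$INT_IF" -p tcp \
        -d "$INSIDE_HOST" --dport "$PORT" -j MASQUERADE
}

# Apply everything when run as a script (functions stay callable when sourced).
if [ "${0##*/}" != "sh" ] && [ -z "${SOURCED:-}" ]; then
    enable_forwarding
    lock_down_forward
    port_forward
fi
```

With RUN left at its default the script only prints the iptables and sysctl commands, which is the form you want to eyeball before committing a rule set to a remote box; note that nothing here touches INPUT, because the DNATed packet is never addressed to the firewall itself.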