[sclug] iptables and port forwarding

lug at assursys.co.uk
Sat Oct 25 09:05:46 UTC 2003


On Fri, 4 Jul 2003, Patrick Kirk wrote:

> Hi all,
> 
> I am trying to run emule behind a firewall and finding it a bit of a 
> pain.  Basically I need tcp port 4661 4662 and udp 4665 to appear to be 
> on my firewalled machine.

Something like this should work:

> What I've come up with is this:
> 
> # Define system variables
> PATH=/sbin:$PATH; export PATH
> IPTABLES=/sbin/iptables
> DEPMOD=/sbin/depmod
> MODPROBE=/sbin/modprobe
> hostname=enterprise
> any="0.0.0.0/0.0.0.0"
> 
> # Define connection variables
> 
> EXTIF="ppp0"
> INTIF="eth0"
> # Find the external address, the default gateway and the LAN address/netmask
> EXTIP="`ifconfig $EXTIF | grep inet | cut -d':' -f 2 | cut -f1 -d' '`"
> # only the UG (default) route line itself, otherwise EXTGW may pick up more than one address
> EXTGW="`route -n | grep UG | awk '{ print $2}'`"
> INTIP="`ifconfig $INTIF | grep inet | cut -d':' -f 2 | cut -f1 -d' '`"
> INTMASK="`ifconfig $INTIF | grep Mask | cut -d : -f 4`"
> INTLAN=$INTIP'/'$INTMASK
> # Show it works just in case I run it interactively
> echo "   External Interface:  $EXTIF"
> echo "   External Address:  $EXTIP"
> 
> [snip]
> 
> # eMule on Voyager
> echo "Enabling tcp port 4661 and 4662 and udp port 4665 forwarding to Voyager"
> 
> # Masquerade (SNAT) outgoing traffic
> $IPTABLES -t nat -A POSTROUTING -s 192.168.0.25 -p tcp --sport 4661 -j MASQUERADE
> $IPTABLES -t nat -A POSTROUTING -s 192.168.0.25 -p tcp --sport 4662 -j MASQUERADE
> $IPTABLES -t nat -A POSTROUTING -s 192.168.0.25 -p udp --sport 4665 -j MASQUERADE
> 

# DNAT incoming traffic (needs $EXTIP from above, i.e. ppp0 must be up when this runs)
$IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --dport 4661 -j DNAT --to-destination 192.168.0.25:4661
$IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --dport 4662 -j DNAT --to-destination 192.168.0.25:4662
$IPTABLES -t nat -A PREROUTING -d $EXTIP -p udp --dport 4665 -j DNAT --to-destination 192.168.0.25:4665

# Let the rewritten packets through the filter table: they are routed, so they
# traverse FORWARD, not INPUT/OUTPUT. Replies from 192.168.0.25 back out need
# their own FORWARD rule (or a conntrack ESTABLISHED,RELATED rule) as well.
$IPTABLES -t filter -A FORWARD -d 192.168.0.25 -p tcp -m tcp --dport 4661 -j ACCEPT
$IPTABLES -t filter -A FORWARD -d 192.168.0.25 -p tcp -m tcp --dport 4662 -j ACCEPT
$IPTABLES -t filter -A FORWARD -d 192.168.0.25 -p udp -m udp --dport 4665 -j ACCEPT

# OUTPUT only sees packets generated on the firewall itself (e.g. a client
# on this box talking to 192.168.0.25); forwarded/DNATed packets never hit it.
$IPTABLES -t filter -A OUTPUT -d 192.168.0.25 -p tcp -m tcp --dport 4661 -j ACCEPT
$IPTABLES -t filter -A OUTPUT -d 192.168.0.25 -p tcp -m tcp --dport 4662 -j ACCEPT
$IPTABLES -t filter -A OUTPUT -d 192.168.0.25 -p udp -m udp --dport 4665 -j ACCEPT

To be fair, I'm not entirely /sure/ how much of that is necessary, but
that's what I use to do DNAT here.

Remember to add these rules near the top of each chain definition, otherwise
earlier rules could drop or reject the packets.

Let me know how you get on.

Best Regards,
Alex.
-- 
Alex Butcher      Brainbench MVP for Internet Security: www.brainbench.com
Bristol, UK                      Need reliable and secure network systems?
PGP/GnuPG ID:0x271fd950                         <http://www.assursys.com/>
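
Added example, not part of the message above or of either poster's script: the same port-forward for the eMule host written as a small rule generator, together with the conntrack rules the forwarded connections depend on (the original script's [snip] presumably holds its own). The interface names, the target host 192.168.0.25 and the port list are taken from the thread but set here as overridable defaults; the helper names (ipt, base_rules, forward_port, apply_all, rule_count) and the DRY_RUN switch are this example's own. DRY_RUN=1 prints the iptables commands instead of installing them, which is also how the rule set is checked.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed defaults below match
# the thread; override them in the environment. DRY_RUN=1 prints the
# iptables commands instead of running them.

EXTIF="${EXTIF:-ppp0}"          # external (Internet-facing) interface
INTIF="${INTIF:-eth0}"          # LAN interface
PEER="${PEER:-192.168.0.25}"    # LAN host that should receive the ports
FORWARDS="${FORWARDS:-tcp:4661 tcp:4662 udp:4665}"   # proto:port, space separated

# Run iptables, or print the command line when DRY_RUN is set.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Rules every DNAT set-up needs, whichever ports are forwarded:
#  - replies to any accepted connection may pass in both directions,
#  - the LAN may open new connections outward,
#  - everything leaving EXTIF is masqueraded (replaces per-port --sport rules).
base_rules() {
    ipt -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -t filter -A FORWARD -i "$INTIF" -o "$EXTIF" -m state --state NEW -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
}

# DNAT one proto:port ($1:$2) to $PEER and let the rewritten packet through
# FORWARD. Matching on -i "$EXTIF" rather than -d "$EXTIP" keeps the rule
# valid when a dial-up address changes; restricting FORWARD to -d "$PEER"
# stops the filter rule from accepting those ports for any other LAN host.
forward_port() {
    ipt -t nat -A PREROUTING -i "$EXTIF" -p "$1" --dport "$2" \
        -j DNAT --to-destination "$PEER:$2"
    ipt -t filter -A FORWARD -i "$EXTIF" -o "$INTIF" -d "$PEER" \
        -p "$1" --dport "$2" -m state --state NEW -j ACCEPT
}

# Emit the whole rule set: base rules first, then one DNAT/FORWARD pair per
# service. Run it before any DROP/REJECT rules are appended to these chains.
apply_all() {
    base_rules
    for spec in $FORWARDS; do
        forward_port "${spec%%:*}" "${spec#*:}"
    done
}

# Number of rules the current configuration produces (3 + 2 per service).
rule_count() {
    ( DRY_RUN=1; apply_all ) | wc -l | tr -d ' '
}

case "${1:-}" in
    show)  DRY_RUN=1; apply_all ;;   # print the rules:   sh forward.sh show
    apply) apply_all ;;              # install them as root: sh forward.sh apply
esac
```

The point of keeping the DNAT rule keyed on the inbound interface and the FORWARD rule keyed on the destination host is that neither depends on what address ppp0 happens to have, and a second LAN machine cannot receive the same ports by accident; the ESTABLISHED,RELATED rule is what lets the eMule host's replies back out without a per-port rule in the other direction.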
