[Nottingham] Port forwarding with iptables

Phil Lakin nottingham at mailman.lug.org.uk
Tue Apr 29 15:59:01 2003


On Tue, 2003-04-29 at 15:42, Steve Goodliff wrote:
> 
> 
> Hello All,
> 
> Please can anyone help me out with my latest linux networking conundrum.
> 
> I have a redhat 8.0 machine with 3 NIC's. 2 of them are connected to ADSL
> routers and the 3rd to our internal network.
> 
> Both routers have web front ends which I would like to access by connecting
> to the redhat box and then move onto some sort of balancing traffic across
> the 2.
> 
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
> 192.168.254.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 eth1
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
> 0.0.0.0         192.168.254.254 0.0.0.0         UG    0      0        0 eth0
> 
> The redhat box has the IP address 10.1.1.2. I've tried the port
> forwarding stuff off the netfilter howto but can't get it working. The
> machine also runs NAT for the clients on the 10.x network.
> 
> iptables -t nat -A PREROUTING -p tcp --dport 8080 -d 10.1.1.2 -j DNAT --to-destination 192.168.1.1:80
> 
> I've tried setting the FORWARD policy to ACCEPT but that doesn't help
> matters.
> 
> Any suggestions would be much welcome.
> 
> Steve G
> 
> 

Hi Steve,

I have a similar setup here, and this is how I've solved the problem:

iptables -t nat -A PREROUTING -s 0/0 -i <external interface> -d <external ip>/32 -m tcp -p tcp --dport 80 -j DNAT --to <internal ip>

iptables -t filter -A FORWARD -i <external interface> -d <internal ip> -m tcp -p tcp --dport 80 -j ACCEPT

iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT


A handy way of debugging your iptables scripts is to add a log rule
before your terminating deny rules.

You can also use the /etc/sysconfig/iptables script to keep the rules
in, instead of writing a specific script to run them all for you.

Hope this helps,

Phil Lakin
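The rule set Phil describes, written up as an added example rather than anything posted in the thread: a shell function that prints the DNAT, FORWARD and state rules for one forwarded port, followed by a LOG rule ahead of the terminating DROP so rejected packets show up in the kernel log. The interface names and addresses in the usage line are taken from Steve's layout (eth1 facing the 10.x clients, eth2 facing the router at 192.168.1.1) and are only placeholders. The optional POSTROUTING MASQUERADE step is my own addition, not something the thread states: it is needed when the device you forward to (an ADSL router, say) has no route back to the client network, so that its replies return through the Linux box instead of being sent to its own default gateway. Printing the commands instead of running them lets you review the result before piping it into a root shell.

```shell
#!/bin/sh
# Added example, not Phil's or Steve's own script. Builds the port-forwarding
# rules discussed in the thread and prints them, one iptables command per line.
#
# Usage: gen_forward_rules EXT_IF EXT_IP EXT_PORT INT_IP INT_PORT [OUT_IF]
# Apply with (as root, after reviewing the output):
#   gen_forward_rules eth1 10.1.1.2 8080 192.168.1.1 80 eth2 | sh
#
# Addresses and interfaces are constructed placeholders matching the thread.

gen_forward_rules() {
    ext_if=$1; ext_ip=$2; ext_port=$3; int_ip=$4; int_port=$5; out_if=$6

    # 1. Rewrite the destination before routing (the PREROUTING DNAT rule).
    printf 'iptables -t nat -A PREROUTING -i %s -d %s/32 -p tcp -m tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$ext_if" "$ext_ip" "$ext_port" "$int_ip" "$int_port"

    # 2. Let the rewritten packet through the FORWARD chain. Note the match is
    #    on the *new* destination, because DNAT has already happened.
    printf 'iptables -t filter -A FORWARD -i %s -d %s -p tcp -m tcp --dport %s -j ACCEPT\n' \
        "$ext_if" "$int_ip" "$int_port"

    # 3. Replies and related traffic for both the box itself and forwarded flows.
    printf 'iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
    printf 'iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT\n'

    # 4. Optional (assumption, not from the thread): source-NAT on the way out
    #    so the target device answers back through this box.
    if [ -n "$out_if" ]; then
        printf 'iptables -t nat -A POSTROUTING -o %s -d %s -p tcp -m tcp --dport %s -j MASQUERADE\n' \
            "$out_if" "$int_ip" "$int_port"
    fi

    # 5. Phil's debugging tip: log what is about to be dropped, then drop it.
    printf 'iptables -t filter -A FORWARD -j LOG --log-prefix "FWD-DROP: " --log-level 4\n'
    printf 'iptables -t filter -A FORWARD -j DROP\n'
}

# Small helper for scripts: number of rules a call would emit.
count_forward_rules() {
    gen_forward_rules "$@" | wc -l | tr -d ' '
}
```

Run the generated lines through `iptables -L -n -v --line-numbers` afterwards; the per-rule packet counters tell you which rule a test connection actually hit, which is usually faster than reading the LOG output.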