
I'm trying to setup a simple port forwarding firewall and I can't make the basic non-firewall configuration to work. I have setup the iptables script as follows

#!/bin/sh

# interfaces
LAN="eth1"
WAN="eth0"

# enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# delete all existing rules to start from scratch
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# accept everything
iptables -A INPUT -j ACCEPT
iptables -A FORWARD -j ACCEPT
iptables -A OUTPUT -j ACCEPT

# port forwarding to local machine
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT --to 192.168.1.96

# masquerade
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE

This script will not firewall anything but it should redirect port 80 on the gateway machine to my internal machine 192.168.1.96. This is not working. The problem is that I can't get from the outside into the inside machine. I don't even know how to start debugging. Any hints on where to look?

Ricardo Marimon

5 Answers


Change:

# port forwarding to local machine
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT --to 192.168.1.96

To:

# port forwarding to local machine
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT \
    --to-destination 192.168.1.96:80

rkthkr

Double-check with iptables -L -n -v --line, and with -t nat. What you did looks right to me. Also run tcpdump to see if you can see the TCP SYN on the outside (eth0) and on the inside (eth1) to make sure this is where it disappears.

"This is not working" is not a good description. What isn't working? Do you get timeout or connection refused?

Thomas
  • You are right. This is what is happening. I can get from the outside to the inside and browse in my internal webserver (tomcat) for the first two pages. Once I need to enter login and password it just stops responding. I can browse from the internal pages without any problems. – Ricardo Marimon Jun 17 '09 at 14:32
  • By the way, the pages after login timeout. – Ricardo Marimon Jun 17 '09 at 14:35
  • Could it be because after logging in you are redirected to either https (port 443) or to the local (internal) ip address of the webserver? – Thomas Jun 17 '09 at 14:51
  • Another symptom. If I make my internal machine use the gateway machine to move traffic out, I can traceroute to www.google.com from 192.168.128.96 but I can't browse google because it just hangs waiting for a response. – Ricardo Marimon Jun 17 '09 at 15:02
  • As for the redirection, when I replicate this setup with a linksys wireless router (I'm desperate) using it as a port router it works. This is what is leading me to believe that there is something wrong with my setup script. – Ricardo Marimon Jun 17 '09 at 15:03
  • *if* you make your internal machine use the gateway machine [ as default gw]? You have to, or the DNAT won't work! – Thomas Jun 17 '09 at 18:12
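Added example (not from the thread): a small Python checker that applies the advice above to the output of iptables -t nat -L -n -v -x --line-numbers, verifying that the PREROUTING DNAT rule carries an explicit IP:PORT target (rkthkr's point), that MASQUERADE matches the WAN interface as in the question's script, and comparing rule counters between two snapshots to see whether the test SYN ever reached the DNAT rule (Thomas's counter check). The listing text is constructed; interface names and the target host are the question's values.

```python
import re

# Constructed sample of `iptables -t nat -L -n -v -x --line-numbers`, captured
# before and after one test connection to tcp/80 from the WAN side (-x keeps
# the counters exact instead of abbreviating them as K/M).
BEFORE = """\
Chain PREROUTING (policy ACCEPT 40 packets, 2400 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 DNAT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:192.168.1.96:80

Chain POSTROUTING (policy ACCEPT 12 packets, 800 bytes)
num pkts bytes target prot opt in out source destination
1 5 300 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
"""
AFTER = BEFORE.replace("1 0 0 DNAT", "1 1 60 DNAT")  # one SYN hit the DNAT rule

def parse_nat(text):
    """Return {chain: [rule dict, ...]} from a -L -n -v --line-numbers listing."""
    chains, chain = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            chain = m.group(1)
            chains[chain] = []
            continue
        f = line.split()
        if not f or not f[0].isdigit():  # blank line or column header
            continue
        chains[chain].append({"num": int(f[0]), "pkts": int(f[1]), "target": f[3],
                              "in": f[6], "out": f[7], "extra": " ".join(f[10:])})
    return chains

def check_forward(listing, wan, dport, dest):
    """Return a list of problems found in the DNAT/MASQUERADE setup."""
    problems = []
    dnat = [r for r in listing.get("PREROUTING", []) if r["target"] == "DNAT"
            and r["in"] == wan and f"dpt:{dport}" in r["extra"]]
    if not dnat:
        problems.append(f"no DNAT rule for tcp/{dport} arriving on {wan}")
    elif f"to:{dest}:" not in dnat[0]["extra"]:
        problems.append("DNAT target has no port; use --to-destination IP:PORT")
    masq = [r for r in listing.get("POSTROUTING", []) if r["target"] == "MASQUERADE"]
    if not any(r["out"] == wan for r in masq):
        problems.append(f"MASQUERADE must match -o {wan}, not the LAN interface")
    return problems

def prerouting_hits(before, after):
    """Packets matched by each PREROUTING rule between the two snapshots."""
    b = {r["num"]: r["pkts"] for r in parse_nat(before).get("PREROUTING", [])}
    a = {r["num"]: r["pkts"] for r in parse_nat(after).get("PREROUTING", [])}
    return {n: a[n] - b.get(n, 0) for n in a}

if __name__ == "__main__":
    print(check_forward(parse_nat(AFTER), "eth0", 80, "192.168.1.96"))  # []
    print(prerouting_hits(BEFORE, AFTER))  # {1: 1}
```

A zero delta on the DNAT rule after a test connection means the SYN never reached the nat table, so the next step is tcpdump on eth0; a non-zero delta with no reply points at the path from eth1 to the internal host or at its default gateway.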

I don't know what version of iptables you're running, but under v1.3.5, you need to have --to-destination instead of --to.

Kevin M

I think your last line should be

# masquerade
iptables -t nat -A POSTROUTING -o $LAN -j MASQUERADE

Note LAN, not WAN.

Neobyte
  • The package needs to be "masqueraded" when it is going out on the wan... – rkthkr Jun 17 '09 at 13:28
  • No, it's all right if the web server sees the actual IPs and if there are public IPs on the internal network. But the remote computer on the public Internet needs to see the public IP, not a private one. – Kevin M Jun 17 '09 at 13:41
  • I guess you guys know better. :) – Neobyte Jun 17 '09 at 14:21

I normally set this up with IPs instead of interfaces. Please try the following:

# port forwarding to local machine
iptables -t nat -A PREROUTING -d $EXT_IP -p tcp --dport 80 -j DNAT --to 192.168.1.96

# masquerade
iptables -t nat -A POSTROUTING -s 192.168.1.96 -j MASQUERADE

and set the $EXT_IP of course.

etagenklo