I've http and https traffic coming from several machines to my eth0 on my Linux machine, but I want to forward these traffic to eth1 which has the access to the internet. And do the complimentary operation of traffic coming from 80 and 443 to be routed from eth1 to eth0 so that they reach the machines that created the web requests.

I've tried the following iptables commands, but it didn't help:

iptables -A FORWARD -p tcp --dport 80 -o eth1 -j ACCEPT
iptables -A FORWARD -p tcp --sport 80 -o eth0 -j ACCEPT

I'm not sure how to go about this.


Output of ip addr show

$ /sbin/ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether <mac_address_of_eth0> brd ff:ff:ff:ff:ff:ff
    inet brd scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether <mac_address_of_eth1> brd ff:ff:ff:ff:ff:ff
    inet brd scope global eth1
  • If you just want to use it as a filter and your webserver has a public IP already, you might consider setting up a bridge between those two nics instead of relying on NAT. – jishi Oct 15 '12 at 10:42

2 Answers2


First of, this is a very similar question to iptables forwarding between two interface.

That being said, you want your host to become a gateway, but more specific, only to protocols HTTP and HTTPS (80 / 443). To achieve this, you should:

  1. Be able to forward traffic between this two interfaces
  2. Forward packets with destination port 80 (HTTP)
  3. Forward packets with destination port 443 (HTTPS)
  4. As iptables (netfilter) is a stateless packet filtering system, accept packets that are comming back
  5. Source NAT (change the originating IP address) to your host's IP

Translated to iptables:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 80  -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED \
   -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

Provided the other hosts on your network are using your host to reach internet (meaning your linux box behaves as a gateway).

  • Hi @Torian: Thanks for the answer. I just tried this, and it still seems to be going through eth0. tcpdump on eth1 captures no packets, and tcpdump on eth0 shows traffic with source (and destination of returning packets) as the IP address of eth0. The browser traffic is sent from my desktop through an SSH tunnel (using PuTTY) to this Linux machine. Would that make any difference to this? – Srikanth Oct 15 '12 at 11:05
  • Just for completness, add `ip addr show`. Something I should have asked: Is you linux box the default gateway for this other machines ? Are the requests destined to `your` host ? – Torian Oct 15 '12 at 11:26
  • I've added the `ip addr show` result to my question. As for the Linux box being the default gateway for the other machines: no, it's not; the requests are coming through the ssh tunnel. – Srikanth Oct 15 '12 at 12:07
  • This is the key piece of information that you missed. Then the answer does not apply... An ssh tunnel only allows you to got out somewhere specific: "80:destination_ip:80". There might be another way using ProxyCommand on the remote hosts, but I have to give it a little bit of thinking. – Torian Oct 15 '12 at 12:21

Assuming eth1 has a public internet address it sounds like you want your Linux box to become a router, probably with NAT/Masquerade functionality. See http://www.howtoforge.com/internet-connection-sharing-masquerading-on-linux for one of many examples.

The IPtables you have given simply allow HTTP traffic to be forwarded through your Linux box should they arrive but you will need to make sure your clients use your Linux box as a gateway to make this happen.

