Properly portforwarding the external IP with iptables

3

I am trying to forward all the incoming internet/LAN requests on port 80 to my local machine (running Apache). The current iptables rules work (they forward incoming internet traffic to my desktop), but if I try to access it from my local network it won't work.

The interface connecting my Ubuntu server to the internet is ppp0 (a dialled DSL connection through my router, which is in bridge mode), which runs over eth0; eth1 is connected to my internal LAN.

iptables -t nat -A POSTROUTING -s 192.168.2.0/255.255.255.0 -o ppp0 -j MASQUERADE
iptables -A INPUT -i ppp0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

#port forwarding
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to-destination 192.168.2.2:80
iptables -A FORWARD -i ppp0 -p tcp --dport 80 -j ACCEPT

I also tested with

iptables -t nat -A PREROUTING -i lo -p tcp --dport 80 -j DNAT --to-destination 192.168.2.2:80

No luck there either.

What I was able to gather so far (via logs) is that accessing the external server IP directly from the LAN goes directly to eth1, which is understandable (I think).

So what I need now (I guess) is a rule that will forward the LAN traffic on eth1 without interfering with the ppp0 PREROUTING rule (as forwarding all the incoming traffic on eth1 to my local machine will break the internet connection).

Stef

Posted 2011-07-02T13:30:53.890

Reputation: 75

It is a bit difficult to follow your problem description. You have an Ubuntu server connected to the router? And you wish to use iptables to only forward incoming connections to port 80? – bbaja42 – 2011-07-02T14:53:20.760

Yeah, pretty much. The "basic" port forwarding works (incoming internet traffic on port 80 is getting forwarded properly), but when I type my external IP into the browser, the connection won't be forwarded and I just see the error screen. – Stef – 2011-07-02T15:04:27.543

Idea 1: try accessing your external IP through a proxy. Idea 2: include logging in the iptables rules.

– bbaja42 – 2011-07-02T15:17:08.260

Good idea with the proxy. Well, as I stated above, the traffic gets forwarded properly (I can see my Apache website with the proxy), but I simply can't access it via my external IP. The problem must be in my iptables port forwarding (in the code block above) :( – Stef – 2011-07-02T18:48:45.720

Could it be that when you are accessing the external IP, you are actually using the loopback interface? So adding lo to the port forwarding might solve the issue. – bbaja42 – 2011-07-02T19:10:10.850

I tried adding iptables -t nat -A PREROUTING -i lo -p tcp --dport 80 -j DNAT --to-destination 192.168.2.2:80, if that's what you meant; no luck there. It's interesting, because I would have thought that at least typing 192.168.2.1 (which is the local server IP) should get forwarded, yet still nothing :( – Stef – 2011-07-02T22:22:30.317

Answers

1

I think you are missing SNAT. Without SNAT the source IP points to the computer on the local network, and return packets are sent directly to the source computer, which discards them as invalid. With external computers this is not a problem, as the NAT is usually set up on the default gateway computer.

Try adding

iptables -t nat -A POSTROUTING -d 192.168.2.2 --dport 80 -j SNAT

Antti Rytsölä

Posted 2011-07-02T13:30:53.890

Reputation: 329

That iptables rule doesn't get in; are you sure you can use -d and --dport in the POSTROUTING table? – Stef – 2011-07-08T12:16:50.650

I would say this rule modifies all packets going to 192.168.2.2 port 80 to set their source address to our interface IP. When they come back, the original source IP is automatically restored. – Antti Rytsölä – 2011-07-08T13:08:27.860

It is also a bit difficult to say whether this "browser" or "local network" is the Linux router, the webserver machine, or a third machine on the same network, e.g. 192.168.2.3. – Antti Rytsölä – 2011-07-08T13:12:35.373

#port forwarding
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to-destination 192.168.2.2:80
iptables -A FORWARD -i ppp0 -p tcp --dport 80 -j ACCEPT

These specify the incoming interface as ppp0. This is not the case with a connection coming from the local network on eth1. If you wish to connect to the router IP 192.168.2.1, add

iptables -t nat -A PREROUTING -i eth1 -p tcp -d 192.168.2.1 --dport 80 -j DNAT --to-destination 192.168.2.2:80 – Antti Rytsölä – 2011-07-08T13:13:44.780

OK, I finally managed to find some time to try the last set of iptables rules:

iptables -t nat -A PREROUTING -i eth1 -p tcp -d 192.168.2.1 --dport 80 -j DNAT --to-destination 192.168.2.2:80

This doesn't work (according to iptables -t nat -L -v, packets get changed, so the rule actually "works"), but I still get only an error in my web browser :( – Stef – 2011-07-09T17:12:30.417

And you added the SNAT? – Antti Rytsölä – 2011-07-11T08:10:00.633

Nope, because I don't really know what this rule should look like. Should I use my desktop IP (192.168.2.2) as --to-source? I am getting a little lost here :s – Stef – 2011-07-13T09:41:33.410

I tried with

iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport 80 -j SNAT --to-source 192.168.2.2:80

iptables -t nat -A PREROUTING -i eth1 -p tcp -d 192.168.2.1 --dport 80 -j DNAT --to-destination 192.168.2.2:80

Both rules do apply (according to iptables -t nat -L -v), but it still doesn't work :( – Stef – 2011-07-13T15:26:22.340
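The complete hairpin-NAT (NAT loopback) rule set the answer and its comments are working towards, written out as an added example rather than anything posted in the thread. It assumes the thread's layout (ppp0 to the internet, eth1 on 192.168.2.0/24, router LAN address 192.168.2.1, web server 192.168.2.2); the `IPT` variable and the `apply`/`dry-run` arguments are this script's own conventions. The SNAT is limited to LAN-origin traffic so that genuine internet clients keep their real source address in the Apache logs, and its `--to-source` is the router's own LAN address, not the web server's.

```shell
#!/bin/sh
# Hairpin NAT for a LAN client that opens the router's public (or LAN) address.
# Added example; assumptions: ppp0 = internet, eth1 = LAN, router LAN IP
# 192.168.2.1, web server 192.168.2.2. Set IPT=echo to print instead of apply.
set -eu

IPT=${IPT:-iptables}
WAN_IF=ppp0
LAN_IF=eth1
LAN_NET=192.168.2.0/24
ROUTER_LAN_IP=192.168.2.1
WEB_IP=192.168.2.2
WEB_PORT=80

hairpin_rules() {
    # 1. Internet -> web server (the rule the question already has).
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$WEB_PORT" \
        -j DNAT --to-destination "$WEB_IP:$WEB_PORT"

    # 2. LAN -> any address owned by the router (192.168.2.1 or the dynamic
    #    ppp0 address). addrtype LOCAL avoids hard-coding the PPP address and
    #    leaves ordinary outbound port-80 traffic from the LAN untouched.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport "$WEB_PORT" \
        -m addrtype --dst-type LOCAL \
        -j DNAT --to-destination "$WEB_IP:$WEB_PORT"

    # 3. The forwarded packet leaves on the interface it came in on; a
    #    FORWARD rule matching only -i ppp0 does not cover this case.
    $IPT -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -p tcp -d "$WEB_IP" \
        --dport "$WEB_PORT" -j ACCEPT

    # 4. Rewrite the source to the router's LAN address, only for LAN-origin
    #    traffic, so the server's reply returns via the router and conntrack
    #    can undo both translations. Without this the server answers the
    #    client directly and the client drops the unexpected reply.
    $IPT -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -d "$WEB_IP" \
        -p tcp --dport "$WEB_PORT" -j SNAT --to-source "$ROUTER_LAN_IP"
}

case "${1:-}" in
    apply)   hairpin_rules ;;
    dry-run) IPT=echo; hairpin_rules ;;
    *)       echo "usage: $0 apply|dry-run" >&2 ;;
esac
```

After applying, `iptables -t nat -L -v -n` should show counters rising on rule 2 and rule 4 for a LAN test, and on rule 1 alone for a request from outside.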