iptables - newbie fun with port forwarding

Post by Jaso » Tue, 19 Mar 2002 09:01:12



Hi!

I'm learning all about iptables these days. Very cool. Seems fairly
straightforward, however I'd really appreciate a confirmation
regarding my conclusion pertaining to forwarding of incoming traffic
to specified internal IPs, based on port. Also, I'd really appreciate
input regarding a few questions I have. Many, many thanks in advance!

============
Scenario #1:
============
I want all inbound traffic on port 80 to point to our internal
webserver. Assuming that my static external IP is 12.13.14.15, and
that the webserver IP is 192.168.1.103, is the following correct?

iptables -A PREROUTING -t nat -d 12.13.14.15 --dport 80 -j DNAT --to 192.168.1.103:80

Note that I did not include the protocol specification ("-p tcp "). Do
I need it?

============
Question #1:
============
How do I remap *all* internal traffic (from various workstations) to
an external address? The following should(?) work for mapping a single
address to an external address:

iptables -t nat -A POSTROUTING -s 192.168.1.101 -o eth0 -j SNAT --to 12.13.14.15

However I'm not sure how to map numerous addresses to this single
external address... Perhaps a subnet mask? Any input is much
appreciated. Basically, I'm using DHCP to dole out addresses as needed
throughout the network, and want NAT to handle all of them when they
attempt to access outside resources. More specifically, let's assume
that I'm assigning internal IPs using the IP range 192.168.1.107 -
192.168.1.199. How would I go about resolving the above question using
this range?

============
Question #2:
============
Any references to online resources regarding using iptables along with
MS Exchange? YES, I have already scoured all newsgroups and google,
but haven't yet found anything comprehensive. If no specific links,
I'd appreciate a few war stories or anecdotal 'gotchas' that
individuals experienced with this matter might like to offer.

I appreciate any input!!!

Jason


Post by ken_yap_b49dae7a_.. » Tue, 19 Mar 2002 09:17:55


|I'm learning all about iptables these days. Very cool. Seems fairly
|straightforward, however I'd really appreciate a confirmations
|regarding my conclusion pertaining to forwarding of incoming traffic
|to specified internal IPs, based on port. Also, I'd really appreciate
|input regarding a few questions I have. Many, many thanks in advance!

I don't know if you know of this site, but this tutorial will answer
many of your questions and some you didn't realise you had. :-)

http://www.boingworld.com/workshops/linux/iptables-tutorial/iptables-...


Post by Erik Saart » Tue, 19 Mar 2002 19:25:37



> Hi!

> I'm learning all about iptables these days. Very cool. Seems fairly
> straightforward, however I'd really appreciate a confirmations
> regarding my conclusion pertaining to forwarding of incoming traffic
> to specified internal IPs, based on port. Also, I'd really appreciate
> input regarding a few questions I have. Many, many thanks in advance!

> ============
> Scenario #1:
> ============
> I want all inbound traffic on port 80 to point to our internal
> webserver. Assuming that my static external IP is 12.13.14.15, and
> that the webserver IP is 192.168.1.103, is the following correct?

> iptables -A PREROUTING -t nat -d 12.13.14.15 --dport 80 -j DNAT --to
> 192.168.1.103:80

> Note that I did not include the protocol specification ("-p tcp "). Do
> I need it?

Yes you do, --dport needs it.
If you are forwarding to the same port (80->80 in your case), you don't
need to specify it in --to xxx.
Note, you also need to allow that traffic in FORWARD chain.
(if default is not set to accept all)


> ============
> Question #1:
> ============
> How do I remap *all* internal traffic (from various workstations) to
> an external address? The following should(?) work for mapping a single
> address to an external address:

> iptables -t nat -A POSTROUTING -s 192.168.1.101 -o eth0 -j SNAT --to
> 12.13.14.15

> However I'm not sure how to map numerous addresses to this single
> external address... Perhaps a subnet mask? Any input is much
> appreciated. Basically, I'm using DHCP to dole out addresses as needed
> throughout the network, and want NAT to handle all of them when they
> attempt to access outside resources. More specifically, let's assume
> that I'm assigning internal IPs using the IP range 192.168.1.107 -
> 192.168.1.199. How would I go about resolving the above question using
> this range?

Yes, subnet:
-s 192.168.1.0/24
Another possibility is to define the network in /etc/networks, for example
by having the following line there:
internal 192.168.10.0
and then you can use that name in -s.


> ============
> Question #2:
> ============
> Any references to online resources regarding using iptables along with
> MS Exchange? YES, I have already scoured all newsgroups and google,
> but haven't yet found anything comprehensive. If no specific links,
> I'd appreciate a few war stories or anecdote 'gotchas' that
> individuals experienced with this matter might like to offer.

Can't help here.


> I appreciate any input!!!

> Jason

Erik

Post by Jaso » Wed, 20 Mar 2002 05:11:01


Hi,

Fantastic. Thanks for your help. Could somebody please elaborate upon
the following note, specifically the part that says that I need to
allow that traffic in the FORWARD chain? I want to initially deny all
traffic, and then work backwards from there.

Specifically, could somebody enlighten me as to the syntax regarding
how to set this forward chain? Yes, I already rtfm, just looking for a
specific syntactical case.

> Yes you do, --dport needs it.
> If you are forwarding to the same port (80->80 in your case), you dont
> need to specify it in --to xxx.
> Note, you also need to allow that traffic in FORWARD chain.
> (if default is not set to accept all)

Thanks!!!
jason

Post by Eric P. McC » Wed, 20 Mar 2002 05:15:55



> Specifically, could somebody enlighten me as to the syntax regarding
> how to set this forward chain? Yes, I already rtfm, just looking for a
> specific syntactical case.

Please put your reply below the quoted text, as I have done.

The other poster is talking about setting the chain policy, which is
done using `--policy' or `-P':

  # iptables [-t whatever] -P FORWARD ACCEPT

(The `-t' is in braces because I forget what table the FORWARD chain
is on; nat?)

He also notes that you only need to do this if the policy isn't
already ACCEPT, which I believe is not the default.

--

"I woke up this morning and realized what the game needed: pirates,
pimps, and gay furries."  - Rich "Lowtax" Kyanka
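Putting Erik's and Eric's answers together for Jason's "deny everything, then work backwards" setup, here is an added example script that is not from any poster in this thread. Two facts it relies on: the FORWARD chain lives in the filter table (the one you get when -t is omitted), and DNAT is applied in nat/PREROUTING before the FORWARD decision, so the FORWARD rule has to match the already-rewritten internal address, not the public one. It assumes eth0 is the external interface and eth1 the internal one; the addresses are the ones used in the thread. With no argument (or with DRY_RUN=1) it only prints the commands it would run, so the ruleset can be reviewed without root.

```shell
#!/bin/sh
# Added example, not a poster's script. Assumes eth0 faces the Internet and
# eth1 the LAN; the addresses are the ones used in the thread.
EXT_IF=eth0
INT_IF=eth1
EXT_IP=12.13.14.15
WEB_IP=192.168.1.103
LAN=192.168.1.0/24

# With DRY_RUN=1 every command is printed instead of executed, so the
# ruleset can be reviewed without root (and without touching the kernel).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

apply_rules() {
    # Nothing is forwarded at all unless the kernel is told to route.
    run sysctl -w net.ipv4.ip_forward=1

    # Start clean and deny forwarding by default. FORWARD lives in the
    # filter table, which is what you get when -t is omitted.
    run iptables -F
    run iptables -t nat -F
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT

    # Replies to flows the box already knows about may pass in both directions.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Scenario #1: inbound port 80 to the internal web server. --dport is
    # only valid with -p tcp, and the FORWARD rule matches the destination
    # as already rewritten by DNAT (WEB_IP), because nat/PREROUTING runs first.
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$EXT_IP" --dport 80 -j DNAT --to-destination "$WEB_IP"
    run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$WEB_IP" --dport 80 -m state --state NEW -j ACCEPT

    # Question #1: the whole LAN behind one public address. Only new flows
    # that originate inside are let out; the /24 covers the DHCP range.
    run iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN" -m state --state NEW -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN" -j SNAT --to-source "$EXT_IP"
}

# Default action is to print the rules; pass "apply" to load them for real.
case "${1:-show}" in
    apply) apply_rules ;;
    show)  DRY_RUN=1; apply_rules ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Run it as `sh fw.sh` to see the rules, `sh fw.sh apply` as root to load them. The ESTABLISHED,RELATED rule is what makes deny-by-default workable: only the first packet of a connection has to be explicitly permitted, in the direction the connection is meant to start from.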


Post by Pravee » Wed, 20 Mar 2002 14:07:37


In my case, I have a Linux server acting as firewall/router and one of my
internal network m/c running the MSN messenger application is unable to send
file/voice/video. I believe these applications use ports 6891 and 6900.
How can I open these ports on my Linux firewall using IPTABLES rules? Detailed
information will be appreciated.

thanks
-praveen


> Hi!

> I'm learning all about iptables these days. Very cool. Seems fairly
> straightforward, however I'd really appreciate a confirmations
> regarding my conclusion pertaining to forwarding of incoming traffic
> to specified internal IPs, based on port. Also, I'd really appreciate
> input regarding a few questions I have. Many, many thanks in advance!

> ============
> Scenario #1:
> ============
> I want all inbound traffic on port 80 to point to our internal
> webserver. Assuming that my static external IP is 12.13.14.15, and
> that the webserver IP is 192.168.1.103, is the following correct?

> iptables -A PREROUTING -t nat -d 12.13.14.15 --dport 80 -j DNAT --to
> 192.168.1.103:80

> Note that I did not include the protocol specification ("-p tcp "). Do
> I need it?

> ============
> Question #1:
> ============
> How do I remap *all* internal traffic (from various workstations) to
> an external address? The following should(?) work for mapping a single
> address to an external address:

> iptables -t nat -A POSTROUTING -s 192.168.1.101 -o eth0 -j SNAT --to
> 12.13.14.15

> However I'm not sure how to map numerous addresses to this single
> external address... Perhaps a subnet mask? Any input is much
> appreciated. Basically, I'm using DHCP to dole out addresses as needed
> throughout the network, and want NAT to handle all of them when they
> attempt to access outside resources. More specifically, let's assume
> that I'm assigning internal IPs using the IP range 192.168.1.107 -
> 192.168.1.199. How would I go about resolving the above question using
> this range?

> ============
> Question #2:
> ============
> Any references to online resources regarding using iptables along with
> MS Exchange? YES, I have already scoured all newsgroups and google,
> but haven't yet found anything comprehensive. If no specific links,
> I'd appreciate a few war stories or anecdote 'gotchas' that
> individuals experienced with this matter might like to offer.

> I appreciate any input!!!

> Jason


1. IPTables and a simple script to port forward port 80

Hey there,

Well, I stayed up later than I'd like to admit last night trying to get
port forwarding to work.  All I want the linux box to do is forward port
80 (web traffic of course...) from the external interface to a box on
the inside interface's LAN.

For troubleshooting, I've stripped out all of my SNAT config, set the
policies to ACCEPT for every chain, and used the following:

iptables -A PREROUTING -t nat -p tcp -d 1.2.3.4 --dport 80 -j DNAT --to 10.0.0.11:80

where 1.2.3.4 is the outside address and 10.0.0.11 is the inside
address.

When I go to 1.2.3.4 with a web browser from another server on the
outside, and then do "ipchains -t nat -L -v" I can see that the packet
hit the rule, but the web browser times out.  From there, I have no idea
where the packet is getting lost.  At this point, I'm not trying to be
secure, I'm just trying to get the damn thing to work. ;-)  I can make
it secure later... (crawl before you walk, etc)

Any help will be much appreciated, as I've already spent more time on
this than I would have liked to (doesn't it always seem that way?).  If
you have port 80 forwarding--or any port for that matter--working and
could send me your script, I'd appreciate that also.

Thanks,
Kevin
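Kevin's symptom, a counter that increments on the nat rule while the client times out, means the packet was rewritten and then went nowhere. On the firewall itself the usual two reasons are that IP forwarding is off in the kernel, or that the FORWARD chain (filter table) is dropping the rewritten packet; the third common cause, the internal host sending its replies to a default gateway other than the firewall, has to be checked on that host. The following is an added example, not Kevin's script or anything from the thread: a small checker that takes the ip_forward value and the output of `iptables -nvL FORWARD` as strings, parses the chain's policy counters, and reports which of the firewall-side causes applies. The listing it is exercised on is constructed sample data in the format iptables prints.

```shell
#!/bin/sh
# Added example, not a poster's script. Checks the two things on the
# firewall itself that let a packet hit a nat/PREROUTING DNAT rule and
# still go nowhere: routing disabled, or the FORWARD chain dropping it.
# Inputs are passed as strings so the checks can run offline.

# Policy name from the header line of `iptables -nvL FORWARD`, e.g.
# "Chain FORWARD (policy DROP 12 packets, 720 bytes)" -> "DROP".
forward_policy() {
    printf '%s\n' "$1" | sed -n 's/^Chain FORWARD (policy \([A-Z]*\) .*/\1/p'
}

# Packets already eaten by the chain policy (the count in that header line).
forward_policy_drops() {
    printf '%s\n' "$1" | sed -n 's/^Chain FORWARD (policy [A-Z]* \([0-9]*\) packets.*/\1/p'
}

# Rules in the listing whose packet counter is still zero, i.e. rules the
# traffic never reached; prints "target proto -> destination extra".
forward_unmatched_rules() {
    printf '%s\n' "$1" | awk 'NR > 2 && $1 == 0 { print $3, $4, "->", $9, $11 }'
}

# diagnose <ip_forward value> <FORWARD listing>: one token per finding,
# empty output when the forwarding path on the firewall looks fine.
diagnose() {
    ip_forward="$1"
    listing="$2"
    findings=""
    [ "$ip_forward" = "1" ] || findings="$findings ip_forward_off"
    policy=$(forward_policy "$listing")
    drops=$(forward_policy_drops "$listing")
    if [ "$policy" != "ACCEPT" ] && [ "${drops:-0}" -gt 0 ]; then
        findings="$findings forward_policy_dropping"
    fi
    echo "${findings# }"
}

# Constructed sample: forwarding off, the DROP policy has eaten 12 packets,
# and the rule meant for the web server never matched anything.
SAMPLE_LISTING='Chain FORWARD (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  eth0   eth1    0.0.0.0/0            10.0.0.11            tcp dpt:80'

# On a real box, run as root:
#   diagnose "$(cat /proc/sys/net/ipv4/ip_forward)" "$(iptables -nvL FORWARD)"
echo "findings: $(diagnose 0 "$SAMPLE_LISTING")"
echo "rules that never matched:"
forward_unmatched_rules "$SAMPLE_LISTING"
```

Reading the counters this way is the quickest way to tell the layers apart: a nat rule that counts hits but a FORWARD rule stuck at zero, together with a growing policy drop count, says the packet is being rewritten and then refused, not lost on the way in.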
