There is something called ipmasqadm (it's an RPM). I am currently using it to
redirect port 3306 (MySQL) to an internal server with a non-routable IP. I am
doing it on SuSE Linux, using ipchains :) but I think you can do it
with iptables; it should be a breeze.

This is my current rule for redirecting:
#Mysql redirect
/usr/sbin/ipmasqadm portfw -a -P tcp -L <routable_ip> 3306 -R <non_routable_ip> 3306

And that's all :)

Ziggy


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Scott Adamson
Sent: Wednesday, March 27, 2002 6:52 AM
To: [EMAIL PROTECTED]
Subject: Trying to forward port 80 to an internal server


I have been trying to forward port 80 requests to a second machine. The
firewall machine runs Redhat 7.2, with the default kernel, which I think is
2.4.10. It contains two network interfaces: eth0, which is assigned a
routable internet address, and eth1, which is assigned an internal
non-routable address. I have confirmed that the firewall is accepting port
80 requests on the external interface, as I can successfully run Apache on
it without the firewall running. After the iptables script has been
executed, port 80 requests are not returned at all, indicating that the request
went somewhere. Could someone please assist, as I have read the howtos,
manuals and Robert Ziegler's latest edition of 'Linux Firewalls', but I'm
getting nowhere. I have included the entire script below; any assistance
would be greatly appreciated.

Thanks,

Scott

    #!/bin/sh
    IPTABLES="iptables"
    # Initial SIMPLE IP Masquerade test for 2.1.x and 2.2.x kernels using iptables
    #
    # Load all required IP MASQ modules
    #
    #   NOTE:  Only load the IP MASQ modules you need.  All current IP MASQ modules
    #          are shown below but are commented out from loading.

    # Needed to initially load modules
    #
    /sbin/depmod -a

    # Supports the proper masquerading of FTP file transfers using the PORT method
    #
    #/sbin/modprobe ip_masq_ftp

    # Supports the masquerading of RealAudio over UDP.  Without this module,
    #       RealAudio WILL function but in TCP mode.  This can cause a reduction
    #       in sound quality
    #
    #/sbin/modprobe ip_masq_raudio

    # Supports the masquerading of IRC DCC file transfers
    #
    #/sbin/modprobe ip_masq_irc

    # Supports the masquerading of Quake and QuakeWorld by default.  This module is
    #   for multiple users behind the Linux MASQ server.  If you are going to play
    #   Quake I, II, and III, use the second example.
    #
    #   NOTE:  If you get ERRORs loading the QUAKE module, you are running an old
    #   -----  kernel that has bugs in it.  Please upgrade to the newest kernel.
    #
    #Quake I / QuakeWorld (ports 26000 and 27000)
    #/sbin/modprobe ip_masq_quake
    #
    #Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960)
    #/sbin/modprobe ip_masq_quake 26000,27000,27910,27960

    # Supports the masquerading of the CuSeeme video conferencing software
    #
    #/sbin/modprobe ip_masq_cuseeme

    # Supports the masquerading of the VDOLive video conferencing software
    #
    #/sbin/modprobe ip_masq_vdolive

    # The ip_masq_* modules above belong to the 2.2.x (ipchains) masquerading
    # code; on a 2.4 kernel the netfilter modules below are what iptables uses.
    #/sbin/modprobe ip_conntrack
    #/sbin/modprobe ip_tables
    #/sbin/modprobe iptable_filter
    #/sbin/modprobe iptable_mangle
    #/sbin/modprobe iptable_nat
    #/sbin/modprobe ipt_LOG

    #CRITICAL:  Enable IP forwarding since it is disabled by default.
    #
    #           Redhat Users:  you may try changing the options in
    #           /etc/sysconfig/network from:
    #
    #                       FORWARD_IPV4=false
    #                             to
    #                       FORWARD_IPV4=true
    #
    echo "1" > /proc/sys/net/ipv4/ip_forward

    # Dynamic IP users:
    #
    #   If you get your IP address dynamically from SLIP, PPP, or DHCP, enable the
    #       following option.  This enables dynamic-ip address hacking in IP MASQ,
    #       making life with Diald and similar programs much easier.
    #
    #echo "1" > /proc/sys/net/ipv4/ip_dynaddr

    # MASQ timeouts
    #
    #   2 hrs timeout for TCP session timeouts
    #  10 sec timeout for traffic after the TCP/IP "FIN" packet is received
    #  160 sec timeout for UDP traffic (Important for MASQ'ed ICQ users)
    #
    #   (ipchains syntax left over from the 2.2 HOWTO; iptables has no -M option)
    #$IPTABLES -M -S 7200 10 160

    # DHCP:  For people who receive their external IP address from either DHCP or BOOTP
    #        such as ADSL or Cablemodem users, it is necessary to use the following
    #        before the deny command.  The "bootp_client_net_if_name" should be replaced
    #        with the name of the link that the DHCP/BOOTP server will put an address on to.
    #        This will be something like "eth0", "eth1", etc.
    #
    #        This example is currently commented out (rewritten here in iptables
    #        syntax; the original used the ipchains "-s 0/0 67 -d 0/0 68" form).
    #
    #/usr/sbin/iptables -A INPUT -i bootp_clients_net_if_name -p udp --sport 67 --dport 68 -j ACCEPT

    # Enable simple IP forwarding and Masquerading
    #
    #  NOTE:  The following is an example for an internal LAN address in the 192.168.0.x
    #         network with a 255.255.255.0 or a "24" bit subnet mask.
    #
    #         Please change this network number and subnet mask to match your internal LAN setup
    #
    #symbolics
    EXTERNAL_INTERFACE="eth0"
    INTERNAL_INTERFACE="eth1"
    LOOPBACK_INTERFACE="lo"          # was "Io" (capital i); the loopback device is lo
    IPADDR="203.89.239.135"
    IPADDR_INT="192.168.0.81"
    ANYWHERE="0.0.0.0/0"             # iptables form; "any/0" is ipchains syntax
    LOOPBACK="127.0.0.0/8"
    CLASS_A="10.0.0.0/8"
    CLASS_B="172.16.0.0/12"
    CLASS_C="192.168.0.0/16"
    CLASS_D_MULTICAST="224.0.0.0/4"
    CLASS_E_RESERVED_NET="240.0.0.0/5"
    BROADCAST_SRC="0.0.0.0"
    BROADCAST_DEST="255.255.255.255"
    PRIVPORTS="0:1023"
    UNPRIVPORTS="1024:65535"

    echo "starting firewall"
    #Flush existing rules and delete any user-defined chains
    $IPTABLES -F
    $IPTABLES -t filter -F
    $IPTABLES -t nat -F
    $IPTABLES -t filter -X
    $IPTABLES -t nat -X

    #################################################################################
    #   Default chains section                #
    #################################################################################

    #Allow all, then selective allows, then drop everything else
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    $IPTABLES -P OUTPUT ACCEPT

    #echo "Enabling PORTFW Redirection on the external LAN.."
    #
    #   This will forward ALL port 80 traffic from the external IP address
    #   to port 80 on the 192.168.0.60 machine
    #
    PORTFWIP="192.168.0.60"

    # Rewrite the destination of inbound port-80 packets before routing
    # (nat/PREROUTING); FORWARD then sees the rewritten address, so the
    # filter rules match on $PORTFWIP, not on $IPADDR.
    $IPTABLES -t nat -A PREROUTING -i $EXTERNAL_INTERFACE -p tcp --sport 1024:65535 \
        -d $IPADDR --dport 80 -j DNAT --to-destination $PORTFWIP
    # New connections from outside to the web server
    $IPTABLES -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE -p tcp \
        --sport 1024:65535 -d $PORTFWIP --dport 80 -m state --state NEW -j ACCEPT
    # Replies and related traffic in both directions
    $IPTABLES -A FORWARD -i $INTERNAL_INTERFACE -o $EXTERNAL_INTERFACE \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE \
        -m state --state ESTABLISHED,RELATED -j ACCEPT




_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
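As an added illustration (not code from either poster), the iptables equivalent of the ipmasqadm portfw rule above, written as a function, together with the two conditions that most often make a DNAT forward "go nowhere": ip_forward switched off, and the internal server's replies not routing back through the firewall. Interface names, the public address 203.0.113.5 and the server 192.168.0.60 are constructed values.

```shell
#!/bin/sh
# Added example: one TCP port forward with iptables DNAT, plus the checks a
# practitioner wants when the forward swallows packets. All addresses and
# interface names are constructed placeholders.

# Rules are printed unless DRY_RUN=0, so the logic can be reviewed without root.
DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi; }

# portfw EXT_IF INT_IF EXT_IP INT_IP PORT [snat]
portfw() {
    ext_if=$1; int_if=$2; ext_ip=$3; int_ip=$4; port=$5; mode=${6:-}
    # 1. Rewrite the destination before the routing decision. No --sport
    #    match: a client may legitimately connect from a port below 1024.
    run iptables -t nat -A PREROUTING -i "$ext_if" -p tcp -d "$ext_ip" \
        --dport "$port" -j DNAT --to-destination "$int_ip:$port"
    # 2. FORWARD sees the rewritten destination, so match on the internal IP.
    run iptables -A FORWARD -i "$ext_if" -o "$int_if" -p tcp -d "$int_ip" \
        --dport "$port" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # 3. Replies from the server back towards the client.
    run iptables -A FORWARD -i "$int_if" -o "$ext_if" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 4. Only when the server's default gateway is NOT this firewall: rewrite
    #    the source too, so replies come back here to be un-NATed. The server
    #    then logs the firewall's address instead of the real client.
    if [ "$mode" = "snat" ]; then
        run iptables -t nat -A POSTROUTING -o "$int_if" -p tcp -d "$int_ip" \
            --dport "$port" -j MASQUERADE
    fi
}

# forwarding_enabled: succeeds only if the kernel routes between interfaces.
# With ip_forward=0 every DNATed packet is dropped silently after PREROUTING.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Stand-alone use: DRY_RUN=0 ./portfw.sh (as root) applies the example rules.
forwarding_enabled || echo "# WARNING: ip_forward is 0; echo 1 > /proc/sys/net/ipv4/ip_forward"
portfw eth0 eth1 203.0.113.5 192.168.0.60 80
# Afterwards "iptables -t nat -L PREROUTING -n -v" shows whether the DNAT
# rule's packet counter moves; if it does but no reply ever arrives, the
# return path (server gateway, or the snat variant) is the thing to fix.
```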
