I've been Googling about port forwarding with iptables, and even though there are results and I've applied them in my script, I can't make iptables forward requests to another machine, so I decided to ask for help.
eth0 is my Internet interface (1.2.3.4 is the public IP), eth1 is my LAN interface, and eth2 is my DMZ interface. My Apache test server is 10.0.1.150. I have squid running, so all my LAN traffic will be redirected to port 8080 on interface eth1. I block all ports for my LAN except http.

Below is my script:

#!/bin/sh
# Not part of the quoted script; assumed to be set earlier in the full file
iptables=${iptables:-/sbin/iptables}

$iptables -F INPUT
$iptables -F OUTPUT
$iptables -P INPUT DROP
$iptables -P OUTPUT ACCEPT
$iptables -F FORWARD
$iptables -F -t nat
$iptables -P FORWARD DROP
$iptables -A FORWARD -i eth1 -j ACCEPT
$iptables -A INPUT -i eth1 -j ACCEPT
$iptables -A OUTPUT -o eth1 -j ACCEPT
$iptables -A FORWARD -i eth2 -j ACCEPT
$iptables -A INPUT -i eth2 -j ACCEPT
$iptables -A OUTPUT -o eth2 -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -t nat -A POSTROUTING -s 0.0.0.0/0 -o eth0 -j SNAT --to-source 1.2.3.4
$iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -o eth2 -j MASQUERADE
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT
$iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -I FORWARD -i eth1 -p tcp -m multiport --dport 0:79 -j REJECT
$iptables -I FORWARD -i eth1 -p tcp -m multiport --dport 81:65535 -j REJECT
$iptables -I FORWARD -i eth1 -o eth2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -p icmp -m state --state NEW -j ACCEPT
$iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -i eth0 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080
$iptables -A INPUT -p tcp -i eth0 --dport 3500 -j ACCEPT
$iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
$iptables -I FORWARD -i eth0 -p tcp -m state --state NEW -d 10.0.1.150 --dport 80 -j ACCEPT
$iptables -t nat -I PREROUTING -i eth0 -p tcp -d 1.2.3.4 --dport 80 -j DNAT --to-destination 10.0.1.150:80
$iptables -A INPUT -i eth0 -p tcp -m limit --limit 1/s --dport 0:65535 -j LOG --log-prefix "tcp connection: "
$iptables -A INPUT -i eth0 -p udp -m limit --limit 1/s --dport 0:65535 -j LOG --log-prefix "udp connection: "
$iptables -A INPUT -i eth0 -p tcp --dport 0:65535 -j DROP
$iptables -A INPUT -i eth0 -p udp --dport 0:65535 -j DROP

The relevant lines here, as far as I know, are:

$iptables -I FORWARD -i eth0 -p tcp -m state --state NEW -d 10.0.1.150 --dport 80 -j ACCEPT
$iptables -t nat -I PREROUTING -i eth0 -p tcp -d 1.2.3.4 --dport 80 -j DNAT --to-destination 10.0.1.150:80

I can telnet to port 80 of 10.0.1.150 on the server. I can even view the test page using links on the server. Can anyone tell me what my mistake is here? Linux newbie in iptables.
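Added example (Python; not the poster's script and not from the list): before changing rules, it helps to work out the effective FORWARD order that the mix of -A and -I above produces and trace the inbound and reply packets through it. It assumes the Apache host is reached via eth1 (the 10.0.1.0/24 MASQUERADE rule suggests that is the LAN); the constructed client address and port are placeholders.

```python
"""Trace the FORWARD chain the post's script builds (added illustration,
not the poster's script). Models how iptables orders a chain (-A appends,
-I inserts at position 1) and takes the first matching rule. Assumption:
10.0.1.150 is reached via eth1; if it sits on eth2 the trace differs.
"""

def rule(target, iif=None, oif=None, proto=None, state=None, dst=None, dport=None):
    # A rule is (match criteria, target); None means "any"
    return ({"iif": iif, "oif": oif, "proto": proto, "state": state,
             "dst": dst, "dport": dport}, target)

def build_forward_chain():
    chain = []
    # -A rules land at the bottom in script order ...
    chain.append(rule("ACCEPT", iif="eth1"))
    chain.append(rule("ACCEPT", iif="eth2"))
    chain.append(rule("ACCEPT", state={"ESTABLISHED", "RELATED"}))
    # ... while each -I goes to the top, above every earlier insert
    chain.insert(0, rule("REJECT", iif="eth1", proto="tcp", dport=(0, 79)))
    chain.insert(0, rule("REJECT", iif="eth1", proto="tcp", dport=(81, 65535)))
    chain.insert(0, rule("ACCEPT", iif="eth1", oif="eth2",
                         state={"NEW", "ESTABLISHED", "RELATED"}))
    chain.insert(0, rule("ACCEPT", iif="eth0", proto="tcp", state={"NEW"},
                         dst="10.0.1.150", dport=(80, 80)))
    return chain

def matches(m, pkt):
    for key in ("iif", "oif", "proto", "dst"):
        if m[key] is not None and m[key] != pkt[key]:
            return False
    if m["state"] is not None and pkt["state"] not in m["state"]:
        return False
    return m["dport"] is None or m["dport"][0] <= pkt["dport"] <= m["dport"][1]

def trace(chain, pkt, policy="DROP"):
    """Return (1-based index, target) of the first matching rule, else (None, policy)."""
    for i, (m, target) in enumerate(chain, 1):
        if matches(m, pkt):
            return i, target
    return None, policy

# Constructed packets as FORWARD sees them (after PREROUTING DNAT / conntrack)
INBOUND = {"iif": "eth0", "oif": "eth1", "proto": "tcp", "state": "NEW",
           "dst": "10.0.1.150", "dport": 80}
REPLY = {"iif": "eth1", "oif": "eth0", "proto": "tcp", "state": "ESTABLISHED",
         "dst": "203.0.113.7", "dport": 51234}  # placeholder client, ephemeral port

if __name__ == "__main__":
    for name, pkt in (("inbound SYN", INBOUND), ("server reply", REPLY)):
        print(name, "->", trace(build_forward_chain(), pkt))
```

Under the eth1 assumption the reply is caught by the 81:65535 REJECT before the ESTABLISHED,RELATED rule is reached; rerunning the trace with the reply entering on eth2 shows the DMZ path accepting it.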
