Hi,
I'm trying to set up port forwarding on my server using iptables.
(iptables v1.2.1a, kernel version 2.4.16-4GB, suse 7.2)
Unluckily it doesn't work. :-(
I want all connections arriving at the server on port 4047 to be forwarded
to 192.168.1.3:4047. Some connections will reach the server over eth0, some
will reach it over ppp0, but in general it should work for all packets arriving,
no matter what interface.
My current firewall script looks like:
--------------
#!/bin/sh
IPTABLES=/usr/sbin/iptables
# load all required modules
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
# reset everything
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t nat
$IPTABLES -F -t mangle
# adjust max packet size because of routing
$IPTABLES -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# masquerade all packets
$IPTABLES -t nat -A POSTROUTING -o "ppp+" -j MASQUERADE
# allow ssh connections from everywhere
$IPTABLES -A INPUT -p tcp --syn --destination-port 22 -j ACCEPT
# allow chat connections from everywhere
$IPTABLES -A INPUT -p tcp --syn --destination-port 6666 -j ACCEPT
$IPTABLES -A INPUT -p tcp --syn --destination-port 6667 -j ACCEPT
# allow ftp connections from everywhere
$IPTABLES -A INPUT -p tcp --syn --destination-port 20 -j ACCEPT
$IPTABLES -A INPUT -p tcp --syn --destination-port 21 -j ACCEPT
# allow smtp connections from everywhere
$IPTABLES -A INPUT -p tcp --syn --destination-port 25 -j ACCEPT
# allow pop3 connections from everywhere
$IPTABLES -A INPUT -p tcp --syn --destination-port 110 -j ACCEPT
# allow squid access from local network
$IPTABLES -A INPUT -p tcp --syn -s 192.168.0.0/16 --destination-port 3128 -j ACCEPT
# Kill malformed packets
# Block XMAS packets
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
# Block NULL packets
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
# allow samba access from local network
$IPTABLES -A INPUT -p tcp --syn -s 192.168.0.0/16 --destination-port 139 -j ACCEPT
# allow httpd connects from everywhere
$IPTABLES -A INPUT -p tcp --syn --destination-port 80 -j ACCEPT
# allow ssl-httpd connects from everywhere
$IPTABLES -A INPUT -p tcp --syn --destination-port 443 -j ACCEPT
# allow misc connections from everywhere (for active ftp for example..)
$IPTABLES -A INPUT -p tcp --syn --destination-port 10000:65535 -j ACCEPT
# port redirect for web-beamer
#$IPTABLES -A INPUT -p tcp --syn --destination-port 4047 -j ACCEPT
#$IPTABLES -A FORWARD -p tcp --dport 4047 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp --dport 4047 -j DNAT --to 192.168.1.3:4047
# allow access from localhost to everything
$IPTABLES -A INPUT -p tcp --syn -s 127.0.0.1 -j ACCEPT
$IPTABLES -A INPUT -p tcp --syn -s 192.168.0.1 -j ACCEPT
$IPTABLES -A INPUT -p tcp --syn -s 192.168.1.1 -j ACCEPT
$IPTABLES -A INPUT -p tcp --syn -s 192.168.2.1 -j ACCEPT
# block everything else
$IPTABLES -A INPUT -p tcp --syn -j DROP
# log access violations
#$IPTABLES -A INPUT -m limit --limit 5/minute -j LOG --log-level 7 --log-prefix "IPTABLES: "
--------------
The server has the IP 192.168.1.1.
The tricky part is the web-beamer one (on 192.168.1.3:4047).
Thanks a lot for any help,
Corin
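For the forward described in the post, here is an added example (not Corin's script and not from the list) of the pieces a DNAT setup usually needs besides the PREROUTING rule: the kernel forwarding switch, FORWARD rules that admit the rewritten flow, a `-d` match so only traffic addressed to the server itself is rewritten, and an SNAT for LAN clients that connect to the server's own address. The values 192.168.1.1 (server), 192.168.1.3:4047 (target) and 192.168.1.0/24 (LAN) are taken from the post; DRY_RUN and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Set DRY_RUN=1 to print the
# iptables commands instead of applying them; run as root with "apply" to
# install them. Assumed values: server 192.168.1.1, target 192.168.1.3:4047,
# LAN 192.168.1.0/24.
IPTABLES=${IPTABLES:-/usr/sbin/iptables}
PORT=4047
TARGET=192.168.1.3
SERVER=192.168.1.1
LAN=192.168.1.0/24

# Print the rules for the forward, one per line, without running them.
# 1. Match -d $SERVER so only packets sent to the server are rewritten, not
#    unrelated traffic to port 4047 that merely passes through the router.
# 2. FORWARD must accept the rewritten SYN and the flow back; a FORWARD chain
#    that drops by default breaks DNAT silently (policy ACCEPT hides this).
# 3. A LAN client connecting to the server's address would otherwise get the
#    SYN-ACK straight from $TARGET, a source it never talked to, and reset the
#    connection; SNAT on that path keeps both directions through the server.
dnat_rules() {
    cat <<EOF
$IPTABLES -t nat -A PREROUTING -p tcp -d $SERVER --dport $PORT -j DNAT --to-destination $TARGET:$PORT
$IPTABLES -A FORWARD -p tcp -d $TARGET --dport $PORT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s $TARGET --sport $PORT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -p tcp -s $LAN -d $TARGET --dport $PORT -j SNAT --to-source $SERVER
EOF
}

# DNAT only rewrites the packet; with ip_forward=0 the kernel still refuses to
# route it after PREROUTING. Returns 0 when forwarding is enabled.
ip_forward_enabled() {
    [ -r /proc/sys/net/ipv4/ip_forward ] &&
        [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "1" ]
}

# Apply the rules (or print them under DRY_RUN); stops at the first failure.
apply_rules() {
    if [ -n "$DRY_RUN" ]; then
        dnat_rules
        return 0
    fi
    ip_forward_enabled || echo 1 > /proc/sys/net/ipv4/ip_forward
    dnat_rules | while read -r cmd; do $cmd || exit 1; done
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

After applying, `iptables -t nat -L PREROUTING -n -v` and `iptables -L FORWARD -n -v` show per-rule packet counters, which tell you whether the SYN is being rewritten and whether it is then accepted for forwarding.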