Iptables port forwarding

[Eugene Joubert]

Title: Iptables port forwarding

Hi,

I am still new to iptables and have a problem doing port forwarding from external to internal.
My scenario is as follows:

I want to port forward any traffic on port 80 and 25 to their respective servers behind the firewall.

I used this:
Ps I have omitted my Ip addresses for obvious reasons,
Hope you can help

#!/bin/sh

#/usr/sbin/firewall.sh

###Flushing###
iptables -F
iptables -t nat -F
iptables -X
iptables -Z

###Default policies###
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

###Loading Iptables###
/sbin/modprobe ip_tables
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp

###not to sure what this does###
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###Enable NAT/MASQUERADING and IPforwarding###
iptables -t nat -A POSTROUTING -s intip -j MASQUERADE
echo "1" > /proc/sys/net/ipv4/ip_forward

###Disable response to ping###working
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

###Tranparent proxy###
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 80 -j REDIRECT --to-port 3128

###Disable ICMP redirect acceptance###
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

###Disable response to broadcasts###
echo "1" /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

###Don't accept source routed packets###
echo "0" /proc/sys/net/ipv4/conf/all/accept_source_route

###Enable bad error message protection###
echo "1" /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

###Log spoofed packets, source routed packets, redirect packets###
echo "1" /proc/sys/net/ipv4/conf/all/log_martians

###INPUT Policies###
iptables -A INPUT -p tcp -i eth0 -s 0/0 --dport 79 -j DROP
iptables -A INPUT -p udp -i eth0 -s 0/0 --dport 79 -j DROP
iptables -A INPUT -p tcp -i eth0 -s 0/0 --dport 23 -j DROP
iptables -A INPUT -p udp -i eth0 -s 0/0 --dport 23 -j DROP
iptables -A INPUT -p tcp -i eth0 -s 0/0 --dport 22 -j DROP
iptables -A INPUT -p udp -i eth0 -s 0/0 --dport 22 -j DROP
iptables -A INPUT -p tcp -i eth0 -s 0/0 --dport 21 -j DROP
iptables -A INPUT -p udp -i eth0 -s 0/0 --dport 21 -j DROP
iptables -A INPUT -p tcp -i eth0 -s 0/0 --dport 20 -j DROP

###Block e-mail password sender###
iptables -A OUTPUT -p udp -o eth0 -s 0/0 --dport 25 -j DROP
iptables -A INPUT -p udp -i eth0 -s 0/0 --dport 25 -j DROP

###Deny spoofed IPs###
iptables -A INPUT -i etho -s intip -j DROP

###Port Forwarding###
iptables -t nat -A PREROUTING -p tcp -d extip --dport 25 -j DNAT --to intip:port
iptables -A FORWARD -i eth0 -p tcp -d intip --dport 25 -j ACCEPT

###Allow all connections on the loopback device###
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT