Thanks for your help!
I used these rules:
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport $PORT \
    -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport $PORT -d $EXTIP \
    -j DNAT --to-destination $PORTFWIP
$IPTABLES -t nat -A POSTROUTING -o $INTIF -p tcp --dport $PORT -d $PORTFWIP \
    -j SNAT --to-source $INTIP
and they seem to work just fine from an external network. I can't see my
internal Web sites from a machine on my internal network, however. I have a
couple of rules that when used by themselves seem to work. They are as
follows:
$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp -s 192.168.2.0/24 -d $EXTIP \
    --dport 80 -j DNAT --to-destination $INTIP:80
$IPTABLES -t nat -A POSTROUTING -o $INTIF -p tcp -s 192.168.2.0/24 -d $INTIP \
    --dport 80 -j SNAT --to-source $GATEWAYIP
where EXTIP is the internet IP on the firewall, INTIP is the Web server IP,
and GATEWAYIP is the firewall's internal IP address.
I don't know if the problem is from the order that I am running the rules or
if my rules are wrong.
Thanks for all of your help. I greatly appreciate it!
Travis Crook
Visions Beyond
----- Original Message -----
From: "Omar Castaneda Acosta" <[EMAIL PROTECTED]>
To: "Travis Crook" <[EMAIL PROTECTED]>
Sent: Monday, May 20, 2002 3:59 PM
Subject: RE: port forwarding in iptables
Hello, I just had the same problem that you're experiencing; it took me
weeks to realize what I was doing wrong. (Maybe I'm wrong and this
solution doesn't apply to you.) If you're using a common script, and
the default gateway on the destination host you are forwarding a port to
is not the MASQ machine (the firewall), it won't work! What you need is
one of the following:
1. Change the default gateway on the destination host so it points to your
firewall.
2. Instead of the typical PORTFW commands:
PORTFWIP="192.168.0.10"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 80 \
    -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp -d $EXTIP --dport 80 \
    -j DNAT --to-destination $PORTFWIP:80
do this:
PORT=110
PORTFWIP="192.168.0.10"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport $PORT \
    -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport $PORT -d $EXTIP \
    -j DNAT --to-destination $PORTFWIP
$IPTABLES -t nat -A POSTROUTING -o $INTIF -p tcp --dport $PORT -d $PORTFWIP \
    -j SNAT --to-source $INTIP
Hope it works!
-- Omar
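Added example, not part of either message above and not from the firewall script Travis links to: a POSIX shell function that prints a complete rule set for the two situations the thread raises, a web server whose default gateway is not the firewall (Omar's point, handled by the SNAT rule) and clients on the LAN reaching the server through the firewall's public address (Travis's remaining problem, which also needs a PREROUTING rule matching on the LAN interface and a FORWARD rule for traffic that enters and leaves on that same interface). It uses one explicit name per address rather than the thread's variable names, and the interface names and addresses in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Prints (does not apply) the iptables
# rules for forwarding TCP $port from the firewall's public address to an
# internal web server. It covers two cases:
#   - the server's default gateway is not the firewall (its replies would
#     otherwise leave by another path and never be un-DNATed);
#   - clients on the LAN connect to the public address (hairpin NAT).
# Review the output, then apply it on the firewall with:  portfw_rules ... | sh
portfw_rules() {
    extif=$1   # internet-facing interface, e.g. eth0
    intif=$2   # LAN interface, e.g. eth1
    extip=$3   # public address on $extif
    lan=$4     # LAN prefix, e.g. 192.168.2.0/24
    gwip=$5    # the firewall's own address on $intif
    srvip=$6   # the web server's LAN address
    port=$7    # TCP port to forward
    cat <<EOF
# Without forwarding enabled, a DNATed packet is never handed to FORWARD.
sysctl -w net.ipv4.ip_forward=1
# External client -> $extip:$port : rewrite the destination on arrival.
iptables -t nat -A PREROUTING -i $extif -d $extip -p tcp --dport $port -j DNAT --to-destination $srvip:$port
iptables -A FORWARD -i $extif -o $intif -d $srvip -p tcp --dport $port -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# LAN client -> $extip:$port : the packet enters on $intif, so the rule above
# does not match it; DNAT it too, and allow it back out the same interface.
iptables -t nat -A PREROUTING -i $intif -s $lan -d $extip -p tcp --dport $port -j DNAT --to-destination $srvip:$port
iptables -A FORWARD -i $intif -o $intif -s $lan -d $srvip -p tcp --dport $port -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Force the server's replies back through this box: every forwarded packet
# leaving towards the server gets the firewall's LAN address as its source,
# so the server answers $gwip (on-link) whatever its default route says, and
# a LAN client never receives a reply straight from $srvip, which it would
# discard because it is talking to $extip.
iptables -t nat -A POSTROUTING -o $intif -d $srvip -p tcp --dport $port -j SNAT --to-source $gwip
# Reply packets for the connections accepted above.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Usage with placeholder values (203.0.113.10 is a documentation address):
# portfw_rules eth0 eth1 203.0.113.10 192.168.2.0/24 192.168.2.1 192.168.2.5 80
```

The SNAT rule is the one that makes the asymmetric-gateway case work, and it has a cost: the web server sees every forwarded connection as coming from the firewall's LAN address, so its access logs lose the real client IP. If you need those addresses, Omar's first option (make the firewall the server's default gateway) lets you drop the SNAT for external clients; the LAN hairpin case still needs it. To confirm packets are actually matching, watch the per-rule counters with `iptables -t nat -L PREROUTING -n -v` and `iptables -L FORWARD -n -v` while making a request.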
-----Original Message-----
From: Travis Crook [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 20, 2002 3:42 PM
To: [EMAIL PROTECTED]
Subject: port forwarding in iptables
Hello,
I hope I am not asking an already asked question but I can't seem to
find the answer in the archives.
I am trying to forward all port 80 traffic from my firewall to my
internal web server (192.168.2.5). My firewall script seems to be
working okay (it can be seen at
http://orbital.wiretapped.net/~technion/iptables). I have modified it
to fit my numbers, etc. My internal NIC is eth1 and my external NIC is
eth0. The internal web server that I am running has a connection to
the internet through the firewall, plus it has an external connection of
its own (2 NICs, one connected to the LAN, the other connected to the
internet - separate from the firewall connection). I have several Web
sites running on it. Most are talking through the external connection
but one is set up on the internal connection. I can't seem to get
connections established to the internal address on the Web server when I
make a request to it through the firewall. I can connect to it when I
type the IP address in from the internal network. I have tried using a
computer behind the firewall, the Web server itself, and a dial-up
connection from my house to access the internal Web site but I cannot
connect. The reason I am attempting to do this is because I am in
the process of switching access lines to the internet (from a shared T1
to a dedicated DSL). Any help would be greatly appreciated!
Travis Crook
Visions Beyond