[Cialug] iptables restart?

Zachary Kotlarek zach at kotlarek.com
Wed Dec 14 16:29:55 CST 2011


On Dec 14, 2011, at 1:20 PM, L. V. Lammert wrote:

> TFTR! The rule:
> 
> $IPTABLES -A FORWARD -p TCP -i $EXTIF -d $MSTS1 --dport 80 -o $INTIF -j ACCEPT
> 
> *Appears* to be interpreted correctly:
> 
> ACCEPT  tcp opt -- in eth1 out eth0  0.0.0.0/0  -> 10.0.0.100  tcp dpt:80
> 
> BUT there is no port open in netstat and the port forward dnw. Is there
> anything simple I'm missing? I don't use iptables a lot, ..
First, forwarded ports do not show up in netstat as there is no process bound to the port. All iptables processing happens in the kernel.

Second, that rule isn't port forwarding. It accepts traffic that appears on the eth0 interface and is headed for another host at 10.0.0.100:80; it does nothing to change the destination of the packets it matches. If you're using the port forwarding box as a firewall you might *also* need that rule, but it's not the bit that does port forwarding.

You need a DNAT rule in the PREROUTING chain of the NAT table. Probably something like:
		iptables --table nat \
		--append PREROUTING \
		--in-interface $EXTIF \
		--protocol tcp --destination-port http \
		--jump DNAT --to $MSTS1

That rule forwards all traffic that appears on the $EXTIF network interface, with protocol TCP and port 80, to the same protocol and port on the host at IP address $MSTS1. It also automatically undoes that network translation for related outbound packets, so long as they pass through the same router.

The --to argument also accepts a port number. For example, if your internal host listened on port 8080 you'd use this:
	--to $MSTS1:8080

There are a bunch of other options you can specify if you need a more specific match, but typically the above rule is sufficient.

	Zach
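An added example, not from Zach's reply or the original poster, that puts the two pieces together: the DNAT rule in nat/PREROUTING that actually rewrites the destination, plus the FORWARD accept (matched on the post-DNAT port) and ip_forward, which the FORWARD rule alone does not give you. Interface names, the internal address and the ports are assumed placeholders; by default the script only prints the commands, set APPLY=1 to run them as root.

```shell
#!/bin/sh
# Added example (not the thread's own code): the minimal rule set that forwards
# an external TCP port to an internal host. Prints the commands unless APPLY=1.

run() {
    # Dry-run by default so the rule set can be reviewed before touching the box.
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# port_forward EXTIF INTIF INTERNAL_IP EXT_PORT [INT_PORT]
port_forward() {
    extif=$1; intif=$2; dst=$3; dport=$4; toport=${5:-$4}

    # The kernel must be willing to route between interfaces at all.
    run sysctl -w net.ipv4.ip_forward=1

    # Rewrite the destination of inbound TCP/$dport on $extif to $dst:$toport.
    # conntrack reverses the translation for the reply packets automatically,
    # as long as they come back through this same router.
    run iptables -t nat -A PREROUTING -i "$extif" -p tcp --dport "$dport" \
        -j DNAT --to-destination "$dst:$toport"

    # FORWARD sees the packet after DNAT, so match the internal port here.
    # This is the part the original poster already had; on its own it only
    # permits traffic that was already addressed to the internal host.
    run iptables -A FORWARD -i "$extif" -o "$intif" -p tcp -d "$dst" --dport "$toport" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$intif" -o "$extif" -p tcp -s "$dst" --sport "$toport" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Constructed values: public port 80 on eth1 -> 10.0.0.100:8080 behind eth0
port_forward eth1 eth0 10.0.0.100 80 8080
```

Compare the printed rules against `iptables -t nat -L PREROUTING -n` and `iptables -L FORWARD -n` after applying; netstat will still show nothing, since no local process ever binds the port.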
