From: Joel Newkirk <netfilter@newkirk.us>
To: "Mcminn, Matt 8869" <melfinadev@chartermi.net>,
netfilter@lists.netfilter.org
Subject: Re: iptables and port mapping
Date: Mon, 10 Mar 2003 02:57:44 -0500 [thread overview]
Message-ID: <200303100257.44740.netfilter@newkirk.us> (raw)
In-Reply-To: <web-117748330@back2.chartermi.net>
On Monday 10 March 2003 01:05 am, Mcminn, Matt 8869 wrote:
> What I want to do is map port 80 on the external interface
> (eth0) to port 80 on my internal (eth1) 192.168.0.2 ip
> address. So what I thought would do this is:
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j
> DNAT --to 192.168.0.2
> iptables -I INPUT -d 192.168.0.0/32 -j ACCEPT
First part is right, second is wrong. Once you DNAT it, it is no longer
destined for the machine running iptables, so it goes to FORWARD chain,
not INPUT chain. (also you have problems with that rule's construction:
using "-I" you should specify a rule number to insert before, like "-I
INPUT 4" to make it the 4th rule, plus your /32 mask will only match
that single IP...) Just change your second rule to:
iptables -A FORWARD -d 192.168.0.2 -p tcp --dport 80 -j ACCEPT
and the request will reach the local server. Getting the reply traffic
back out is a separate issue in FORWARD. If you don't already have
outbound traffic ACCEPTed, you'd need something like one of these:
iptables -A FORWARD -s 192.168.0.2 -p tcp --sport 80 -j ACCEPT
or
iptables -A FORWARD -s 192.168.0.2 -m state --state \
ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -d 192.168.0.2 -m state --state \
ESTABLISHED,RELATED -j ACCEPT
The second pair (using the state match) is preferable, since they will
also allow ICMP traffic related to the HTTP connection. If you already
have connectivity from the local machines through this box to the
internet then you probably don't need anything for outbound replies.
Also, the state pair is subsumed in the more general rule:
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
which is commonly used to allow those two states to pass the FORWARD
chain in any direction.
j
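Putting the corrected rule set together, as an added shell example that is not from the original message: the function only prints the iptables commands for review, so the DNAT rule and its FORWARD companions can be checked before anything is applied as root. The interface names, host and port are parameters supplied by the caller.

```shell
#!/bin/sh
# Added example: emit the complete port-mapping rule set discussed above.
# Usage: portfwd_rules EXT_IF INT_IF INT_HOST PORT
# Nothing is applied here; pipe the output to sh as root once reviewed.
portfwd_rules() {
    ext_if=$1; int_if=$2; host=$3; port=$4
    # 1. Rewrite the destination in nat/PREROUTING. After this the packet is
    #    no longer addressed to the firewall itself, so it traverses the
    #    FORWARD chain, never INPUT.
    echo "iptables -t nat -A PREROUTING -i $ext_if -p tcp --dport $port -j DNAT --to-destination $host:$port"
    # 2. Let the first packet of each new connection through to the server.
    #    Pinning both interfaces keeps the rule from matching other paths,
    #    and -A appends, so this must come before any final FORWARD DROP.
    echo "iptables -A FORWARD -i $ext_if -o $int_if -d $host -p tcp --dport $port -m state --state NEW -j ACCEPT"
    # 3. Replies and related traffic (e.g. ICMP errors for the HTTP
    #    connection) in either direction, as in the general rule above.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Number of rules the generator emits (used for a quick sanity check).
portfwd_rule_count() {
    portfwd_rules "$@" | grep -c ''
}

# Returns 0 if the rule set never touches the INPUT chain, 1 otherwise.
# A DNAT'd connection should only be accepted in FORWARD.
portfwd_no_input_rules() {
    if portfwd_rules "$@" | grep -q ' INPUT '; then
        return 1
    fi
    return 0
}

# Stand-alone run: show the rules for the setup in the thread.
portfwd_rules eth0 eth1 192.168.0.2 80
```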