Subject: iptables and port mapping
From: Mcminn, Matt 8869 @ 2003-03-10 6:05 UTC (permalink / raw)
To: netfilter
I'm trying to get port mapping working on a Debian box I
just set up - I'm pretty new to iptables, but I managed to
get everything working except for port mapping with the
netfilter howtos.
What I want to do is map port 80 on the external interface
(eth0) to port 80 on my internal (eth1) 192.168.0.2 ip
address. So what I thought would do this is:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.0.2
iptables -I INPUT -d 192.168.0.0/32 -j ACCEPT
If I understand that correctly, when the new packet comes
in on port 80, first the dest address should be changed to
192.168.0.2 by the first rule, then it should hit the INPUT
chain, and hit the second rule, which would accept it and
send it on to be routed to my local machine. And this
doesn't work.
Any ideas? Here's my iptables -vL (before running the
previous rules):
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in    out source   destination
18137   16M block  all  --  any   any anywhere anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in    out source   destination
10303 5774K block  all  --  any   any anywhere anywhere

Chain OUTPUT (policy ACCEPT 11785 packets, 990K bytes)
 pkts bytes target prot opt in    out source   destination

Chain block (2 references)
 pkts bytes target prot opt in    out source   destination
26723   21M ACCEPT all  --  any   any anywhere anywhere state RELATED,ESTABLISHED
 1375  291K ACCEPT all  --  !eth0 any anywhere anywhere state NEW
  342  114K DROP   all  --  any   any anywhere anywhere
and iptables -vL -t nat:
Chain PREROUTING (policy ACCEPT 798 packets, 142K bytes)
 pkts bytes target     prot opt in  out  source   destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in  out  source   destination
  435 21613 MASQUERADE all  --  any eth0 anywhere anywhere

Chain OUTPUT (policy ACCEPT 37 packets, 2379 bytes)
 pkts bytes target     prot opt in  out  source   destination
Thanks
Matt
Subject: Re: iptables and port mapping
From: Joel Newkirk @ 2003-03-10 7:57 UTC (permalink / raw)
To: Mcminn, Matt 8869, netfilter
On Monday 10 March 2003 01:05 am, Mcminn, Matt 8869 wrote:
> What I want to do is map port 80 on the external interface
> (eth0) to port 80 on my internal (eth1) 192.168.0.2 ip
> address. So what I thought would do this is:
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.0.2
> iptables -I INPUT -d 192.168.0.0/32 -j ACCEPT
First part is right, second is wrong. Once you DNAT it, it is no longer
destined for the machine running iptables, so it goes to FORWARD chain,
not INPUT chain. (also you have problems with that rule's construction:
using "-I" you should specify a rule number to insert before, like "-I
INPUT 4" to make it the 4th rule, plus your /32 mask will only match
that single IP...) Just change your second rule to:
iptables -A FORWARD -d 192.168.0.2 -p tcp --dport 80 -j ACCEPT
and the request will reach the local server. Getting the reply traffic
back out is a separate issue in FORWARD. If you don't already have
outbound traffic ACCEPTed, you'd need something like one of these:
iptables -A FORWARD -s 192.168.0.2 -p tcp --sport 80 -j ACCEPT
or
iptables -A FORWARD -s 192.168.0.2 -m state --state \
ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -d 192.168.0.2 -m state --state \
ESTABLISHED,RELATED -j ACCEPT
The second pair (using the state match) is preferable, since they will
also allow ICMP traffic related to the HTTP connection. If you already
have connectivity from the local machines through this box to the
internet then you probably don't need anything for outbound replies.
Also, the state pair is subsumed in the more general rule:
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
which is commonly used to allow those two states to pass the FORWARD
chain in any direction.
j
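A rule set that follows Joel's answer, added here as an example and not taken from either message in the thread. It uses the names from Matt's description (eth0 outside, eth1 inside, server 192.168.0.2, TCP port 80) and assumes, as Matt's POSTROUTING chain shows, that LAN traffic is already masqueraded out of eth0. The IPT and SYSCTL variables and the function names are this example's own. One deliberate difference from the reply: the FORWARD rules are inserted at the head of the chain rather than appended, because Matt's FORWARD chain consists of a jump to his "block" chain, whose last rule DROPs everything, so a rule appended after that jump would never be reached.

```shell
#!/bin/sh
# Added example, not code from the thread. Forward TCP/80 arriving on the
# external interface to an internal web server the way Joel's reply lays
# out: DNAT in nat/PREROUTING, then ACCEPT in FORWARD (not INPUT), plus the
# general ESTABLISHED,RELATED rule for the return path.
#
# Assumptions (from Matt's description): WAN is eth0, LAN is eth1, the server
# is 192.168.0.2, and the box already MASQUERADEs LAN traffic out of eth0.
# IPT and SYSCTL are this example's own knobs: set IPT=echo SYSCTL=echo to
# print the commands instead of applying them.
IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"

# port_forward_rules WAN LAN HOST PORT
port_forward_rules() {
    wan="$1"; lan="$2"; host="$3"; port="$4"

    # Routing must be on, or the DNATed packet is discarded right after the
    # routing decision, before the FORWARD chain is consulted at all.
    "$SYSCTL" -w net.ipv4.ip_forward=1

    # 1. Rewrite the destination before routing. From here on the packet is
    #    not addressed to the firewall itself, so it traverses FORWARD,
    #    never INPUT (which is why the INPUT rule in the original post
    #    never matched).
    "$IPT" -t nat -A PREROUTING -i "$wan" -p tcp --dport "$port" \
        -j DNAT --to-destination "$host:$port"

    # 2. Accept the new, already-rewritten connection. Inserted at the head
    #    of FORWARD rather than appended: Matt's FORWARD chain jumps to a
    #    'block' chain whose last rule DROPs everything, so an appended rule
    #    would sit behind that jump and never match. Pinning -i/-o means a
    #    packet from the LAN side carrying the server's address cannot match.
    "$IPT" -I FORWARD 1 -i "$wan" -o "$lan" -d "$host" -p tcp --dport "$port" \
        -m state --state NEW -j ACCEPT

    # 3. Replies and related ICMP in either direction (the general rule at
    #    the end of Joel's reply). Inserted at position 1 so it ends up above
    #    rule 2. On current kernels '-m conntrack --ctstate' is the same match.
    "$IPT" -I FORWARD 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Counters to check after a test request from outside: the PREROUTING DNAT
# rule and the FORWARD NEW rule should both increment. If only the DNAT
# counter moves, the packet is being dropped between the routing decision
# and FORWARD (first thing to check: net.ipv4.ip_forward).
show_counters() {
    "$IPT" -t nat -vnL PREROUTING
    "$IPT" -vnL FORWARD
}

case "${1:-}" in
    apply) port_forward_rules eth0 eth1 192.168.0.2 80 ;;
    show)  show_counters ;;
esac
```

Run as root with `sh portfwd.sh apply`, then `sh portfwd.sh show` after a request from the outside; `IPT=echo SYSCTL=echo sh portfwd.sh apply` prints the four commands without touching the kernel, which is a convenient way to review the rule order before applying it.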