* Port forwarding question
From: Dimitri Yioulos @ 2006-09-21 19:55 UTC (permalink / raw)
To: netfilter
Hi, folks.
Noob, question:
I want to allow a vendor to access a piece of equipment on our LAN
(192.168.100.46) through port 4000 from outside via a server in our
DMZ (www.xxx.yyy.zzz). While I should know how to do this, I'm not
100% sure. Can someone help?
Oh, and separately, how would I allow that access only through the
vendor's ip address, if that were the way I decided to go?
Thanks.
Dimitri
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
* Re: Port forwarding question
From: Martijn Lievaart @ 2006-09-21 20:23 UTC (permalink / raw)
To: Dimitri Yioulos; +Cc: netfilter
Dimitri Yioulos wrote:
>Hi, folks.
>
>Noob, question:
>
>I want to allow a vendor to access a piece of equipment on our LAN
>(192.168.100.46) through port 4000 from outside via a server in our
>DMZ (www.xxx.yyy.zzz). While I should know how to do this, I'm not
>100% sure. Can someone help?
>
>
In PREROUTING do a DNAT rule, in FORWARD allow traffic to 192.168.100.46.
>Oh, and separately, how would I allow that access only through the
>vendor's ip address, if that were the way I decided to go?
>
>
Add -s $VENDOR_IP to both rules.
HTH,
M4
* Re: Port forwarding question
From: Mr Ritter @ 2006-09-21 20:25 UTC (permalink / raw)
To: Dimitri Yioulos, netfilter
Greetings,
Dimitri Yioulos wrote:
> Noob, question:
>
> I want to allow a vendor to access a piece of equipment on our LAN
> (192.168.100.46) through port 4000 from outside via a server in our
> DMZ (www.xxx.yyy.zzz). While I should know how to do this, I'm not
> 100% sure. Can someone help?
DNAT.
for example:
iptables -t nat -A PREROUTING -d www.xxx.yyy.zzz -i eth1 -p tcp --dport 4000 -j DNAT --to 192.168.100.46
iptables -t filter -A INETIN -d 192.168.100.46 -p tcp --dport 4000 -j ACCEPT
> Oh, and separately, how would I allow that access only through the
> vendor's ip address, if that were the way I decided to go?
for example:
iptables -t nat -A PREROUTING -s 1.2.3.4 -d www.xxx.yyy.zzz -i eth1 -p tcp --dport 4000 -j DNAT --to 192.168.100.46
Regards,
--
Ritter
* Re: Port forwarding question
From: Mr. Ritter @ 2006-09-21 20:32 UTC (permalink / raw)
To: netfilter
Mr Ritter wrote:
> iptables -t filter -A INETIN -d 192.168.100.46 -p tcp --dport 4000 -j
> ACCEPT
Doh! INETIN is one of my tables, meant to say:
iptables -t filter -A FORWARD -d 192.168.100.46 -p tcp --dport 4000 -j ACCEPT
* Re: Port forwarding question
From: Dimitri Yioulos @ 2006-09-21 20:53 UTC (permalink / raw)
To: netfilter
On Thursday September 21 2006 4:25 pm, you wrote:
> Greetings,
>
> Dimitri Yioulos wrote:
> > Noob, question:
> >
> > I want to allow a vendor to access a piece of equipment on our
> > LAN (192.168.100.46) through port 4000 from outside via a server
> > in our DMZ (www.xxx.yyy.zzz). While I should know how to do
> > this, I'm not 100% sure. Can someone help?
>
> DNAT.
>
> for example:
> iptables -t nat -A PREROUTING -d www.xxx.yyy.zzz -i eth1 -p tcp
> --dport 4000 -j
> DNAT --to 192.168.100.46
eth1 being the DMZ iface?
> iptables -t filter -A INETIN -d 192.168.100.46 -p tcp --dport 4000
> -j ACCEPT
>
> > Oh, and separately, how would I allow that access only through
> > the vendor's ip address, if that were the way I decided to go?
>
> for example:
> iptables -t nat -A PREROUTING -s 1.2.3.4 -d www.xxx.yyy.zzz -i eth1
> -p tcp --dport 4000 -j DNAT --to 192.168.100.46
>
>
> Regards,
>
> --
> Ritter
* Re: Port forwarding question
From: Martijn Lievaart @ 2006-09-21 21:14 UTC (permalink / raw)
To: Dimitri Yioulos; +Cc: netfilter
Dimitri Yioulos wrote:
>On Thursday September 21 2006 4:25 pm, you wrote:
>
>
>>Greetings,
>>
>>Dimitri Yioulos wrote:
>>
>>
>>>Noob, question:
>>>
>>>I want to allow a vendor to access a piece of equipment on our
>>>LAN (192.168.100.46) through port 4000 from outside via a server
>>>in our DMZ (www.xxx.yyy.zzz). While I should know how to do
>>>this, I'm not 100% sure. Can someone help?
>>>
>>>
>>DNAT.
>>
>>for example:
>>iptables -t nat -A PREROUTING -d www.xxx.yyy.zzz -i eth1 -p tcp
>>--dport 4000 -j
>>DNAT --to 192.168.100.46
>>
>>
>
>eth1 being the DMZ iface?
>
>
No, your Internet interface.
This rule says: if destination is www.xxx.yyy.zzz and it comes in
through eth1 and it's tcp and it's on port 4000, then DNAT to the
internal server. Obviously, if the packet comes from the vendor, it must
come from the Internet, so the interface in -i must be your Internet
interface.
You could leave this out, but that opens up all kinds of nastiness if you
access this port on www.xxx.yyy.zzz from your DMZ (the return packets
will go straight to your client in the DMZ, will not go through your
firewall so will not be de-DNATted. Your client will get confused as it
gets packets from somewhere it's not expecting them. In short, it will
not work). You could replace that -i with "! -i $DMZ_IF", meaning if it
comes in from any interface but the DMZ interface. Then you can access
it from any interface (read your internal interface) other than your DMZ
interface.
HTH,
M4
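As an added example (not code from the thread) of the setup Ritter and Martijn describe, including the vendor source restriction from the second question: a small POSIX sh script that validates the addresses before they reach the iptables command line and emits the DNAT and FORWARD rules. eth1 as the Internet interface, 203.0.113.10 standing in for www.xxx.yyy.zzz and 1.2.3.4 as the vendor are assumed values; the rules are printed rather than applied unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not code from the thread): PREROUTING DNAT + FORWARD ACCEPT
# for one vendor address, matched on the Internet-facing interface only.
# Assumed names: eth1 = Internet interface, 203.0.113.10 = public DMZ address
# (www.xxx.yyy.zzz in the question), 1.2.3.4 = vendor.
# Rules are only printed unless APPLY=1 is set in the environment.
IPT="echo iptables"
[ "${APPLY:-0}" = "1" ] && IPT="iptables"

# Return 0 if $1 is a dotted-quad IPv4 address with each octet in 0..255,
# so a malformed or hostile value never reaches the iptables command line.
is_ipv4() {
    addr=$1
    case "$addr" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Args: vendor_ip public_ip lan_ip port inet_if
vendor_forward() {
    vendor=$1; pub=$2; lan=$3; port=$4; inet_if=$5
    is_ipv4 "$vendor" || { echo "bad vendor address: $vendor" >&2; return 1; }
    is_ipv4 "$pub"    || { echo "bad public address: $pub" >&2; return 1; }
    is_ipv4 "$lan"    || { echo "bad LAN address: $lan" >&2; return 1; }
    # 1. Rewrite the destination, but only for packets arriving on the
    #    Internet interface from the vendor (without -i, DMZ clients that use
    #    the public address get replies that bypass the de-DNAT step).
    $IPT -t nat -A PREROUTING -i "$inet_if" -s "$vendor" -d "$pub" \
        -p tcp --dport "$port" -j DNAT --to-destination "$lan"
    # 2. Let the rewritten packet through FORWARD, again only from the vendor.
    $IPT -A FORWARD -i "$inet_if" -s "$vendor" -d "$lan" \
        -p tcp --dport "$port" -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    # 3. Replies from the LAN device back towards the vendor.
    $IPT -A FORWARD -s "$lan" -d "$vendor" -p tcp --sport "$port" \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

# Constructed invocation; prints the three rules when APPLY is unset.
vendor_forward 1.2.3.4 203.0.113.10 192.168.100.46 4000 eth1
```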
* Re: Port forwarding question
From: Dimitri Yioulos @ 2006-09-21 21:23 UTC (permalink / raw)
To: netfilter
On Thursday September 21 2006 5:14 pm, you wrote:
> Dimitri Yioulos wrote:
> >On Thursday September 21 2006 4:25 pm, you wrote:
> >>Greetings,
> >>
> >>Dimitri Yioulos wrote:
> >>>Noob, question:
> >>>
> >>>I want to allow a vendor to access a piece of equipment on our
> >>>LAN (192.168.100.46) through port 4000 from outside via a server
> >>>in our DMZ (www.xxx.yyy.zzz). While I should know how to do
> >>>this, I'm not 100% sure. Can someone help?
> >>
> >>DNAT.
> >>
> >>for example:
> >>iptables -t nat -A PREROUTING -d www.xxx.yyy.zzz -i eth1 -p tcp
> >>--dport 4000 -j
> >>DNAT --to 192.168.100.46
> >
> >eth1 being the DMZ iface?
>
> No, your Internet interface.
>
> This rule says: if destination is www.xxx.yyy.zzz and it comes in
> through eth1 and it's tcp and it's on port 4000, then DNAT to the
> internal server. Obviously, if the packet comes from the vendor, it
> must come from the Internet, so the interface in -i must be your
> Internet interface.
>
> You could leave this out, but that opens up all kinds of nastiness
> if you access this port on www.xxx.yyy.zzz from your DMZ (the
> return packets will go straight to your client in the DMZ, will not
> go through your firewall so will not be de-DNATted. Your client will
> get confused as it gets packets from somewhere it's not expecting
> them. In short, it will not work). You could replace that -i with
> "! -i $DMZ_IF", meaning if it comes in from any interface but the
> DMZ interface. Then you can access it from any interface (read your
> internal interface) other than your DMZ interface.
>
> HTH,
> M4
Stupid me. Of course it's the inet interface. And, I appreciate the
explanation.
Many, many thanks to all for your help!
Dimitri
* Port forwarding question
From: David @ 2007-04-30 17:37 UTC (permalink / raw)
To: netfilter
Hi all - first post, should be a simple question but google and the docs are not
helping
I want to forward port 10000 from internal hosts to the internet and it works with:
iptables -t nat -A PREROUTING -p tcp --dport 10000 -i ppp0 -j DNAT --to 192.168.0.2
for the host with ip 192.168.0.2, but how do I forward it for a range of hosts,
i.e. 192.168.0.2-192.168.0.254
I try
iptables -t nat -A PREROUTING -p tcp --dport 10000 -i ppp0 -j DNAT --to 192.168.0.2-192.168.0.254
but it does not work for any other hosts
iptables -L -v -t nat
gives the range, but does not actually forward the port in any apps
tcp dpt:10000 to:192.168.0.2-192.168.0.254
How do I forward the range of ports?
TIA,
David
==============================================
Running gentoo 2.16.18.4, iptables 1.3.5
* Re: Port forwarding question
From: Elvir Kuric @ 2007-05-02 12:00 UTC (permalink / raw)
To: David; +Cc: netfilter
Hi all,
maybe you can try this
iptables -t nat -A PREROUTING -p tcp --dport 10000 -i ppp0 -m iprange --dst-range 192.168.0.2-192.168.0.254 -j DNAT --to-destination 192.168.0.2-192.168.0.254
or check
http://iptables-tutorial.frozentux.net/iptables-tutorial.html#IPRANGEMATCH
Regards
Elvir Kuric
On 4/30/07, David <shadoweyez@gmail.com> wrote:
> Hi all - first post, should be a simple question but google and the docs are not
> helping
>
> I want to forward port 10000 from internal hosts to the internet and it works with:
>
> iptables -t nat -A PREROUTING -p tcp --dport 10000 -i ppp0 -j DNAT --to 192.168.0.2
>
> for the host with ip 192.168.0.2, but how do I forward it for a range of hosts,
> ie 192.168.0.2-192.168.0.254
>
> I try
>
> iptables -t nat -A PREROUTING -p tcp --dport 10000 -i ppp0 -j DNAT --to
> 192.168.0.2-192.168.0.254
>
> but it does not work for any other hosts
>
> iptables -L -v -t nat
> gives the range, but does not actually forward the port in any apps
> tcp dpt:10000 to:192.168.0.2-192.168.0.254
>
> How do I forward the range of ports?
> TIA,
> David
>
> ==============================================
> Running gentoo 2.16.18.4, iptables 1.3.5
>
>
* port forwarding question
From: Phil Sutter @ 2008-03-17 16:26 UTC (permalink / raw)
To: netfilter
Hi,
We have been using commands like the following to forward a single port
on our Linux systems and it works fine:
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 5080 -j DNAT --to 192.168.1.10:80
I am now trying to find a method for port forwarding a range of ports.
For instance, forwarding port 5080 - 5084 to ports 80 - 84 so that:
- port 5080 traffic ends up on port 80
- port 5081 traffic ends up on port 81
- port 5082 traffic ends up on port 82
- port 5083 traffic ends up on port 83
- port 5084 traffic ends up on port 84
I thought I could do the following but it does not work:
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 5080:5085 -j DNAT --to 192.168.1.10:80-85
Is there a way to do what I want to do with a single command or do I
have to forward each port with an individual command?
Thanks,
Phil Sutter
* Re: port forwarding question
From: Jan Engelhardt @ 2008-03-17 18:13 UTC (permalink / raw)
To: Phil Sutter; +Cc: netfilter
On Mar 17 2008 09:26, Phil Sutter wrote:
>
>I thought I could do the following but it does not work:
>
>iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 5080:5085 -j DNAT
>--to 192.168.1.10:80-85
>
>Is there a way to do what I want to do with a single command or do I
>have to forward each port with an individual command?
To do it with a single rule requires your own target extension.
:80-85 just tells it to choose any one of them.
* Re: port forwarding question
From: Cloves Pereira Costa Jr @ 2008-03-17 18:32 UTC (permalink / raw)
To: Netfilter ML
On Mon, 2008-03-17 at 19:13 +0100, Jan Engelhardt wrote:
> On Mar 17 2008 09:26, Phil Sutter wrote:
> >
> >I thought I could do the following but it does not work:
> >
> >iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 5080:5085 -j DNAT
> >--to 192.168.1.10:80-85
> >
> >Is there a way to do what I want to do with a single command or do I
> >have to forward each port with an individual command?
>
> To do it with a single rule requires your own target extension.
>
> :80-85 just tells it to choose any one of it.
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
AFAIK, there isn't any single command to do that... What exists is the
NETMAP target, which DNATs/SNATs every single address in two ranges.
i.e.: "iptables -t nat -A PREROUTING -s 192.168.1.0/24 -j NETMAP --to 10.5.6.0/24"
If anyone knows any command that does this, I'll be pleased to know too...
If not, this is a good feature to implement in future versions of
IPTables.
[]s
Cloves
* Re: port forwarding question
From: Andrew Schulman @ 2008-03-17 20:01 UTC (permalink / raw)
To: netfilter
> > >I thought I could do the following but it does not work:
> > >
> > >iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 5080:5085 -j DNAT
> > >--to 192.168.1.10:80-85
> > >
> > >Is there a way to do what I want to do with a single command or do I
> > >have to forward each port with an individual command?
> >
> > To do it with a single rule requires your own target extension.
> >
> > :80-85 just tells it to choose any one of it.
>
> AFAIK, there isn't any single command to do that... What exists is the
> NETMAP target, which DNATs/SNATs every single address in two ranges.
> i.e.: "iptables -t nat -A PREROUTING -s 192.168.1.0/24 -j NETMAP --to 10.5.6.0/24"
>
> If anyone knows any command that does this, I'll be pleased to know too...
> If not, this is a good feature to implement in future versions of
> IPTables.
It doesn't seem like a high priority for iptables, since the same thing can
easily and more flexibly be accomplished with some bash scripting:
for (( i=80 ; i<=85 ; ++i ))
do
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport $(( 5000+i )) \
-j DNAT --to 192.168.1.10:$i
done
Yes, that is 6 iptables rules, but the performance difference is probably
negligible, it's simple to code, and it's totally customizable to the user's
needs. A specially written iptables target, OTOH, would require a whole
separate kernel module just to cover this one fairly unusual transformation.
Andrew.
* Re: port forwarding question
From: Jan Engelhardt @ 2008-03-18 16:36 UTC (permalink / raw)
To: Andrew Schulman; +Cc: netfilter
On Mar 17 2008 16:01, Andrew Schulman wrote:
> It doesn't seem like a high priority for iptables, since the same thing can
> easily and more flexibly be accomplished with some bash scripting:
>
> for (( i=80 ; i<=85 ; ++i ))
> do
> iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport $(( 5000+i )) \
> -j DNAT --to 192.168.1.10:$i
> done
>
> Yes, that is 6 iptables rules, but the performance difference is probably
> negligible, it's simple to code, and it's totally customizable to the user's
> needs. A specially written iptables target, OTOH, would require a whole
> separate kernel module just to cover this one fairly unusual transformation.
iptables -p tcp --dport A:B -j DNAT --to xxx:C-D
And you would _also_ have to deal with cases where the amount of (A..B)
and the amount of (C..D) are not the same. No, it would be too troublesome.
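An added example (not code from the thread) that combines Andrew's loop with the size check Jan raises: one DNAT rule per external port, and a refusal when the two ranges differ in length or contain invalid ports. ppp0 and 192.168.1.10 are the values from Phil's question; the rules are printed rather than applied unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the thread: map an external port range onto an
# internal one with one DNAT rule per port, refusing ranges of unequal size.
# Assumed names: ppp0 = Internet interface, 192.168.1.10 = internal host.
IPT="echo iptables"
[ "${APPLY:-0}" = "1" ] && IPT="iptables"

# Args: inet_if lan_ip ext_lo ext_hi int_lo int_hi
# Returns 1 without emitting any rule if a port is invalid, a range is not
# ascending, or the two ranges differ in size.
map_port_range() {
    inet_if=$1; lan_ip=$2; ext_lo=$3; ext_hi=$4; int_lo=$5; int_hi=$6
    for p in "$ext_lo" "$ext_hi" "$int_lo" "$int_hi"; do
        case "$p" in ''|*[!0-9]*) echo "not a port: $p" >&2; return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "port out of range: $p" >&2; return 1; }
    done
    [ "$ext_lo" -le "$ext_hi" ] && [ "$int_lo" -le "$int_hi" ] || { echo "range not ascending" >&2; return 1; }
    if [ $((ext_hi - ext_lo)) -ne $((int_hi - int_lo)) ]; then
        echo "ranges differ in size: $ext_lo:$ext_hi vs $int_lo:$int_hi" >&2
        return 1
    fi
    off=$((int_lo - ext_lo))
    p=$ext_lo
    while [ "$p" -le "$ext_hi" ]; do
        # One rule per external port: the DNAT target rewrites to a single
        # port, so the offset is applied here rather than by netfilter.
        $IPT -t nat -A PREROUTING -i "$inet_if" -p tcp --dport "$p" \
            -j DNAT --to-destination "$lan_ip:$((p + off))"
        p=$((p + 1))
    done
}

# The mapping from the thread, 5080-5084 -> 80-84 (constructed invocation).
map_port_range ppp0 192.168.1.10 5080 5084 80 84
```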
* Port Forwarding Question
From: Aaron Clausen @ 2009-05-06 18:25 UTC (permalink / raw)
To: netfilter
I'm in the process of replacing a crappy old 3Com router. I did a
test run last night with the new Linux router, but there is
one issue that I can't quite get my head around. On the old 3Com, a
user inside the internal NATed network, when he accesses a forwarded
port, can contact the internal device in question. For instance, I
have a web server on the internal network with port 80 forwarded to
it. With the 3Com router, I can, from another internal computer,
access that server via the external interface (i.e., by going to
http://publicaddress). When I throw in my Linux router, it does not
do that, and users have to use the internal IP or host name to access
the device.
Now, if need be, I'll just toss in Bind 9 views, so that internal
users get fed the internal IP, but is there a way to do this under
iptables (I'm assuming there is, as I'm fairly certain the old 3Com
router is running a version of iptables)?
--
Aaron Clausen
mightymartianca@gmail.com
* Re: Port Forwarding Question
From: Michele Petrazzo - Unipex @ 2009-05-08 15:57 UTC (permalink / raw)
To: Aaron Clausen; +Cc: netfilter
Aaron Clausen wrote:
> With the 3Com router, I can, from another internal computer,
> access that server via the external interface (ie, by going
> http://publicaddress). When I throw in my Linux router, it does not
> do that, and users have to use the internal IP or host name to access
> the device.
>
What rules have you written?
an
iptables -t nat -A PREROUTING -s local_addrs/mask -d ip_addrs \
-p tcp --dport http -j DNAT --to-destination internal_web
and the respective
iptables -t nat -A POSTROUTING -d internal_web -p tcp --dport http -j SNAT --to-source gw_ip
must do the trick.
So the request stays inside the LAN and there are no "loops".
Michele
* Re: Port Forwarding Question
From: Aaron Clausen @ 2009-05-17 21:54 UTC (permalink / raw)
To: netfilter
On Fri, May 8, 2009 at 08:57, Michele Petrazzo - Unipex
<michele.petrazzo@unipex.it> wrote:
> Aaron Clausen wrote:
>>
>> With the 3Com router, I can, from another internal computer,
>> access that server via the external interface (ie, by going
>> http://publicaddress). When I throw in my Linux router, it does not
>> do that, and users have to use the internal IP or host name to access
>> the device.
>>
>
> What rules have you written?
> an
> iptables -t nat -A PREROUTING -s local_addrs/mask -d ip_addrs \
> -p tcp --dport http -j DNAT --to-destination internal_web
> and the respective
> iptables -t nat -A POSTROUTING -d internal_web -p tcp --dport http -j SNAT
> --to-source gw_ip
>
> must do the trick.
>
> So the request stays inside the LAN and there are no "loops".
How do I write this if the WAN IP is supplied via DHCP?
--
Aaron Clausen
mightymartianca@gmail.com
* Re: Port Forwarding Question
From: Покотиленко Костик @ 2009-05-18 7:03 UTC (permalink / raw)
To: Aaron Clausen; +Cc: netfilter
On Sun, 17/05/2009 at 14:54 -0700, Aaron Clausen wrote:
> On Fri, May 8, 2009 at 08:57, Michele Petrazzo - Unipex
> <michele.petrazzo@unipex.it> wrote:
> > Aaron Clausen wrote:
> >>
> >> With the 3Com router, I can, from another internal computer,
> >> access that server via the external interface (ie, by going
> >> http://publicaddress). When I throw in my Linux router, it does not
> >> do that, and users have to use the internal IP or host name to access
> >> the device.
> >>
> >
> > What rules have you written?
> > an
> > iptables -t nat -A PREROUTING -s local_addrs/mask -d ip_addrs \
> > -p tcp --dport http -j DNAT --to-destination internal_web
> > and the respective
> > iptables -t nat -A POSTROUTING -d internal_web -p tcp --dport http -j SNAT
> > --to-source gw_ip
> >
> > must do the trick.
> >
> > So the request stays inside the LAN and there are no "loops".
>
> How do I write this if the WAN IP is supplied via DHCP?
-j MASQUERADE
--
Покотиленко Костик <casper@meteor.dp.ua>
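The hairpin ("NAT loopback") rule pair Michele describes, combined with the MASQUERADE answer to the DHCP question, as an added example that is not code from the thread. Assumed names: eth0 for the LAN interface, 192.168.0.0/24 for the LAN, 192.168.0.10 for the internal web server and 203.0.113.5 for the current public address; the rules are printed rather than applied unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the thread: DNAT + MASQUERADE so that LAN clients
# reaching the public address are "hairpinned" back to the internal server.
# Assumed names: eth0 = LAN interface, 192.168.0.0/24 = LAN, 192.168.0.10 =
# web server.  The public address is passed in because it changes under DHCP.
IPT="echo iptables"
[ "${APPLY:-0}" = "1" ] && IPT="iptables"

# Current IPv4 address of the WAN interface (e.g. after a DHCP lease renews),
# for re-running the rules whenever the lease changes.
wan_ip() {
    ip -4 -o addr show dev "$1" 2>/dev/null | awk '{ print $4 }' | cut -d/ -f1 | head -n1
}

# Args: lan_if lan_net public_ip web_ip
hairpin_http() {
    lan_if=$1; lan_net=$2; pub=$3; web=$4
    [ -n "$pub" ] || { echo "no public address known" >&2; return 1; }
    # 1. LAN client -> public address: rewrite the destination to the server.
    $IPT -t nat -A PREROUTING -i "$lan_if" -s "$lan_net" -d "$pub" \
        -p tcp --dport 80 -j DNAT --to-destination "$web"
    # 2. Only for those hairpinned LAN connections, rewrite the source too,
    #    so the server's reply comes back through the gateway to be de-DNATed
    #    instead of going straight to the client.  MASQUERADE uses the
    #    gateway's own address on the LAN interface, so no fixed gw_ip is
    #    needed.  Keeping -s "$lan_net" here leaves Internet clients' real
    #    source addresses intact in the web server's logs.
    $IPT -t nat -A POSTROUTING -o "$lan_if" -s "$lan_net" -d "$web" \
        -p tcp --dport 80 -j MASQUERADE
    # 3. Allow the hairpinned connection in FORWARD (LAN in, LAN out); the
    #    replies are covered by the usual ESTABLISHED,RELATED rule.
    $IPT -A FORWARD -i "$lan_if" -o "$lan_if" -s "$lan_net" -d "$web" \
        -p tcp --dport 80 -j ACCEPT
}

# Constructed invocation; 203.0.113.5 stands in for the current WAN address
# (use "$(wan_ip ppp0)" on a live router).
hairpin_http eth0 192.168.0.0/24 203.0.113.5 192.168.0.10
```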