* Doubt about forwarding. Please, Help me!
From: Morales Carlos @ 2005-07-14 18:40 UTC (permalink / raw)
To: netfilter
Hello. I have a firewall blocking all the traffic from the Internet to my local network, but I need to let an external host (extHOST) access the port 8888 (for example) of an internal host (intHOST). Is this correct? The external LAN adapter is eth1.
/sbin/iptables -t nat -A PORTFW -p tcp -i eth1 -s extHOST --dport 8888 -j DNAT --to-destination intHOST:8888
Thanks, please email me at cmmorales@mail.com
Carlos
* Re: Doubt about forwarding. Please, Help me!
From: Francesco Ciocchetti @ 2005-07-14 18:46 UTC (permalink / raw)
To: Morales Carlos; +Cc: netfilter
Morales Carlos wrote:
>Hello. I have a firewall blocking all the traffic from the Internet to my local network, but I need to let an external host (extHOST) access the port 8888 (for example) of an internal host (intHOST). Is this correct? The external LAN adapter is eth1.
>
> /sbin/iptables -t nat -A PORTFW -p tcp -i eth1 -s extHOST --dport 8888 -j DNAT --to-destination intHOST:8888
>
>Thanks, please email me at cmmorales@mail.com
>Carlos
>
As long as there is a jump to PORTFW in the PREROUTING chain of the nat table,
it is OK.
What you need is a DNAT rule in the nat table PREROUTING chain, and a
rule to allow traffic to the DNATted destination port 8888 in the filter table
FORWARD chain.
Bye
Francesco
* Re: Doubt about forwarding. Please, Help me!
From: Sergio Basurto Juarez @ 2005-07-14 19:50 UTC (permalink / raw)
To: netfilter
--- Morales Carlos <cmmorales@mail.com> wrote:
> Hello. I have a firewall blocking all the traffic
> from the Internet to my local network, but I need to
> let an external host (extHOST) access the port
> 8888 (for example) of an internal host (intHOST). Is
> this correct? The external LAN adapter is eth1.
>
> /sbin/iptables -t nat -A PORTFW -p tcp -i eth1 -s extHOST --dport 8888 -j DNAT --to-destination intHOST:8888
>
> Thanks, please email me at cmmorales@mail.com
> Carlos
>
Your iptables rule is good; if you are new to iptables, maybe
it is better to insert your rule in the PREROUTING chain,
so the rule looks like:
iptables -t nat -A PREROUTING -p tcp -i eth1 -s extHOST --dport 8888 -j DNAT --to intHOST:8888
Also remember to enable IP forwarding with
echo "1" > /proc/sys/net/ipv4/ip_forward
Besides, you must have a couple of rules in the FORWARD
chain, like:
# Let the traffic from your net go anywhere
iptables -I FORWARD -s $INTNET -d $UNIVERSE -j ACCEPT
# Now let in only the traffic related to a
# connection that begins from your net.
iptables -A FORWARD -s $UNIVERSE -d $INTNET -m state \
--state ESTABLISHED,RELATED -j ACCEPT
# Finally deny anything else.
iptables -A FORWARD -j DROP
I don't think you have to DNAT the output traffic.
I hope this helps.
Regards.
--
Sergio Basurto J.
If I have seen further it is by standing on the
shoulders of giants. (Isaac Newton)
* Doubt about forwarding. Please, Help me!
From: Morales Carlos @ 2005-07-14 19:11 UTC (permalink / raw)
To: netfilter
Thank you Francesco, could you write the lines for that? I'm just beginning with netfilter. I'm LOST.
Thanks a lot.
Carlos
* Re: Doubt about forwarding. Please, Help me!
From: Glaucius Djalma Pereira Junior @ 2005-07-14 19:20 UTC (permalink / raw)
To: Morales Carlos; +Cc: netfilter
iptables -t nat -A PREROUTING -p tcp --dport 8888 -i eth1 -d EXT_IP -j DNAT --to INT_IP
and the rule to allow the packets back:
iptables -t nat -A POSTROUTING -s INT_IP -p tcp --sport 8888 -j SNAT --to EXT_IP
Simple; with these two rules you can redirect the port to your
internal host.
Best regards
--
Glaucius Djalma Pereira Junior
glaucius@gmail.com