On Wednesday 11 December 2002 16:15, Claus Weber wrote:
Hello,
I have got a problem with port forwarding with iptables. Situation: I have got a host (2 interfaces, one with an official IP address, one private) that should forward incoming TCP connections on a specific port to a second host in the private net.
My specific rules:

$IPTABLES -A FORWARD -i $IF -o $INTIF -m state --state NEW,ESTABLISHED -p tcp -s $i -d 192.168.10.4 --dport 4899 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $IF -m state --state ESTABLISHED -p tcp -s 192.168.10.4 --sport 4899 -d $i -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $IF -p tcp --dport 4899 -j DNAT --to-destination 192.168.10.4:4899
where $IF is the external IF, $INTIF is the internal IF and $i is the permitted host IP.
I added logging for debugging, then I tried telnetting from an external host:
Dec 11 15:51:23 hosting4 kernel: 4899 forward: IN=eth0 OUT=eth1 SRC=<external host> DST=192.168.10.4 LEN=60 TOS=0x10 PREC=0x00 TTL=57 ID=50329 DF PROTO=TCP SPT=3221 DPT=4899 WINDOW=32120 RES=0x00 SYN URGP=0
Seems that packets are forwarded, but then??? Do I need an SNAT rule for backward packets? Telnetting directly from this (forwarding) host works perfectly.

Maybe you need some more rules. Those below should do a port forwarding. You could adapt them to your settings.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o <external if> -s <internal server> -d 0/0 -j SNAT --to-source <firewall>
iptables -t nat -A PREROUTING -i <external if> -p tcp -s <external client> -d <firewall> --destination-port <forwarding port> -j DNAT --to-destination <internal server>
iptables -A FORWARD -p tcp -m state --state NEW -s <external client> -d <internal server> --destination-port <forwarding port> -j ACCEPT

Andreas
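As an added example (not code from either message in this thread), the following shell function emits a least-privilege port-forwarding ruleset of the kind discussed above: DNAT for one permitted client and port, a FORWARD policy that only admits the translated SYN plus conntrack-known traffic, and an optional SNAT on the internal interface for the case where the internal server's default route does not point back at the firewall. Interface names, addresses and the function name are assumptions; the sample addresses are constructed from documentation and private ranges.

```shell
#!/bin/sh
# Added example, not from the thread. Dry run by default (rules are printed);
# set IPTABLES=iptables in the environment to apply them for real.
IPTABLES="${IPTABLES:-echo iptables}"

# portfwd_rules EXT_IF INT_IF FW_EXT_IP SERVER PORT CLIENT [FW_INT_IP]
portfwd_rules() {
    ext_if=$1; int_if=$2; fw_ip=$3; server=$4; port=$5; client=$6; fw_int_ip=$7

    # Without this the kernel never moves packets between the two interfaces.
    echo "sysctl -w net.ipv4.ip_forward=1"

    # Rewrite the destination before routing, and only for the one permitted
    # client/port pair, so nobody else can reach the internal server this way.
    $IPTABLES -t nat -A PREROUTING -i "$ext_if" -p tcp -s "$client" -d "$fw_ip" \
        --dport "$port" -j DNAT --to-destination "$server:$port"

    # The translated SYN is the only NEW connection allowed across the box;
    # everything else must belong to a connection conntrack already knows.
    $IPTABLES -P FORWARD DROP
    $IPTABLES -A FORWARD -i "$ext_if" -o "$int_if" -p tcp -s "$client" -d "$server" \
        --dport "$port" -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Only needed when the internal server's default route does not point at
    # the firewall: rewriting the source on the way in makes its replies come
    # back through this box, at the cost of the server seeing the firewall's
    # internal address instead of the real client in its own logs.
    if [ -n "$fw_int_ip" ]; then
        $IPTABLES -t nat -A POSTROUTING -o "$int_if" -p tcp -d "$server" \
            --dport "$port" -j SNAT --to-source "$fw_int_ip"
    fi
}

# Constructed sample values (RFC 5737 documentation and RFC 1918 private ranges).
portfwd_rules eth0 eth1 203.0.113.10 192.168.10.4 4899 198.51.100.7 192.168.10.1
```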