  1. #1

    localzuk

    IPTables Port Forwarding

    So, I'm having a play with IPTables, with the aim of getting rid of our ISA box (there's no need to pay for a proxy!)

    The thing that is odd about our network is this - it is a single port 'firewall', as we are on a WAN.

    So, what I'd like to do is this, port forward all requests for port 80 to another web server. I have the following rules in the iptables.up.rules file in /etc/ (created via webmin):

    -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.5.143.125:80

    -A FORWARD -p tcp -m tcp -d 10.5.143.125 --dport 80 -j ACCEPT

    Yet, when I navigate to that machine in a browser, nothing happens. It just hangs.

    Any ideas?

  2. #2

    Have you enabled IP forwarding?

    Code:
    echo 1 > /proc/sys/net/ipv4/ip_forward

  3. #3

    localzuk
    Quote Originally Posted by CyberNerd:
    Have you enabled IP forwarding?

    Code:
    echo 1 > /proc/sys/net/ipv4/ip_forward
    I hadn't. But now I have and no change.

  4. #4

    When you navigate to the IP of the router, I assume that you are coming from the external interface? Try that.

    It might be worth posting your NAT rules:
    Code:
    /sbin/iptables -t nat -L
    Have you thought about using Shorewall?
    Shoreline Firewall
    iptables can be a bit of a headspin, IMHO.

  5. #5

    localzuk
    Quote Originally Posted by CyberNerd:
    When you navigate to the IP of the router, I assume that you are coming from the external interface? Try that.

    It might be worth posting your NAT rules:
    Code:
    /sbin/iptables -t nat -L
    Have you thought about using Shorewall?
    Shoreline Firewall
    iptables can be a bit of a headspin, IMHO.
    As I said earlier, it only has one interface. I want it to work in the same way ISA does at the moment, namely, it has a single port.

    I don't want to have a firewall sat in between our network and our LEA WAN, as this would complicate their remote support somewhat. But if it has to be, I'll investigate it when I do our IP address range move later in the year.

  6. #6

    powdarrmonkey
    Quote Originally Posted by CyberNerd:
    Have you enabled IP forwarding?

    Code:
    echo 1 > /proc/sys/net/ipv4/ip_forward
    Forwarding is for true public routing, here localzuk wants masquerading. The PREROUTING rule that's already in should be enough.

    Quote Originally Posted by CyberNerd:
    When you navigate to the IP of the router, I assume that you are coming from the external interface? Try that.
    With the prerouting rule in the OP, it shouldn't matter.

    It might be worth posting your NAT rules:
    Code:
    /sbin/iptables -t nat -L
    And iptables -L please.

  7. #7

    I misunderstood; maybe you just need to install a Squid server and have that look at your upstream web server.

  8. #8

    Forwarding is for true public routing, here localzuk wants masquerading. The PREROUTING rule that's already in should be enough.
    Yes, I thought that was what he was trying to achieve; I misread the OP w.r.t. 'single port'.

  9. #9

    localzuk
    Code:
    iptables -L
    
    Chain INPUT (policy ACCEPT)
    target     prot    opt    source                   destination
    
    Chain FORWARD (policy ACCEPT)
    target     prot    opt    source                   destination
    ACCEPT   tcp     --     anywhere               10.5.143.125               tcp   dpt:www
    
    Chain OUTPUT (policy ACCEPT)
    target     prot    opt    source                   destination
    Code:
    iptables -t nat -L
    
    Chain PREROUTING (policy ACCEPT)
    target     prot    opt    source                   destination
    DNAT      tcp     --      anywhere               anywhere               tcp   dpt:www   to:10.5.143.125:80
    
    Chain POSTROUTING (policy ACCEPT)
    target     prot    opt    source                   destination
    
    Chain OUTPUT (policy ACCEPT)
    target     prot    opt    source                   destination
    And Squid is no use; it is currently on the same box, proxying requests on 8080 out, and I will also want to forward a few other ports at some point too (non-HTTP). (Also, the web server is on-site, with requests coming in from outside, not the other way round.)

  10. #10

    Sorry to keep deviating your iptables question away from iptables (only because I can't answer it!). How about serving a proxyconfig.pac file to your browsers so that they get routed directly, rather than having your server redirect them? Apologies if I keep misunderstanding what you are trying to do.

  11. #11

    localzuk
    Quote Originally Posted by CyberNerd:
    Sorry to keep deviating your iptables question away from iptables (only because I can't answer it!). How about serving a proxyconfig.pac file to your browsers so that they get routed directly, rather than having your server redirect them? Apologies if I keep misunderstanding what you are trying to do.
    That's no use either. We have a web server in our rack, which people can get to on the internet. This is done via a publishing rule on our ISA server (which only has a private IP address, but has a public address somewhere with Somerset or SWGfL, but I don't concern myself with that as I have no control over it). So, the only IPs we have in here are private (10.5.x.x etc.). So... the way we get our web server on the net is by having all requests come in to a single address (at the moment our ISA box), which does all the handling of forwarding etc. This allows us to forward multiple servers on the same IP address, using different ports. The ISA also does proxying/caching.

    We want to do this with Ubuntu, iptables and squid.

  12. #12

    RabbieBurns
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    maybe?

  13. #13

    localzuk
    Quote Originally Posted by RabbieBurns:
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    maybe?
    No difference.

    When I do an nmap to the machine, port 80 comes up as 'filtered', which I'm guessing isn't right...
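    The following is an added example from the editor, not code posted by anyone in this thread. It audits a rules file for the three pieces a one-armed (single-NIC) port forward needs. The PREROUTING DNAT from the OP only rewrites the destination; on a box with one interface the web server can answer the client directly without passing back through the box (unless its default route points at the box), so the client receives a reply from 10.5.143.125 rather than from the address it connected to, discards it, and the browser hangs. That is consistent with the 'filtered' nmap result, and the `iptables -t nat -L` output in post #9 shows the empty POSTROUTING chain. A SNAT or MASQUERADE rule in POSTROUTING for the forwarded flow makes the server answer back through the box; net.ipv4.ip_forward must also be 1. The script embeds the rules as posted (reconstructed from the thread) beside a corrected ruleset and checks both. The interface name eth0, the iptables-restore file layout and the helper names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit an iptables-restore style rules
# file for the pieces a one-armed (single interface) DNAT port forward needs.
# Assumptions: the external interface is eth0; rules use the *table / COMMIT
# layout that /etc/iptables.up.rules (as written by webmin) uses.

# Rules as posted in the thread (reconstructed): nat and filter tables.
# POSTROUTING has no SNAT, so the web server replies to the client directly
# unless its default route happens to point at this box.
RULES_AS_POSTED='*nat
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.5.143.125:80
COMMIT
*filter
-A FORWARD -p tcp -m tcp -d 10.5.143.125 --dport 80 -j ACCEPT
COMMIT'

# Corrected one-armed ruleset: same DNAT, plus MASQUERADE of the forwarded
# flow in POSTROUTING so the server answers back through this box, and a
# FORWARD chain that only admits the published service and its replies.
# net.ipv4.ip_forward=1 (sysctl) is still required and lives outside this file.
RULES_ONE_ARMED='*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.5.143.125:80
-A POSTROUTING -o eth0 -p tcp -m tcp -d 10.5.143.125 --dport 80 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o eth0 -p tcp -m tcp -d 10.5.143.125 --dport 80 -m conntrack --ctstate NEW -j ACCEPT
COMMIT'

# table_rules RULES TABLE -> prints the -A lines belonging to one table
table_rules() {
    printf '%s\n' "$1" | awk -v t="*$2" '$0 == t {f=1; next} /^COMMIT/ {f=0} f && /^-A/'
}

# audit_one_armed_dnat RULES DEST_IP:PORT
# Prints "OK" or "MISSING:<items>"; returns 0 only when all three pieces exist:
#   dnat           PREROUTING DNAT to the published server
#   hairpin-snat   POSTROUTING SNAT/MASQUERADE so replies come back via this box
#   forward-accept FORWARD rule admitting traffic to the published server
audit_one_armed_dnat() {
    rules="$1"; dest="$2"; ip="${dest%%:*}"
    nat=$(table_rules "$rules" nat)
    filter=$(table_rules "$rules" filter)
    missing=""
    printf '%s\n' "$nat" | grep -qE "^-A PREROUTING .*-j DNAT --to-destination $dest" \
        || missing="$missing dnat"
    printf '%s\n' "$nat" | grep -qE "^-A POSTROUTING .*-j (SNAT|MASQUERADE)" \
        || missing="$missing hairpin-snat"
    printf '%s\n' "$filter" | grep -qE "^-A FORWARD .*-d $ip .*-j ACCEPT" \
        || missing="$missing forward-accept"
    if [ -z "$missing" ]; then
        echo OK
        return 0
    fi
    echo "MISSING:$missing"
    return 1
}

# Run the audit over both rulesets; the report continues even when one fails.
printf 'rules as posted: '; audit_one_armed_dnat "$RULES_AS_POSTED" 10.5.143.125:80 || true
printf 'one-armed rules: '; audit_one_armed_dnat "$RULES_ONE_ARMED" 10.5.143.125:80 || true
```

    To apply the corrected file, load it with `iptables-restore < /etc/iptables.up.rules` and set `net.ipv4.ip_forward=1` in /etc/sysctl.conf so it survives a reboot. One trade-off of the hairpin MASQUERADE: the web server's access log then records this box's address as the client rather than the real source, so if client addresses matter for the logs, a reverse proxy that adds an X-Forwarded-For header is the usual alternative.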

  14. #14

    localzuk
    Any more ideas from all you *nix gurus?

  15. #15

    Add another NIC?
