26th May 2009, 11:38 AM #1 IPTables Port Forwarding
So, I'm having a play with IPTables, with the aim of getting rid of our ISA box (there's no need to pay for a proxy!)
The thing that is odd about our network is this - it is a single port 'firewall', as we are on a WAN.
So, what I'd like to do is this: port forward all requests for port 80 to another web server. I have the following rules in the iptables.up.rules file in /etc/ (created via webmin):
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.5.143.125:80
-A FORWARD -p tcp -m tcp -d 10.5.143.125 --dport 80 -j ACCEPT
Yet, when I navigate to that machine in a browser, nothing happens. It just hangs.
Any ideas?
-
26th May 2009, 11:53 AM #2 Have you enabled ip forwarding:
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
-
26th May 2009, 12:18 PM #3 
Originally Posted by
CyberNerd
Have you enabled ip forwarding:
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
I hadn't. But now I have and no change.
-
26th May 2009, 01:09 PM #4 when you navigate to the ip of the router, I assume that you are coming from the external interface? try that.
It might be worth posting your nat rules
Code:
/sbin/iptables -t nat -L
Have you thought about using shorewall
Shoreline Firewall
iptables can be a bit of a headspin IMHO
-
26th May 2009, 01:17 PM #5 
Originally Posted by
CyberNerd
when you navigate to the ip of the router, I assume that you are coming from the external interface? try that.
It might be worth posting your nat rules
Code:
/sbin/iptables -t nat -L
Have you thought about using shorewall
Shoreline Firewall
iptables can be a bit of a headspin IMHO
As I said earlier, it only has one interface. I want it to work in the same way ISA does at the moment, namely, it has a single port.
I don't want to have a firewall sat in between our network and our LEA WAN, as this would complicate their remote support somewhat. But if it has to be, I'll investigate it when I do our IP address range move later in the year.
-
26th May 2009, 01:20 PM #6 
Originally Posted by
CyberNerd
Have you enabled ip forwarding:
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
Forwarding is for true public routing, here localzuk wants masquerading. The PREROUTING rule that's already in should be enough.

Originally Posted by
CyberNerd
when you navigate to the ip of the router, I assume that you are coming from the external interface? try that.
With the prerouting rule in the OP, it shouldn't matter.
It might be worth posting your nat rules
Code:
/sbin/iptables -t nat -L
And iptables -L please.
-
26th May 2009, 01:21 PM #7 I misunderstood, maybe you just need to install a squid server and have that look at your upstream webserver
-
26th May 2009, 01:23 PM #8
Forwarding is for true public routing, here localzuk wants masquerading. The PREROUTING rule that's already in should be enough.
yes, I thought that was what he was trying to achieve, I misread the OP wrt 'single port'
-
26th May 2009, 01:27 PM #9 Code:
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere 10.5.143.125 tcp dpt:www
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Code:
iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:www to:10.5.143.125:80
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
And Squid is no use, it is currently on the same box, proxying requests on 8080 out, and also, I will want to forward a few other ports at some point too (non http). (Also, the web server is on-site, with requests coming in from outside, not the other way round).
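A worked rule set, added here as an example rather than anything posted in the thread. The listing above shows a PREROUTING DNAT rule whose destination is "anywhere" and an empty POSTROUTING chain. Two general points about a single-interface gateway matter for that layout. First, when the client and the DNAT target sit on the same subnet, the server answers the client directly rather than via the gateway, so the client's TCP stack sees a SYN-ACK from an address it never connected to and discards it, which appears in the browser as a hang; an SNAT (or MASQUERADE) rule in POSTROUTING for the forwarded traffic makes the reply return through the gateway. Second, matching `-d <gateway address>` on the DNAT rule limits the rewrite to traffic actually addressed to the gateway, instead of redirecting every port-80 connection the box happens to forward. The gateway address 10.5.143.1 is a constructed placeholder (the thread never gives the box's own IP), `eth0` is the interface name RabbieBurns used, and the listing fed to `count_nat_rules` is a constructed copy of the OP's output with numeric addresses.

```shell
#!/bin/sh
# Added example (not from the thread): emit a complete DNAT port-forward rule
# set for a single-interface gateway, plus two checks a troubleshooter wants.
# All addresses are constructed placeholders.

# Print the iptables commands that forward tcp/PORT on the gateway address
# GW_IP to TARGET_IP:TARGET_PORT.  One interface, so -i and -o are the same.
build_portforward_rules() {
    iface="$1"; gw_ip="$2"; port="$3"; target_ip="$4"; target_port="$5"
    # Rewrite only traffic addressed to the gateway itself on this port.
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$iface" "$gw_ip" "$port" "$target_ip" "$target_port"
    # Let the rewritten connection through the filter table (safe even when
    # the FORWARD policy is later tightened to DROP)...
    printf 'iptables -A FORWARD -i %s -o %s -p tcp -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$iface" "$iface" "$target_ip" "$target_port"
    # ...and let the replies of any tracked connection back out.
    printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    # Hairpin case: a client on the server's own subnet would otherwise receive
    # the reply straight from the server and drop it.  SNAT to the gateway so
    # the server answers the gateway, which un-NATs and replies to the client.
    printf 'iptables -t nat -A POSTROUTING -o %s -p tcp -d %s --dport %s -j SNAT --to-source %s\n' \
        "$iface" "$target_ip" "$target_port" "$gw_ip"
}

# Return 0 if the sysctl file at $1 reads 1.  Without forwarding enabled the
# FORWARD chain is never consulted, whatever rules it holds.
ip_forward_enabled() {
    if [ -r "$1" ] && [ "$(cat "$1")" = "1" ]; then
        return 0
    fi
    return 1
}

# Read an `iptables -t nat -L -n` listing on stdin and print how many rules in
# chain $1 jump to target $2; 0 for POSTROUTING/SNAT is the gap to look for.
count_nat_rules() {
    awk -v chain="$1" -v target="$2" '
        /^Chain / { in_chain = ($2 == chain); next }
        in_chain && $1 == target { n++ }
        END { print n + 0 }'
}

# Stand-alone use: print the rules for the placeholder topology.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    build_portforward_rules eth0 10.5.143.1 80 10.5.143.125 80
fi
```

The commands are printed rather than applied so the script can be reviewed (or diffed against `iptables-save` output) before anything is loaded; piping it to `sh` on the gateway applies them. Rules added at the command line do not survive a reboot or a reload of iptables.up.rules, so the same four lines belong in that file as well.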
-
26th May 2009, 01:39 PM #10 sorry to keep deviating your iptables question away from iptables (only because I can't answer it!), how about serving a proxyconfig.pac file to your browsers so that they get routed directly, rather than having your server re-direct them. Apologies if I keep misunderstanding what you are trying to do.
-
26th May 2009, 01:57 PM #11 
Originally Posted by
CyberNerd
sorry to keep deviating your iptables question away from iptables (only because I can't answer it!), how about serving a proxyconfig.pac file to your browsers so that they get routed directly, rather than having your server re-direct them. Apologies if I keep misunderstanding what you are trying to do.
That's no use either. We have a webserver in our rack, which people can get to on the internet. This is done via a publishing rule on our ISA server (which only has a private IP address, but has a public address somewhere with Somerset or SWGfL, but I don't concern myself with that as I have no control over it). So, the only IPs we have in here are private (10.5.x.x etc...). So... The way we get our webserver on the net is by having all requests come in to a single address (at the moment our ISA box) which does all the handling of forwarding etc... - this allows us to forward multiple servers on the same IP address, using different ports. The ISA also does proxying/caching.
We want to do this with Ubuntu, iptables and squid.
-
26th May 2009, 01:59 PM #12 iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
maybe?
-
26th May 2009, 02:34 PM #13 
Originally Posted by
RabbieBurns
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
maybe?
No difference.
When I do an nmap to the machine, port 80 comes up as 'filtered', which I'm guessing isn't right...
-
27th May 2009, 09:43 AM #14 Any more ideas from all you *nix gurus?
-
27th May 2009, 11:44 AM #15