Re: Port Forwarding: Why so hard?

From: Bryn Sadler (syslundy@hotmail.com)
Date: 03/11/03


From: "Bryn Sadler" <syslundy@hotmail.com>
Date: Tue, 11 Mar 2003 13:54:00 -0000

Do you have a rule set up in the FORWARD chain to explicitly allow all
established and related TCP sessions?

Something like:
iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

Also, it seems to me that you can't have that -d 10.0.10.150 switch in the
SNAT chain, because you've never SNATed it to the firewall internal IP: the web
server will see a packet coming from the original box and try to reply to
it. If you SNAT the incoming HTTP packets to make them appear as though they
originate from the firewall, the firewall will then handle the routing and
it should work.

Caveat:
Please bear in mind that I am still hungover, and therefore may not be
thinking clearly. Or at all.

Good luck,
B

"Greg Smith" <grsmith@F4stR1v3r.com> wrote in message
news:5Wiba.10513$Ty5.994051@news0.telusplanet.net...
> I have now spent days, literally days, trying to get a simple port
> forwarding setup going.
>
> Redhat 7.3 box with external interface eth1 and address aaa.bbb.ccc.ddd and
> internal address 10.0.10.150 on eth0. I want to forward port 80 to an
> internal box at 10.0.10.3. The latest port forwarding rules I've been able
> to glean from newsgroups, Google searches, etc. is the following:
>
> #Let stuff in and rewrite to go to 10.0.10.3
> iptables -t nat -A PREROUTING -p tcp -i eth1 -d aaa.bbb.ccc.ddd --dport 80 -j DNAT --to 10.0.10.3:80
>
> #Forward the re-written packets to the internal web server
> iptables -A FORWARD -p tcp -i eth1 -d 10.0.10.3 --dport 80 -j ACCEPT
>
> #Let the answers back out.
> iptables -t nat -A POSTROUTING -p tcp -s 10.0.10.3 -d 10.0.10.150 --dport 80 -j SNAT --to 216.18.9.125:80
>
> I've tried several incarnations of each of these but nothing happens.
>
> Ideas please as I am going quite nuts.

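The setup the thread is about, as an added example that is not code from either post: a complete, ordered port-forward script for the layout Greg describes (eth1 outside, eth0 inside, web server 10.0.10.3). It assumes the firewall is the web server's default gateway, in which case connection tracking reverses the DNAT on the replies by itself and no SNAT rule for return traffic is needed at all; the optional "hairpin" SNAT (the approach Bryn suggests) is included for the case where the web server routes its replies somewhere else. The public address 203.0.113.10 is a placeholder standing in for aaa.bbb.ccc.ddd, and the script prints the commands by default so the ruleset can be reviewed without root; --apply installs them.

```shell
#!/bin/sh
# Added example, not code from the original posts. Complete DNAT port forward
# for the layout in the thread: eth1 outside, eth0 inside, web server 10.0.10.3.
# EXT_IP is a placeholder (RFC 5737 documentation address) standing in for the
# post's aaa.bbb.ccc.ddd; override it in the environment.
EXT_IF=eth1
INT_IF=eth0
EXT_IP=${EXT_IP:-203.0.113.10}
FW_INT_IP=10.0.10.150   # firewall's eth0 address, from the post
WEB=10.0.10.3           # internal web server, from the post
PORT=80

# Emit the commands in the order they must be applied. Printing rather than
# running them lets the ruleset be reviewed (or tested) without root.
# Pass "hairpin" as $1 to add the SNAT variant described in step 4.
port_forward_rules() {
    # 1. Routing between interfaces must be on, or DNATed packets never reach FORWARD.
    echo "sysctl -w net.ipv4.ip_forward=1"
    # 2. Rewrite the destination of inbound :80 arriving on the outside interface.
    echo "iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -d $EXT_IP --dport $PORT" \
         "-j DNAT --to-destination $WEB:$PORT"
    # 3. FORWARD sees the packet with its rewritten destination, so match on $WEB,
    #    not on $EXT_IP. This admits the first packet of each connection ...
    echo "iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $WEB --dport $PORT" \
         "-m state --state NEW -j ACCEPT"
    #    ... and this admits every later packet of a tracked connection in both
    #    directions, including the web server's replies. It has to sit above any
    #    DROP/REJECT rule in FORWARD: on a box that already has such rules, use
    #    -I instead of -A so it lands at the top.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # 4. No SNAT rule is needed for the replies: conntrack undoes the DNAT on
    #    packets from $WEB:$PORT by itself, as long as they route back through
    #    this box. Only when the web server's default gateway is NOT the firewall
    #    do you also source-NAT the inbound packets so the replies come back here;
    #    the web server then sees every client as $FW_INT_IP.
    if [ "${1:-}" = hairpin ]; then
        echo "iptables -t nat -A POSTROUTING -o $INT_IF -p tcp -d $WEB --dport $PORT" \
             "-j SNAT --to-source $FW_INT_IP"
    fi
}

# Number of iptables rules the generator produces (3, or 4 with hairpin).
rule_count() { port_forward_rules "$@" | grep -c '^iptables'; }

case "${1:-}" in
    --apply)         port_forward_rules | sh -e ;;          # run as root to install
    --apply-hairpin) port_forward_rules hairpin | sh -e ;;
    *)               port_forward_rules "$@" ;;             # default: dry run
esac
```

Two checks worth running before rewriting rules yet again: `cat /proc/sys/net/ipv4/ip_forward` must print 1, and after a test connection `iptables -t nat -L PREROUTING -n -v` should show the DNAT rule's packet counter increasing. If the counter moves but `tcpdump -ni eth0 port 80` on the firewall shows SYNs going in and no SYN/ACKs coming back, the web server is sending its replies around the firewall, and that is the one case where the hairpin SNAT variant is the fix.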