Port forwarding for iptables (DMZ)

Posted by Steve on Fri 7 Jan 2005 at 10:52

If you have a network gateway which is running Linux you might sometimes want to allow access to machines behind it from the internet.

This is simple enough to do with iptables, which you will probably be using for the gateway's normal operation anyway.

Normally you'd deny all incoming connections to a gateway machine, since every service or port you open is a potential way in. Each forwarded port should therefore be a deliberate, narrow exception rather than a blanket rule.

If you have a gateway machine and wish to forward connections on port 80 to an internal machine then you'd create the following rules:

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.50:80
iptables -A FORWARD -i eth1 -o eth0 -p tcp -d 192.168.1.50 --dport 80 -m state --state NEW -j ACCEPT

These two rules are fairly simple. The first, in the nat table's PREROUTING chain, rewrites the destination of every TCP packet arriving on eth1 for port 80 so that it is addressed to the internal machine 192.168.1.50 (also on port 80). This happens before the kernel makes its routing decision.

That rule alone doesn't do the job though: the firewall still has to let the connection through. Because the packet's destination is now 192.168.1.50 rather than the gateway itself, the routing decision sends it through the FORWARD chain, not INPUT (INPUT only ever sees traffic addressed to the gateway). So the second rule accepts new connections that enter on the external device eth1, leave on the internal device eth0 and are bound for 192.168.1.50 port 80. Note that it matches on the rewritten destination, since the DNAT has already happened by the time FORWARD is consulted; pinning both interfaces stops the rule from being used to reach anything other than the one DMZ host.

Three other things have to be true for this to work. IP forwarding must be enabled (net.ipv4.ip_forward=1). Your FORWARD chain needs a rule accepting ESTABLISHED,RELATED traffic, so that the rest of the conversation passes in both directions; most firewall scripts already have one. And the internal machine must send its replies back through the gateway, where connection tracking reverses the DNAT so the remote client sees the gateway's address. If your FORWARD policy is already ACCEPT the second rule is redundant and a rule in INPUT will appear to work; with the safer default policy of DROP it will not.

To tighten this further you can limit the forwarding to connections coming from a particular address with the "--source" (or "-s") flag:

iptables -t nat -A PREROUTING -i eth1 -p tcp --source 11.22.33.44 \
  --dport 80 -j DNAT --to-destination 192.168.1.50:80

Traffic from any other source is then simply not rewritten and ends up in the gateway's own INPUT chain, where your normal deny-all policy disposes of it. Put the same --source match on the matching FORWARD rule so the two stay in step, and remember that this is only a filter on the claimed source address: for TCP a spoofed source can't complete the handshake, but it is no substitute for authentication on the forwarded service itself.
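The following script is an added example, not code from the original article. It generates (and, with --apply, runs) a complete rule set for the setup described above, and goes a little beyond the single case in the text: it also shows forwarding to a different internal port, forwarding both TCP and UDP for one service, restricting a forward to one client address, and the gateway-wide settings (ip_forward, a DROP policy on FORWARD, the ESTABLISHED,RELATED rule) that the two rules silently depend on. The interface names eth1/eth0, the addresses 10.0.1.211, 10.0.1.20, 192.168.1.50 and 11.22.33.44, and the ports are all assumptions for the demo; the MASQUERADE rule stands in for whatever outbound NAT the gateway already does.

```shell
#!/bin/sh
# Added example, not from the original article: build (and optionally apply)
# a complete DMZ port-forwarding rule set for an iptables gateway.
# All interface names, addresses and ports are assumed for the demo:
# eth1 = internet side, eth0 = internal side.
#
# Why FORWARD and not INPUT: nat/PREROUTING rewrites the destination *before*
# the routing decision.  The rewritten destination (the DMZ host) is not a
# local address, so the packet is routed and traverses filter/FORWARD.
# filter/INPUT only ever sees traffic addressed to the gateway itself.

# dmz_rules EXT_IF INT_IF PROTO EXT_PORT DMZ_IP DMZ_PORT [SRC]
# Prints the two iptables commands that forward one service.  EXT_PORT and
# DMZ_PORT may differ (external 8090 -> internal 80, say).  SRC, if given,
# restricts the forward to that client address or CIDR block, in both rules.
dmz_rules() {
    ext_if=$1; int_if=$2; proto=$3; ext_port=$4; dmz_ip=$5; dmz_port=$6; src=$7
    if [ -n "$src" ]; then src_match=" -s $src"; else src_match=""; fi
    # 1. Rewrite the destination; this matches on the *external* port.
    echo "iptables -t nat -A PREROUTING -i $ext_if$src_match -p $proto --dport $ext_port -j DNAT --to-destination $dmz_ip:$dmz_port"
    # 2. Let the new connection through.  DNAT has already happened, so match
    #    on the DMZ host's address and *internal* port, and pin both interfaces
    #    so the rule cannot be used to reach other internal hosts.
    echo "iptables -A FORWARD -i $ext_if -o $int_if$src_match -p $proto -d $dmz_ip --dport $dmz_port -m state --state NEW -j ACCEPT"
}

# base_rules EXT_IF INT_IF
# Prints the gateway-wide settings every dmz_rules pair depends on.
base_rules() {
    ext_if=$1; int_if=$2
    # Without this the kernel never forwards anything.
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Default-deny FORWARD.  With an ACCEPT policy an INPUT rule can *appear*
    # to work, because the DNAT'ed packet was being forwarded anyway.
    echo "iptables -P FORWARD DROP"
    # The rest of each conversation, in both directions.  Conntrack reverses
    # the DNAT on the DMZ host's replies, which must route back via this box.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Ordinary outbound NAT for the inside (assumed to exist already on any
    # gateway; shown here so the script is complete on its own).
    echo "iptables -t nat -A POSTROUTING -o $ext_if -j MASQUERADE"
}

# ruleset: the concrete rule set for this (assumed) gateway.
ruleset() {
    base_rules eth1 eth0
    # Web camera: outside port 8090 -> 10.0.1.211 port 80 (port translation)
    dmz_rules eth1 eth0 tcp 8090 10.0.1.211 80
    # A service that speaks both TCP and UDP: one pair of rules per protocol
    dmz_rules eth1 eth0 tcp 5000 10.0.1.20 5000
    dmz_rules eth1 eth0 udp 5000 10.0.1.20 5000
    # SSH to the DMZ host, only from one trusted client address
    dmz_rules eth1 eth0 tcp 22 192.168.1.50 22 11.22.33.44
}

# Usage: sh dmz-forward.sh           # print the commands for review
#        sh dmz-forward.sh --apply   # run them (as root)
if [ "${1:-}" = "--apply" ]; then
    ruleset | sh -e
else
    ruleset
fi
```

Run it without arguments first and read the output; the order matters, because the ESTABLISHED,RELATED rule has to come before the per-service NEW rules and the DROP policy has to be in place before you trust any of it. On a current kernel `-m conntrack --ctstate` is the preferred spelling of `-m state --state`, but the older form used on this page still works.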


Posted by aphid7 (81.168.xx.xx) on Mon 7 Feb 2005 at 19:11
After the first iptables rule, the connection to the gateway on port 80 is rerouted and sent to FORWARD, not to INPUT on the gateway machine. The second rule must be: iptables -A FORWARD -p tcp -m state --state NEW -d 192.168.1.50 --dport 80 -j ACCEPT

Posted by Steve (82.41.xx.xx) on Mon 7 Feb 2005 at 19:20
Strange, as the rules work as described above...

Steve
-- Steve.org.uk

Posted by wschee (146.6.xx.xx) on Fri 4 Nov 2005 at 16:07
I think that was because your default policy for FORWARD was ACCEPT.
If you try rc.firewall from http://iptables-tutorial.frozentux.net/iptables-tutorial.html#RCFIREWALLFILE,
you will see the difference, where the default policy for FORWARD is DROP instead of FORWARD.

Posted by Anonymous (217.147.xx.xx) on Sun 26 Nov 2006 at 00:18
This is definitely true.... I suggest you update the article to say the correct thing.

Posted by Anonymous (122.168.xx.xx) on Tue 3 Apr 2007 at 15:02
Very correct. The connection after DNATting does get rerouted to the FORWARD chain. Somebody correct this article.

Posted by RTB (82.41.xx.xx) on Tue 11 Oct 2005 at 23:01
Hi,
first post :/

This may sound stupid, but would this work with OpenSSH, as in replacing port 80 with port 22? I'd just like to be safe rather than sorry.

This is a really good site for new Debian users like myself!
Keep up the good work, gents!

Posted by Steve (82.41.xx.xx) on Fri 4 Nov 2005 at 16:10
Don't forget the ladies too!

Yes it should work for other ports too, so you have nothing to worry about.

Steve
--

Posted by Anonymous (24.197.xx.xx) on Tue 8 Nov 2005 at 03:43
I'd like to be able to connect to 'tor' (on port 9050) from a PC on the LAN. Since tor only accepts connections from localhost, what command would I use to make 10.0.0.1 able to access tor on port 9050? I've tried a few combinations of the commands above, but no luck.

Posted by Steve (82.41.xx.xx) on Tue 8 Nov 2005 at 11:56
It would make more sense to change the tor configuration to allow it to bind upon the external address - rather than using iptables for this.

Look at the configuration files under /etc/tor.

Steve
--

Posted by Anonymous (141.85.xx.xx) on Mon 12 Dec 2005 at 17:51
Hello... I have a small problem with Debian as well.
I have a server with Debian that holds an entire network.
I have an internal IP like everyone else, and only one IP for the server, that everyone else uses.
I want to open a port on the server so I can become connectable on trackers for torrents; can anyone help me?

Posted by Anonymous (82.211.xx.xx) on Fri 11 May 2007 at 12:33
No, it should not.

Unless you stop explaining things before you understand how they work and correct your article.

Forwarded packets DON'T enter -t filter INPUT chain.

Please don't confuse people.

Posted by Anonymous (130.13.xx.xx) on Fri 15 Feb 2008 at 18:04
I've struggled for 5 days looking for information on how to forward ports through my Linux gateway and read almost every article about the subject. Beautiful articles but none of them worked. Suddenly, I copy the first two rules, change the internal IP and paste them into Putty, save and restart iptables et voila they worked like a charm. Therefore, I'd go with what works.

Thanks Steve, you're a life saver!

Martha

Posted by Anonymous (59.184.xx.xx) on Tue 20 Dec 2005 at 12:09
how to use IP from DMZ (iptables)
how to configure ISA 2004 DMZ

Posted by Sluggoman (68.147.xx.xx) on Sun 13 Aug 2006 at 00:55
Hmmmm - not sure if I've missed something - I've tried this and it doesn't seem to work - is there anything else I need to do? Restart networking? I have a front end Debian box doing NAT, DHCP, DNS, Apache etc. I am using ipmasq for the "natting". Inside the network I have three independent network cameras with internal IP addresses that I would like to forward traffic to from the external interface - so I need to use various non-standard ports externally and forward them to port 80 at the appropriate IPs on the inside - do I need a second rule to allow NAT traffic back out the internal interface?

i.e. - what should the rule set be if I want to route external traffic received on port 8090 to the internal IP 10.0.1.211:80 and allow the webserver traffic back to a browser on the internet?

TIA

Posted by Anonymous (12.218.xx.xx) on Sat 18 Nov 2006 at 05:13
My question is... I see it's either a TCP or a UDP forward. I need to know how to forward both. I've tried making a separate one for each, but it does not work. Anyone able to offer any advice?

Posted by Anonymous (212.76.xx.xx) on Wed 6 Dec 2006 at 12:30
I second what has been mentioned earlier. The second rule should be FORWARD instead of INPUT. After the prerouting the FORWARD chain is invoked, this is particularly true of recent versions of iptables. So could someone please edit this article.

Posted by Anonymous (86.55.xx.xx) on Sun 24 Dec 2006 at 03:49
very useful and correct.

Posted by sgla1 (206.72.xx.xx) on Sun 16 Mar 2008 at 23:57
Hi Steve,

I know this is an old post but my experiments indicate you got something wrong that may frustrate people new to iptables firewalls.

is:

iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.50:80
iptables -A INPUT -p tcp -m state --state NEW --dport 80 -i eth1 -j ACCEPT

should be:

iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.50:80
iptables -A FORWARD -p tcp -i eth1 -o eth0 -d 192.168.1.50 --dport 80 -j ACCEPT

Your packet is going to enter the nat table's PREROUTING chain, then pass to the input table's FORWARD chain so that it can be sent from eth1 to eth0 and on to its destination.

Posted by Anonymous (84.2.xx.xx) on Sat 22 Mar 2008 at 11:18
INPUT should be FORWARD.

The rest is ok.

Posted by Anonymous (79.42.xx.xx) on Mon 12 May 2008 at 11:13
It doesn't make any sense, there must be a FORWARD chain not an INPUT ....
