Port forwarding for iptables (DMZ)
Posted by Steve on Fri 7 Jan 2005 at 10:52
If you have a network gateway which is running Linux you might sometimes want to allow access to machines behind it from the internet.
This is simple enough to do with iptables, which you will probably be using for the gateway's normal operation anyway.
Normally you'd deny all incoming connections to a gateway machine as opening up services and ports could be a security risk.
If you have a gateway machine and wish to forward connections on port 80 to an internal machine then you'd create the following rules:
iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.50:80
iptables -A INPUT -p tcp -m state --state NEW --dport 80 -i eth1 -j ACCEPT
These two rules are fairly simple - the first says that all incoming TCP connections arriving for port 80 should be sent to the internal machine 192.168.1.50 (also on port 80).
This rule alone doesn't do the job, though: we also have to accept the incoming connection. That is the job of the second rule, which says that new connections on port 80 should be accepted on the external device eth1.
To increase security you could limit this forwarding so that it only works for connections coming from a particular address, using the "--source" flag:
iptables -A PREROUTING -t nat -i eth1 -p tcp --source 11.22.33.44 --dport 80 -j DNAT --to 192.168.1.50:80
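A complete rule set for this kind of forward, added here as an example and not taken from the article or from Steve: as later comments in this thread point out, a DNAT'd packet is routed through the filter table's FORWARD chain rather than INPUT, so that is where it must be accepted, and the replies need a stateful rule in the same chain. The interface names, addresses and ports are placeholder assumptions; the function prints the rules so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example (not from the original article): print the iptables rules for
# forwarding one external TCP port to one internal host. eth1/eth0 and the
# addresses used below are placeholder assumptions.
#
# usage: dmz_rules EXT_IF INT_IF EXT_PORT INT_IP INT_PORT [SOURCE_IP]
dmz_rules() {
    ext_if=$1 int_if=$2 ext_port=$3 int_ip=$4 int_port=$5 src=${6:-}
    # Optional restriction to one client address, as in the article's
    # "--source" variant; stays empty when no sixth argument is given.
    src_match=""
    if [ -n "$src" ]; then src_match="--source $src "; fi
    # 1. Rewrite the destination before the routing decision (nat/PREROUTING).
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp %s--dport %s -j DNAT --to-destination %s:%s\n' \
        "$ext_if" "$src_match" "$ext_port" "$int_ip" "$int_port"
    # 2. Accept the rewritten packet in filter/FORWARD, the chain it actually
    #    traverses (not INPUT). Matching the rewritten destination and port
    #    keeps the rule narrow even when FORWARD's policy is DROP.
    printf 'iptables -A FORWARD -i %s -o %s -p tcp %s-d %s --dport %s -m state --state NEW -j ACCEPT\n' \
        "$ext_if" "$int_if" "$src_match" "$int_ip" "$int_port"
}

# Reply packets travel back through FORWARD as well, so one stateful rule
# covers every forwarded connection; emit it once, not once per port.
established_rule() {
    printf 'iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
}

# Review the printed rules, then apply them as root with: sh dmz.sh | sh
# (dmz.sh is a placeholder name). Forwarding also needs ip_forward enabled:
# sysctl -w net.ipv4.ip_forward=1
established_rule
dmz_rules eth1 eth0 80 192.168.1.50 80 11.22.33.44   # the article's source-restricted case
dmz_rules eth1 eth0 8090 10.0.1.211 80              # external 8090 to an internal web server on 80
```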
If you try rc.firewall from http://iptables-tutorial.frozentux.net/iptables-tutorial.html#RCFIREWALLFILE,
you will see the difference, where the default policy for FORWARD is DROP instead of FORWARD.
First post :/
This may sound stupid, but would this work with OpenSSH, as in replacing port 80 with port 22? Just that I'd like to be safe rather than sorry.
This is a really good site for new Debian users like myself!
Keep up the good work gents!
Don't forget the ladies too!
Yes it should work for other ports too, so you have nothing to worry about.
Steve
It would make more sense to change the Tor configuration to allow it to bind to the external address, rather than using iptables for this.
Look at the configuration files under /etc/tor.
Steve
I have a server with Debian that holds an entire network.
I have an internal IP like everyone else, and only 1 IP for the server, that everyone else uses.
I want to open a port on the server so I can become connectable on trackers for torrents; can anyone help me?
Unless you stop explaining things before you understand how they work and correct your article.
Forwarded packets DON'T enter -t filter INPUT chain.
Please don't confuse people.
Thanks Steve, you're a life saver!
Martha
How to configure ISA 2004 DMZ?
i.e. what should the rule set be if I want to route external traffic received on port 8090 to the internal IP 10.0.1.211:80, and allow the web server traffic back to a browser on the internet?
TIA
Hi Steve,
I know this is an old post but my experiments indicate you got something wrong that may frustrate people new to iptables firewalls.
is:
iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.50:80
iptables -A INPUT -p tcp -m state --state NEW --dport 80 -i eth1 -j ACCEPT
should be:
iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.50:80
iptables -A FORWARD -p tcp -i eth1 -o eth0 -d 192.168.1.50 --dport 80 -j ACCEPT
Your packet is going to enter the nat table's PREROUTING chain, then pass to the input table's FORWARD chain so that it can be sent from eth1 to eth0 and to its destination.
The rest is ok.