How To Set Up Simple Port Forwarding

Asked by Curtis Lee Bolin

I am on a mixed network of computers. Some have direct Internet IPs and some don't. On one of the computers that has a direct Internet IP, I would like to forward connections to its port 80 to another computer on the network that doesn't have a direct Internet IP. I read a lot of iptables documentation and came up with what I did below, but it doesn't seem to work.

Thank you for your time,
-Curt Lee

# iptables -A FORWARD -p tcp -i eth0 -o eth0 -d 10.192.17.200 --dport 80 --sport 80 -m state --state NEW -j ACCEPT

# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere 10.192.17.200 tcp spt:www dpt:www state NEW

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Question information

Language: English
Status: Solved
For: Ubuntu
Assignee: No assignee
Solved by: Curtis Lee Bolin

This question was reopened

Curtis Lee Bolin (curtisleebolin) said:
#1

*I would like to forward connects

Curtis Lee Bolin (curtisleebolin) said:
#2

Well, I finally realized I could edit the question.

Bulat (bulatkjug) said:
#3

I think that you are wrong at least in two things.

First of all, why should the source port be 80? In most cases it'll be 1024 and up. So you should apply this rule to any source port or a range of source ports from 1024 and above.

Second, where's the routing itself? You've only specified an ACCEPT rule. (A FORWARD rule is a filter rule for packets passing through; it is not a rule that will reroute packets.)

I think something like this'd be better:
iptables -t nat -A PREROUTING -p tcp -i eth0 -d xxx.xxx.xxx.xxx --dport 80 -j DNAT --to 10.192.17.200:80
iptables -A FORWARD -p tcp -i eth0 -d 10.192.17.200 --dport 80 --sport 1024:65535 -j ACCEPT

where xxx.xxx.xxx.xxx is your router's external IP address. (Also add -m, --state, etc. if you need them.)

P.S. I'm not quite familiar with IPTABLES.

Bulat (bulatkjug) said:
#4

Curtis Lee Bolin (curtisleebolin) said:
#5

Just thought I would post the answer.

# echo 1 > /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to (remote ip):80
# iptables -A FORWARD -p tcp -i eth0 -d (remote ip) --dport 80 -j ACCEPT

Tom (tom6) said:
#6

Hi :)

Thanks for posting the answer to this question. Sorry no one got back to you before now, but it is appreciated when people post answers, as it may help many people in the future by having a good answer in the "Solved Answers" database.

Thanks and regards from
Tom :)

Curtis Lee Bolin (curtisleebolin) said:
#7

Please don't follow this post I made above:

>Just thought I would post the Answer
>
># echo 1 > /proc/sys/net/ipv4/ip_forward
># iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to (remote ip):80
># iptables -A FORWARD -p tcp -i eth0 -d (remote ip) --dport 80 -j ACCEPT

I am posting a better solution to my problem.

Curtis Lee Bolin (curtisleebolin) said:
#8

I first made a simple script to clear the iptables rules after each test.
I made a text file named cleariptable, then added the lines below to it.

#!/bin/sh
# flush and delete all rules and user chains in every table
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# reset the built-in chains to accept everything
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

Run this to make it executable:
chmod +x cleariptable

Now just run this any time you need to clear the changes you made:
sudo ./cleariptable

Now for the actual forwarding. My interface was eth0; change it to whatever interface you need. I forwarded port 8022 on this computer to 192.168.0.110 port 22 on the remote computer.

sudo su -c "echo 1 > /proc/sys/net/ipv4/ip_forward"

sudo iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE

sudo iptables -A PREROUTING -t nat -p tcp --dport 8022 -i eth0 -j DNAT --to-destination 192.168.0.110:22

Curtis Lee Bolin (curtisleebolin) said:
#9

Also edit /etc/sysctl.conf

and uncomment this line (remove the # in front of it):
net.ipv4.ip_forward=1

Curtis Lee Bolin (curtisleebolin) said:
#10

Once the iptables rules are set the way you want them, run:
sudo su -c "iptables-save > /etc/iptables.rules"

This will save them to "/etc/iptables.rules".
Next edit "/etc/network/interfaces" and
add this line at the bottom:
pre-up iptables-restore < /etc/iptables.rules

That will restore the rules after each network restart or computer reboot.

Sorry my solution is so messy and spread over so many posts. I will try to post this somewhere and post a link here.
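The following is an added example and is not from this thread or from Ubuntu's own tooling. It ties together Bulat's point in #3 (DNAT does the rewriting, FORWARD only filters) and the procedure in #8 to #10: a small POSIX sh script that generates, in iptables-save format, the ruleset for the 8022 -> 192.168.0.110:22 forward, so the output can be written straight to /etc/iptables.rules and loaded by the pre-up iptables-restore line. It keeps the thread's single-interface layout (eth0 on both sides) and sample values, but differs from #8 in what a defender would want checked: the FORWARD policy is DROP and only the forwarded flow plus reply traffic is admitted, and MASQUERADE is applied only to that flow rather than to every packet leaving eth0, so the box does not silently become a general NAT gateway. The function names valid_port and build_forward_rules are this example's own.

```shell
#!/bin/sh
# Added example, not from the Launchpad thread: generate an iptables-restore
# ruleset for one TCP port forward. Sample values (eth0, 8022, 192.168.0.110,
# 22) are the thread's; the function names are this example's own.

# valid_port N: succeed only if N is an integer in 1..65535
valid_port() {
  case $1 in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_forward_rules EXT_IF EXT_PORT INT_IP INT_PORT
# Prints, in iptables-save format, a ruleset that:
#  - DNATs connections arriving on EXT_IF:EXT_PORT to INT_IP:INT_PORT
#  - masquerades only that forwarded flow (not everything leaving EXT_IF);
#    this is needed when the internal host sits on the same segment, as in
#    the thread, so that its replies come back through this box
#  - sets FORWARD to DROP and admits only the forwarded flow plus replies
build_forward_rules() {
  ext_if=$1
  ext_port=$2
  int_ip=$3
  int_port=$4
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i ${ext_if} -p tcp --dport ${ext_port} -j DNAT --to-destination ${int_ip}:${int_port}
-A POSTROUTING -o ${ext_if} -p tcp -d ${int_ip} --dport ${int_port} -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i ${ext_if} -p tcp -d ${int_ip} --dport ${int_port} -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Usage: sh forward-rules.sh eth0 8022 192.168.0.110 22 > /etc/iptables.rules
# Then check it with: iptables-restore --test < /etc/iptables.rules
if [ "$#" -eq 4 ]; then
  if ! valid_port "$2" || ! valid_port "$4"; then
    echo "ports must be integers in 1..65535" >&2
    exit 2
  fi
  build_forward_rules "$@"
fi
```

net.ipv4.ip_forward=1 from #9 is still required; iptables-restore does not set it. Because the forwarded flow is masqueraded, sshd on 192.168.0.110 logs the gateway's address rather than the original client's, so if you need the real source address keep connection logging on the gateway itself. iptables-restore --test parses the file without applying it, which is a cheap check before the pre-up line runs it at boot.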