IPTables and Port Forwarding?
$hy_guy asks: "I have been totally striking out finding some info on how to do port forwarding in Linux. I am currently running Mandrake 8.1 as my router and I would like to forward a particular port to another machine on my LAN. I'm pretty sure I have to use iptables but I have been very unsuccessful at the proper syntax. I have scoured through Google and I have not really found any useful info. I would appreciate just a link or something to point me in the correct direction. Thanks for the help." I know many of you may think this is an FAQ, but it seems that IPTables confuses many people, as this is not the first time this question has hit the bin. If someone has a good general reference on the use of IPTables, please share.
Check MonMotha's IPTables scripts... (Score:2, Informative)
Docs abound (Score:4, Informative)
Home page: http://www.netfilter.org/ [netfilter.org]
FAQs: http://www.netfilter.org/documentation/FAQ/netfil
Excellent HOWTOs: http://www.netfilter.org/documentation/index.html
google and howto (Score:2, Redundant)
Why is that so hard?
gus
Re:google and howto (Score:4, Informative)
Go ahead, Google "iptables port forwarding" and see how much worse those results are.
This just goes to show that we need more basic user education. RTFM should be preceded by RTFH (Read The Fucking HOWTO!) so that people at least know what to look for when they're stumped.
Kids these days...
pffff (Score:3, Informative)
Step one: go to http://www.netfilter.org [netfilter.org]
step two: find the HOWTO section
step three: fifth line of the HTML version of the NAT-HOWTO reads like this: This document describes how to do masquerading, transparent proxying, port forwarding, and other forms of Network Address Translations with the 2.4 Linux Kernels.
step four: Wait, there's no step four... there's no step four!
Quentin
'tis Quite Easy (Score:5, Informative)
The syntax for port forwarding is:
iptables -t nat -I PREROUTING -p <protocol> --dport <destination port> -j DNAT --to-destination <destination IP>:<destination port>
Note that you can remap port numbers, too, if need be (i.e. traffic coming in on port 80 is redirected internally to port 5000).
Make sure you have the destination NAT target compiled in (I think it might be, by default), and make sure you enable all the NAT stuff you need.
Re:Limiting access by username (Score:2, Informative)
But there's another way:
owner
This module attempts to match various characteristics of the packet creator, for locally-generated packets. It is only valid in the OUTPUT chain, and even this some packets (such as ICMP ping responses) may have no owner, and hence never match.
--uid-owner userid
Matches if the packet was created by a process with the given effective user id.
--gid-owner groupid
Matches if the packet was created by a process with the given effective group id.
--pid-owner processid
Matches if the packet was created by a process with the given process id.
--sid-owner sessionid
Matches if the packet was created by a process in the given session group.
And with Iptables 1.2.5 [samba.org] you can even establish quotas per user.
Re:Limiting access by username (Score:1)
Re:Limiting access by username (Score:1)
Yes, I did actually do the port forwarding by IP, since anyone who has Remotely Anywhere access has a static IP on their station.
But the outgoing connections are limited by NT username.
Re:'tis Quite Easy (Score:1)
Re:'tis Quite Easy (Score:1)
The 'nbtstat' method has a few disadvantages, including the fact that if a user logs onto two stations at once, only the most recently logged-on station will return a user name, and also that the returned ID codes (0x03) are the same for machine name and username...
The daemon method is more-or-less foolproof, but you need to deploy all the daemons... easy if you have login scripts set up from a centralized server, but a pain in the ass if you don't. Plus, you'd need to write the daemon software. Shouldn't be more than 100 lines or so (at most).
In either case, you have to queue packets to userspace by using the appropriate kernel module (ip_queue, IIRC), and a QUEUE target in your iptables rules.
Took me a while to figure out, too, and you have to decide which model is best for your network.
Either way, you basically need to write at least SOME code, so this is not for the faint of heart!
Good luck!
Here's how to forward a port. (Score:1)
(To forward port 80 to 192.168.1.2 on LAN. eth0 is your external interface)
Linux advanced routing how-to (Score:2, Informative)
Here's how (Score:4, Informative)
OK here's an example: our gateway is 192.168.0.1 with lan interface eth0 and internet interface eth1. We want to redirect port 21 (FTP) to the machine 192.168.0.10
First of all, we need to add a rule matching incoming data to port 21. We use the PREROUTING chain in the NAT table:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 21 -j DNAT --to-destination 192.168.0.10
This says: in the network address translation table and the chain that deals with incoming data prior to routing, and if the data is coming in from the internet and wants to go to TCP port 21 (ftp), DNAT (destination network address translate) it to transparently make it go to 192.168.0.10
Here's a generic template:
iptables -t nat -A PREROUTING -i [net interface] [selection rules - proto, port] -j DNAT --to-destination [ip on lan]
You can also redirect to a different port number, in the above example to redirect to 192.168.0.10 port 321 it would be:
--to-destination 192.168.0.10:321
As for this being an FAQ, I am aware of no such references on IPTables, and it doesn't matter. I think the manual page provides more than sufficient information to get you started. If you don't understand it, then you should not be administering a gateway of any kind!
Re:Here's how (Score:1)
Now, you have to add a FORWARD ACCEPT statement (in the default table) like this:
iptables -A FORWARD -i eth1 -p tcp -d 192.168.1.2 --dport 21 -j ACCEPT
Another thing is that for FTP traffic to work, you'll need a state of RELATED to be entered somewhere.
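The pieces from the "'tis Quite Easy" syntax and the "Here's how" / "Re:Here's how" comments fit together into one small gateway script. The following is an added example, not code posted by anyone in this thread; it assumes the "Here's how" topology (eth1 faces the internet, the LAN host is 192.168.0.10) and 2.4-era module names. With DRY_RUN=1 (the default) every command is printed instead of executed, so the rule set can be reviewed before it touches a live gateway; the `run`, `valid_port`, `gateway_baseline`, `forward_port` and `load_ftp_helper` functions are this example's own.

```shell
#!/bin/sh
# Port-forwarding helper for a 2.4-era iptables gateway.
# Added example: not code from this thread. Topology is assumed from the
# "Here's how" comment: eth1 faces the internet, the LAN host is 192.168.0.10.
# DRY_RUN=1 (the default) prints each command instead of running it, so the
# rule set can be reviewed before it is applied to a live gateway.

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# valid_port PORT: succeeds only for an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then
        return 0
    fi
    return 1
}

# gateway_baseline: forwarding on, reply traffic allowed, everything else in
# FORWARD dropped so that only explicitly forwarded ports reach the LAN.
gateway_baseline() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# forward_port EXT_IF PROTO EXT_PORT LAN_IP [LAN_PORT]
# Emits the two rules a forward needs: the DNAT in nat/PREROUTING (the
# syntax from the "'tis Quite Easy" comment) and an ACCEPT in filter/FORWARD
# scoped to the rewritten destination, as the "Re:Here's how" reply points out.
# LAN_PORT defaults to EXT_PORT; give it to remap (e.g. 80 -> 5000).
forward_port() {
    ext_if=$1; proto=$2; ext_port=$3; lan_ip=$4; lan_port=${5:-$3}
    case "$proto" in
        tcp|udp) ;;
        *) echo "forward_port: protocol must be tcp or udp" >&2; return 1 ;;
    esac
    if ! valid_port "$ext_port" || ! valid_port "$lan_port"; then
        echo "forward_port: bad port $ext_port/$lan_port" >&2
        return 1
    fi
    run iptables -t nat -A PREROUTING -i "$ext_if" -p "$proto" --dport "$ext_port" \
        -j DNAT --to-destination "$lan_ip:$lan_port"
    run iptables -A FORWARD -i "$ext_if" -p "$proto" -d "$lan_ip" \
        --dport "$lan_port" -j ACCEPT
}

# load_ftp_helper: FTP data connections are separate TCP sessions; the
# connection-tracking helper (module names as on 2.4 kernels) marks them
# RELATED so the baseline ESTABLISHED,RELATED rule admits them.
load_ftp_helper() {
    run modprobe ip_conntrack_ftp
    run modprobe ip_nat_ftp
}

gateway_baseline
load_ftp_helper
forward_port eth1 tcp 21 192.168.0.10          # FTP straight through
forward_port eth1 tcp 80 192.168.0.10 5000     # port 80 remapped to 5000
```

Run it as-is to see the exact rules it would add; set DRY_RUN=0 as root to apply them. Keeping FORWARD's policy at DROP and accepting only the rewritten destination and port means a typo in the DNAT rule fails closed rather than exposing the whole LAN host.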
Re:Here's how (Score:2)
My setup... (Score:2)
It handles all my iptables configuration, including NAT with port forwarding.
Linux Journal (Score:1)
Re:Linux Journal (Score:2)
I just ran across it today when setting up a network. (You would think I would have remembered, considering that I wrote the article.)
FwBuilder ROCKS ! (Score:2, Interesting)
It's a totally object based graphical tool for building a firewall. You can just drag and drop "services" (ports) to create port mappings, drag and drop machines, other firewalls, networks, etc. to determine who gets to do what.
Has a nice little druid in it to get you a working setup that you can modify to better suit your needs.
Really. Check it out.
Re:FwBuilder ROCKS ! (Score:1)
make patch-o-matic (Score:1)
Just download iptables [samba.org], uncompress it, and run 'make patch-o-matic', provided you have a source tree in
The NETMAP patch:
Author: Svenning Soerensen
Status: Experimental
This adds CONFIG_IP_NF_TARGET_NETMAP option, which provides a target for the nat table. It creates a static 1:1 mapping of the network address, while keeping host addresses intact. It can be applied to the PREROUTING chain to alter the destination of incoming connections, to the POSTROUTING chain to alter the source of outgoing connections, or both (with separate rules).
Examples:
iptables -t nat -A PREROUTING -d 1.2.3.0/24 -j NETMAP --to 5.6.7.0/24
iptables -t nat -A POSTROUTING -s 5.6.7.0/24 -j NETMAP --to 1.2.3.0/24
---
The TTL patch:
Author: Harald Welte
Status: Stable, needs new checksum handling
This adds CONFIG_IP_NF_TARGET_TTL option, which enables the user to set the TTL value of an IP packet or to increment / decrement it by a given value.
---
The iplimit patch:
Author: Gerd Knorr
Status: ItWorksForMe[tm]
This adds the CONFIG_IP_NF_MATCH_IPLIMIT match, which allows you to restrict the number of parallel TCP connections to a server per client IP address (or address block).
Examples:
# allow 2 telnet connections per client host
iptables -A INPUT -p tcp --syn --dport 23 -m iplimit --iplimit-above 2 -j REJECT
# you can also match the other way around:
iptables -A INPUT -p tcp --syn --dport 23 -m iplimit ! --iplimit-above 2 -j ACCEPT
# limit the number of parallel http requests to 16 per class C sized
# network (24 bit netmask)
iptables -A INPUT -p tcp --syn --dport 80 -m iplimit --iplimit-above 16 --iplimit-mask 24 -j REJECT
---
The random patch:
Author: Fabrice MARIE
Status: Works For Me.
This option adds CONFIG_IP_NF_MATCH_RANDOM, which allows you to match packets randomly with a given probability.
Supported options are:
[--average] percent: matches packets randomly with a probability of 'percent'; the default is 50%
---
The string patch:
Author: Emmanuel Roger
Status: Working, not with kernel 2.4.9
This patch adds CONFIG_IP_NF_MATCH_STRING which allows you to match a string in a whole packet.
---
and iptables 1.2.5, which I haven't compiled yet, so cannot tell for sure, has something that seems to be awesome... New quota match to have fixed IP quotas
Detailed instructions, Using mdk 8.1 (Score:3, Informative)
Please see my page [hackorama.com] with detailed instructions on how I did port forwarding on my Mandrake 8.1 box, which uses Bastille scripts to generate the iptables rules.
SOCKS (Score:1)
David
Re:SOCKS (Score:1)
Re:SOCKS (Score:2)
David
Here's Mine (Score:1)
iface eth1 inet static
    address 209.195.xxx.xxx
    netmask 255.255.255.224
    gateway 209.195.xxx.xxx
iface eth0 inet static
    address 10.10.10.1
    netmask 255.255.255.0
    network 10.10.10.0
    broadcast 10.10.10.255
    up
    up
    up
    up
    up
    up
    up
    up
    up
    up
    up
    up
gShield is very good (Score:2)
support for multiple NATs, configurable public service access, access control lists, routable protection, DMZ support, port-forwarding, MAC-specific filtering, configurable outgoing filtering, blacklists, support for transparent proxy, QoS marking of common transports and more.
I use it at work and at home. One caveat since you are using Mandrake: gShield.rc is not a SysVinit script, so