I have been googling and researching iptables and forwarding all day and
still can't figure this out. I am trying to set up some port forwarding.
Since I couldn't get it to work with my current firewall, I cleared it and
am using the following script. For this test I am trying to forward port
2222 on eth0 (the WAN) to another servers port 22 on the internal network
which should get to it on eth1. I am running a new install of a Redhat
2.6 kernel.



Here is my script, followed by the output and an iptables -vnL. I am really
hoping that someone can spot my mistake so that I can get this working. Not
sure if I have left something out of this installation or not.

Thanks in Advance

Steve

-----script-----------------------------------------------------------------
-

#!/bin/sh

#

# The location of the iptables and kernel module programs

IPTABLES=/sbin/iptables

DEPMOD=/sbin/depmod

MODPROBE=/sbin/modprobe

IFCONFIG=/sbin/ifconfig

GREP=/bin/grep

AWK=/bin/awk

SED=/bin/sed



#Setting the EXTERNAL and INTERNAL interfaces for the network

EXTIF="eth0"

INTIF="eth1"

echo " External Interface: $EXTIF"

echo " Internal Interface: $INTIF"



EXTIP="`$IFCONFIG $EXTIF | $GREP 'inet addr' | $AWK '{print $2}' | $SED -e
's/.*://'`"



echo -en " loading modules: "



# Need to verify that all modules have all required dependencies

#

echo " - Verifying that all kernel modules are ok"

$DEPMOD -a



echo
"----------------------------------------------------------------------"



#Load the main body of the IPTABLES module - "iptable"

echo -en "ip_tables, "

$MODPROBE ip_tables



#Load the stateful connection tracking framework - "ip_conntrack"

echo -en "ip_conntrack, "

$MODPROBE ip_conntrack



#Load the FTP tracking mechanism for full FTP tracking

echo -en "ip_conntrack_ftp, "

$MODPROBE ip_conntrack_ftp



#Load the IRC tracking mechanism for full IRC tracking

echo -en "ip_conntrack_irc, "

$MODPROBE ip_conntrack_irc



#Load the general IPTABLES NAT code - "iptable_nat"

echo -en "iptable_nat, "

$MODPROBE iptable_nat



#Loads the FTP NAT functionality into the core IPTABLES code

echo -en "ip_nat_ftp, "

$MODPROBE ip_nat_ftp



#Loads the IRC NAT functionality into the core IPTABLES code

# Required to support NAT of IRC DCC requests

#

# Disabled by default -- remove the "#" on the next line to activate

#

#echo -e "ip_nat_irc"

#$MODPROBE ip_nat_irc

echo ""

echo
"----------------------------------------------------------------------"



echo -e " Done loading modules.
"



#CRITICAL: Enable IP forwarding since it is disabled by default since

echo " Enabling forwarding.."

echo "1" > /proc/sys/net/ipv4/ip_forward



#Clearing any previous configuration

echo " Clearing any existing rules and setting default policy.."

$IPTABLES -P INPUT ACCEPT

$IPTABLES -F INPUT

$IPTABLES -P OUTPUT ACCEPT

$IPTABLES -F OUTPUT

#$IPTABLES -P FORWARD DROP

$IPTABLES -F FORWARD

$IPTABLES -t nat -F



echo " FWD: Allow all connections OUT and only existing and related ones
IN"

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state
ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

$IPTABLES -A FORWARD -j LOG



echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"

$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE



# Allow forwarding of new and existing port 2222 connections from the
external

# interface. This rule is required as our default FORWARD policy is DENY.

#

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 2222 -m state

--state NEW,ESTABLISHED,RELATED -j ACCEPT





#Enable PORTFW of this port 2222 traffic from the external interface

#

$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 2222 -m state

--state NEW,ESTABLISHED,RELATED -j DNAT --to 10.55.121.190:22



echo -e "
done.
"





------end of
script----------------------------------------------------------------------
----------------

-----------

Gives this output:

External Interface: eth0

Internal Interface: eth1

loading modules: - Verifying that all kernel modules are ok

----------------------------------------------------------------------

ip_tables, ip_conntrack, ip_conntrack_ftp, ip_conntrack_irc, iptable_nat,
ip_nat_ftp,

----------------------------------------------------------------------

Done loading modules.



Enabling forwarding..

Clearing any existing rules and setting default policy..

FWD: Allow all connections OUT and only existing and related ones IN

Enabling SNAT (MASQUERADE) functionality on eth0



done.







--------

iptables -vnL

Chain INPUT (policy ACCEPT 96 packets, 8090 bytes)

pkts bytes target prot opt in out source
destination



Chain FORWARD (policy ACCEPT 3 packets, 180 bytes)

pkts bytes target prot opt in out source
destination

0 0 ACCEPT all -- eth0 eth1 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED

0 0 ACCEPT all -- eth1 eth0 0.0.0.0/0
0.0.0.0/0

0 0 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 4

0 0 ACCEPT tcp -- eth0 eth1 0.0.0.0/0
0.0.0.0/0 tcp dpt:2222 state NEW,RELATED,ESTABLISHED



Chain OUTPUT (policy ACCEPT 88 packets, 8248 bytes)

pkts bytes target prot opt in out source
destination



Chain RH-Firewall-1-INPUT (0 references)

pkts bytes target prot opt in out source
destination

0 0 ACCEPT all -- lo * 0.0.0.0/0
0.0.0.0/0

0 0 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmp type 255

0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:80

0 0 ACCEPT all -- * * 10.0.0.0/8
0.0.0.0/0

0 0 ACCEPT esp -- * * 0.0.0.0/0
0.0.0.0/0

0 0 ACCEPT ah -- * * 0.0.0.0/0
0.0.0.0/0

0 0 ACCEPT udp -- * * 0.0.0.0/0
224.0.0.251 udp dpt:5353

0 0 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:631

0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:631

77 5728 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED

0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp dpt:22

0 0 REJECT all -- * * 0.0.0.0/0
0.0.0.0/0 reject-with icmp-host-prohibited

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list

On Thu, Jun 16, 2011 at 4:27 PM, Steven Buehler <steve@ibushost.com> wrote:
>
> I have been googling and researching iptables and forwarding all day and
> still can't figure this out.

Try something like this (untested):

# Make sure that this is set to 1 to enable forwarding.
cat /proc/sys/net/ipv4/ip_forward

# If it's not set, set it with:
echo 1 > /proc/sys/net/ipv4/ip_forward

# Setup your iptables rules that you need to enable the forwarding. In
this example, I'm just forwarding traffic from a specific ip to
another another ip.

iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 2222 -m state
--state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i eth0 -d <eth0_ip> --dport 2222
-j DNAT --to <internal_server_ip>:22
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE


Romeo

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list

> -----Original Message-----
> From: redhat-list-bounces@redhat.com [mailto:redhat-list-
> bounces@redhat.com] On Behalf Of Romeo Theriault
> Sent: Thursday, June 16, 2011 4:22 PM
> To: General Red Hat Linux discussion list
> Subject: Re: iptables forwarding help
>
> On Thu, Jun 16, 2011 at 4:27 PM, Steven Buehler <steve@ibushost.com>
> wrote:
> >
> > I have been googling and researching iptables and forwarding all day
> > and still can't figure this out.
>
> Try something like this (untested):
>
> # Make sure that this is set to 1 to enable forwarding.
> cat /proc/sys/net/ipv4/ip_forward
>
> # If it's not set, set it with:
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> # Setup your iptables rules that you need to enable the forwarding. In
this
> example, I'm just forwarding traffic from a specific ip to another another
ip.
>
> iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 2222 -m state --state
> NEW,ESTABLISHED,RELATED -j ACCEPT iptables -t nat -A PREROUTING -p tcp -
> i eth0 -d <eth0_ip> --dport 2222 -j DNAT --to <internal_server_ip>:22
> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
>

Thanks, it was the last line that I was missing
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE


--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list