Re: PLEASE HELP - trying to forward web traffic through firewall w/IPTABLES

From: Aymeric Duclert (aduclert_at_freesurf.fr)
Date: 08/16/03


Date: 16 Aug 2003 14:43:33 -0700

Hi Justin,

I'm not at all an expert on iptables, but I have already done what you
want to do. I would suggest these lines:

IPTABLES=/sbin/iptables
EXTIP=<my_external_ip_addr>    # the firewall's static address on eth0
# The address translation
$IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# DNAT is done in PREROUTING, so FORWARD already sees the translated
# destination: match 10.0.0.2 port 8080 here, not port 80
$IPTABLES -A FORWARD -i eth0 -o eth1 -p tcp -d 10.0.0.2 --dport 8080 \
    -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp -d $EXTIP --dport 80 \
    -j DNAT --to-destination 10.0.0.2:8080

Hope this helps you!

Aymeric

Justin Morgan <ebayuser3@mac.com> wrote in message news:<bhjve4$2qs$0@216.39.137.171>...
> Please help! I've tried reading the IPTABLES man page and scoured Google,
> but with no luck. I'm having trouble getting port forwarding to work...I'd
> like requests that come in to my firewall on port 80 to be forwarded to the
> private web host on port 8080.
>
> I'm certain that two or three extra lines in /etc/sysconfig/iptables will
> enable the functionality, but I've been unable to find the magic
> incantations.
>
> I have a pretty generic home office configuration. I'm running Red Hat 8
> and iptables on the firewall. The firewall has its own static IP address on
> an external Internet ethernet interface. It also has an internal interface
> to the private non-routable network (10.x.x.x). I'm using Network Address
> Translation to mask the private hosts behind the firewall. This is all
> working well.
>
> Now I've added a web server to my private network behind the firewall.
> Here's an ASCII diagram of the network:
>
>                <INTERNET>
>                     |
>                  +--+--+
>                  | DSL |
>                  |modem|
>                  +--+--+
>                     |
>        external static IP (eth0)
>               +----+-----+
>               | Firewall |
>               |   host   |
>               +----+-----+
>        internal 10.0.0.1 (eth1)
>                     |
>                  +--+--+
>                  | hub |
>                  +--+--+
>                     |
>      +---------+---------+--------- . . .
>      |                   |
>   10.0.0.2            10.0.0.3
> +----+-------+      +----+-----+
> | Web Server |      |  Other   |
> |on port 8080|      | machine  |
> +------------+      +----------+
>
> Here are my current firewall rules from /etc/sysconfig/iptables.
>
> ----------------------------------------------------
>
> *filter
>
> # define the user-defined 'firewall' chain
> -N firewall
> # accept all mail connections on any interface for Sendmail/PostFix
> # from any interface
> # (note: 'mail' is defined in /etc/services, which iptables accepts)
> -A firewall -p tcp -m tcp --dport mail -j ACCEPT
> # accept all SSH connections from any interface
> -A firewall -p tcp -m tcp --dport ssh -j ACCEPT
> # accept all IMAPS connections on any interface (but not IMAP)
> -A firewall -p tcp -m tcp --dport imaps -j ACCEPT
> # accept all established and related connections from any interface
> -A firewall -m state --state ESTABLISHED,RELATED -j ACCEPT
> # accept all new connections as long as they are not from eth0
> # (ie, accept everything except from the Internet-facing interface)
> -A firewall -m state --state NEW -i ! eth0 -j ACCEPT
> # block everything else (eg, block the Internet-facing interface)
> -A firewall -j DROP
>
> # jump to that chain from the INPUT and FORWARD chains
> -A INPUT -j firewall
> -A FORWARD -j firewall
>
> COMMIT
>
> *nat
> # change source addresses to <my_external_ip_addr>
> -A POSTROUTING -o eth0 -j SNAT --to <my_external_ip_addr>
>
> COMMIT
>
> ----------------------------------------------------
>
> Many, many thanks for any help!
>
> - Justin
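The port-forwarding set-up discussed in this thread, written out as an added example (it is not Justin's or Aymeric's code). It emits the extra lines for /etc/sysconfig/iptables in the same *filter / *nat layout Justin's file already uses, using the thread's interface names (eth0 outside, eth1 inside) and addresses (10.0.0.1 firewall, 10.0.0.2 web server on 8080). The external address is an assumed placeholder from the RFC 5737 documentation range. Two points the script makes explicit: DNAT happens in nat/PREROUTING, so the filter/FORWARD accept rule has to match the translated destination 10.0.0.2:8080 rather than port 80; and LAN clients that browse to the public address need a separate "hairpin" DNAT plus SNAT, which is why the external DNAT rule is restricted to eth0.

```shell
#!/bin/sh
# Added example, not from either post in the thread. Prints the rules needed
# to forward public TCP port 80 on the firewall to an internal web server.
# eth0/eth1 and the 10.0.0.x addresses come from the thread; EXT_IP is an
# assumed placeholder (RFC 5737 documentation address) that you replace.
set -eu

EXT_IF=eth0
INT_IF=eth1
EXT_IP=${EXT_IP:-203.0.113.10}
LAN_NET=10.0.0.0/24
LAN_GW=10.0.0.1            # the firewall's own address on $INT_IF

# port_forward_rules PUBLIC_PORT INTERNAL_IP INTERNAL_PORT
# DNAT runs in nat/PREROUTING, before the routing decision and before
# filter/FORWARD. FORWARD therefore sees the *translated* destination, so the
# accept rule must match INTERNAL_IP:INTERNAL_PORT, not PUBLIC_PORT.
# In Justin's file the -A FORWARD line has to come *before*
# "-A FORWARD -j firewall", otherwise the firewall chain drops the NEW packet
# (it only accepts NEW connections that did not arrive on eth0).
# Outbound SNAT is not repeated here: Justin's POSTROUTING rule covers it.
port_forward_rules() {
    pub_port=$1; dst_ip=$2; dst_port=$3
    cat <<EOF
*filter
-A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $dst_ip --dport $dst_port -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
-A PREROUTING -i $EXT_IF -p tcp -d $EXT_IP --dport $pub_port -j DNAT --to-destination $dst_ip:$dst_port
COMMIT
EOF
}

# hairpin_rules PUBLIC_PORT INTERNAL_IP INTERNAL_PORT
# LAN clients that open http://$EXT_IP/ arrive on $INT_IF, so the eth0-only
# DNAT above does not apply to them. They need their own DNAT, plus an SNAT
# so the web server's reply goes back through the firewall instead of
# straight to the client, which would discard a reply from 10.0.0.2 when it
# is expecting one from $EXT_IP. The eth1->eth1 forward is already accepted
# by Justin's firewall chain ("--state NEW -i ! eth0 -j ACCEPT").
hairpin_rules() {
    pub_port=$1; dst_ip=$2; dst_port=$3
    cat <<EOF
*nat
-A PREROUTING -i $INT_IF -s $LAN_NET -p tcp -d $EXT_IP --dport $pub_port -j DNAT --to-destination $dst_ip:$dst_port
-A POSTROUTING -o $INT_IF -s $LAN_NET -d $dst_ip -p tcp --dport $dst_port -j SNAT --to-source $LAN_GW
COMMIT
EOF
}

# Without IP forwarding the DNATed packet is dropped at the routing step no
# matter what the rules say. Returns 0 when net.ipv4.ip_forward is 1.
forwarding_enabled() {
    [ -r /proc/sys/net/ipv4/ip_forward ] &&
        [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ]
}

# Print both fragments for review; merge the two *nat blocks into the single
# *nat section of /etc/sysconfig/iptables when pasting them in.
port_forward_rules 80 10.0.0.2 8080
hairpin_rules 80 10.0.0.2 8080
if ! forwarding_enabled; then
    echo "warning: net.ipv4.ip_forward is not 1; forwarding will not work" >&2
fi
```

After merging the lines into the file and restarting the iptables service, check that the counters move while a client connects: `iptables -t nat -L PREROUTING -n -v` should show hits on the DNAT rule and `iptables -L FORWARD -n -v` on the port-8080 accept rule. If the DNAT counter rises but the FORWARD one stays at zero, the accept rule is below the `-j firewall` jump or still matches port 80.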


