LeRoy Cressy on 8 Apr 2004 14:27:02 -0000 |
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Last night there was a question about how to get port 22 to automatically be forwarded to a machine inside a firewall to a private address.

DMZ="eth2"    ## DMZ Ethernet Connection
EXT="eth0"    ## Internet Ethernet Connection
RealIP="203.0.113.1"    ## Placeholder (not in the original post): the firewall's public address, set to yours

# Create a block chain in the filter table
iptables -N block
# Log new SSH connection attempts arriving on the Internet interface, at most one per hour
iptables -A block -m state --state NEW -p tcp -i $EXT --dport 22 \
    -m limit --limit 1/hour -j LOG --log-level info \
    --log-prefix "SSH login Request "
iptables -A block -m state --state NEW -p tcp -i $EXT --dport 22 \
    -j ACCEPT

# Set up the ip forwarding for the local network to get to the outside:
iptables -t nat -A POSTROUTING -o $EXT -p tcp -s 192.168.1.0/24 \
    --dport 22 -j SNAT --to $RealIP
# This is important for ssh
iptables -t nat -A POSTROUTING -o $EXT -p tcp -s 192.168.1.0/24 \
    --dport 1024 -j SNAT --to $RealIP

# Allow these ports from the outside to be forwarded to the appropriate
# machine:
iptables -t nat -A PREROUTING -i $EXT -p tcp --dport 22 \
    -j DNAT --to 192.168.10.1

# Link together the filter INPUT and FORWARD chains to your block
# chain
iptables -A INPUT -j block
iptables -A FORWARD -j block

I realize that these few rules are not very clear, but they work. Here is a little explanation:

1. When you are doing NAT along with port forwarding, a packet entering the firewall encounters the nat PREROUTING chain, which assigns it the destination address (DNAT).
2. Then the packet encounters the filter FORWARD chain, which either allows it to pass (ACCEPT) or drops it (DROP).
3. For the response, the nat POSTROUTING chain needs to have the source address (SNAT) set for the packets coming from the private network.

For ssh, sometime long ago I read that port 1024 is involved.

Hope that this helps

LeRoy :-)

- --
Rev. LeRoy D. Cressy   mailto:leroy@lrcressy.com   /\_/\
                       http://lrcressy.com         ( o.o )
Phone: 215-535-4037                                 > ^ <
FAX:   215-535-4285
gpg fingerprint: 62DE 6CAB CEE1 B1B3 359A 81D8 3FEF E6DA 8501 AFEA

For info on enigmail: http://lrcressy.com/linux/mozilla.pdf
For info on gpg: http://www.gnupg.org/

Jesus saith unto him, I am the way, the truth, and the life: no man cometh unto the Father, but by me. (John 14:6)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Debian - http://enigmail.mozdev.org

iD8DBQFAdWCvP+/m2oUBr+oRAvHnAJ492df2g+YaUVy3OjcNawriqjYGAQCfU3xK
LowawnO5lrzH3dYA5g4INik=
=zfxr
-----END PGP SIGNATURE-----

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
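As an added example, not part of LeRoy's post, here is a small POSIX shell script that implements the three steps his explanation lists (DNAT in nat PREROUTING, the filter FORWARD decision, SNAT in nat POSTROUTING) for the same kind of scenario. It uses the conntrack match so that only new connections to the forwarded port are accepted on FORWARD, with everything else riding on ESTABLISHED,RELATED; conntrack also reverses the DNAT on reply packets, so the SNAT rule is only there for connections the LAN itself originates. It also turns on net.ipv4.ip_forward, without which a DNAT rule forwards nothing. The interface names, the public address 203.0.113.10, the internal host 192.168.10.1 and the LAN 192.168.10.0/24 are assumed values; setting IPT=echo prints the rules instead of applying them, which is how the script can be reviewed without root.

```shell
#!/bin/sh
# Added example (not the original post's script): forward TCP/22 arriving on the
# public interface to an internal host, with rate-limited logging of new attempts.
EXT="eth0"                # assumed: Internet-facing interface
DMZ="eth2"                # assumed: interface toward the internal host
REAL_IP="203.0.113.10"    # assumed: firewall's public address (documentation range)
SSH_HOST="192.168.10.1"   # assumed: internal ssh server
LAN="192.168.10.0/24"     # assumed: internal network behind the firewall

# IPT defaults to the real binary; IPT=echo prints the rules for review instead.
IPT="${IPT:-iptables}"

enable_forwarding() {
    # Forwarding is off by default on most distributions; DNAT alone does nothing without it.
    sysctl -w net.ipv4.ip_forward=1 >/dev/null 2>&1 || echo 1 > /proc/sys/net/ipv4/ip_forward
}

ssh_forward_rules() {
    # 1. nat PREROUTING: rewrite the destination of inbound port 22 to the internal host.
    $IPT -t nat -A PREROUTING -i "$EXT" -p tcp --dport 22 \
        -j DNAT --to-destination "$SSH_HOST"

    # 2. filter FORWARD: log (at most once per hour) and accept only NEW connections
    #    to the forwarded port; replies and related traffic pass via conntrack state.
    $IPT -A FORWARD -i "$EXT" -o "$DMZ" -p tcp -d "$SSH_HOST" --dport 22 \
        -m conntrack --ctstate NEW -m limit --limit 1/hour -j LOG --log-prefix "SSH fwd: "
    $IPT -A FORWARD -i "$EXT" -o "$DMZ" -p tcp -d "$SSH_HOST" --dport 22 \
        -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 3. nat POSTROUTING: source-NAT traffic the LAN originates toward the Internet.
    #    Replies to the forwarded ssh session are un-DNATed by conntrack and need no rule here.
    $IPT -t nat -A POSTROUTING -o "$EXT" -s "$LAN" -j SNAT --to-source "$REAL_IP"
}

# Apply only when asked to; "sh script.sh apply" as root installs the rules,
# "IPT=echo sh script.sh apply" prints them.
if [ "${1:-}" = "apply" ]; then
    enable_forwarding
    ssh_forward_rules
fi
```

A default FORWARD policy of DROP is assumed around these rules; with a default of ACCEPT the NEW-only match on port 22 restricts nothing. Rules are appended with -A, so run this on a clean chain or from a script that flushes first.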