IPTables and Port Forwarding?
$hy_guy asks: "I have
been totally striking out finding some info on how to do port forwarding in
Linux. I am currently running Mandrake 8.1 as my router and I would like
to forward a particular port to another machine on my LAN. I'm pretty
sure I have to use iptables but I have been very unsuccessful at the proper
syntax. I have scoured through Google and I have not really found any
useful info. I would appreciate just a link or something to point me the
correct direction. Thanks for the help" I know many of you may think this
is an FAQ, but it seems that IPTables confuses many people as this is not
the first time this question has hit the bin. If someone has a good general
reference on the use of IPTables, please share.
I use MonMotha's IPTables script to build my firewall. You tell it which ports to leave open and it closes the rest. It also has stuff in there for rate limiting and stuff, I think. According to that page, the beta does port forwarding.
rooooar
Netfilter is extremely well documented... this poster must not have tried very hard.
Home page: http://www.netfilter.org/
FAQs: http://www.netfilter.org/documentation/FAQ/netfilter-faq.html
Excellent HOWTOs: http://www.netfilter.org/documentation/index.html#HOWTO
This one's a bit easy:
Step one: go to http://www.netfilter.org
Step two: find the HOWTO section
Step three: the fifth line of the HTML version of the NAT-HOWTO reads like this: This document describes how to do masquerading, transparent proxying, port forwarding, and other forms of Network Address Translations with the 2.4 Linux Kernels.
Step four: Wait, there's no step four... there's no step four!
Quentin
It seems simple, but I'll bet that today's kids forget to use "howto" as a search parameter.
Go ahead, Google "iptables port forwarding" and see how much worse those results are.
This just goes to show that we need more basic user education. RTFM should be preceded by RTFH (Read The Fucking HOWTO!) so that people at least know what to look for when they're stumped.
Kids these days...
Raptor
"Procrastination is great. It gives me a lot more time to do things that I'm never going to do."
Heh... by coincidence, I just finished a project for the local hospital... I was coding a full-featured firewall based on Linux, and it had to integrate seamlessly with a WinNT network, including limiting 'net access by user name, and it had to work totally transparently for the users. Since a number of people in the hospital use Remotely Anywhere to connect from home, port forwarding became an issue for us.
The syntax for port forwarding is:
iptables -t nat -I PREROUTING -p <protocol> --dport <destination port> -j DNAT --to-destination <destination IP>:<destination port>
Note that you can remap port numbers, too, if need be (i.e. traffic coming in on port 80 is redirected internally to port 5000).
Make sure you have the destination NAT target compiled in (I think it might be, by default), and make sure you enable all the NAT stuff you need.
If you want to get into the kernel's routing abilities, check http://ds9a.nl/lartc/HOWTO//cvs/2.4routing/output/2.4routing.html. This site is _the_ place to go for info on the subject. But if you want to keep it simple, stay with the suggested netfilter sites.
Yeah it's not as obvious as first, but it's actually pretty simple.
OK here's an example: our gateway is 192.168.0.1 with lan interface eth0 and internet interface eth1. We want to redirect port 21 (FTP) to the machine 192.168.0.10
First of all, we need to add a rule matching incoming data to port 21. We use the PREROUTING chain in the NAT table:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 21 -j DNAT --to-destination 192.168.0.10
This says: in the network address translation table and the chain that deals with incoming data prior to routing, and if the data is coming in from the internet and wants to go to TCP port 21 (ftp), DNAT (destination network address translate) it to transparently make it go to 192.168.0.10
Here's a generic template:
iptables -t nat -A PREROUTING -i [net interface] [selection rules - proto, port] -j DNAT --to-destination [ip on lan]
You can also redirect to a different port number, in the above example to redirect to 192.168.0.10 port 321 it would be:
--to-destination 192.168.0.10:321
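The two posts above give the DNAT syntax and the eth0/eth1 scenario; what they leave out is that a DNAT rule alone does nothing if IP forwarding is off or if the FORWARD chain drops the rewritten packet. The script below is an added example (not code from either poster) that puts the pieces together for the thread's example values (gateway with LAN interface eth0, Internet interface eth1, FTP forwarded to 192.168.0.10, plus the 80-to-5000 remap mentioned earlier). Every rule goes through $IPT, so with the default IPT=echo it only prints what it would do; run it as root with IPT=iptables to apply.

```shell
#!/bin/sh
# Added example for the thread's scenario, not from the original posts.
# Default IPT=echo previews the rules; IPT=iptables (as root) applies them.
# Interface names and addresses are the thread's example values.

IPT="${IPT:-echo}"
WAN_IF="eth1"
LAN_IF="eth0"

# Baseline for the FORWARD chain: drop by default, let reply traffic for
# already-tracked connections through, and let LAN clients out to the net.
forward_baseline() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
}

# One port forward needs two rules, not one.
# Args: protocol, external port, internal IP, internal port.
forward_port() {
    proto=$1; ext_port=$2; int_ip=$3; int_port=$4
    # 1. Rewrite the destination before the routing decision (nat table).
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p "$proto" --dport "$ext_port" \
        -j DNAT --to-destination "$int_ip:$int_port"
    # 2. DNAT only rewrites the address; with FORWARD policy DROP the
    #    rewritten packet must still be accepted in the filter table.
    #    Match on the post-DNAT destination (internal IP and port).
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p "$proto" -d "$int_ip" \
        --dport "$int_port" -m state --state NEW -j ACCEPT
}

# None of the above matters unless the kernel is routing between interfaces.
enable_routing() {
    if [ "$IPT" = "echo" ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

enable_routing
forward_baseline
forward_port tcp 21 192.168.0.10 21     # FTP, same port inside and out
forward_port tcp 80 192.168.0.10 5000   # external 80 remapped to internal 5000
```

Two caveats that bite in practice: FTP carries port numbers inside the control channel, so forwarding it through NAT also needs the FTP connection-tracking helper modules (ip_conntrack_ftp and ip_nat_ftp on 2.4 kernels) loaded, and the filter rule must match the internal address and port, because by the time the packet reaches FORWARD the DNAT has already happened. The script uses the classic -m state match from the thread's era; on current kernels -m conntrack --ctstate is the equivalent.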
As for this being an FAQ, I am aware of no such references on IPTables, and it doesn't matter. I think the manual page provides more than sufficient information to get you started. If you don't understand it, then you should not be administering a gateway of any kind!
He apparently did it by IP address.
But there's another way:
owner
This module attempts to match various characteristics of the packet creator, for locally-generated packets. It is only valid in the OUTPUT chain, and even then some packets (such as ICMP ping responses) may have no owner, and hence never match.
--uid-owner userid
Matches if the packet was created by a process with the given effective user id.
--gid-owner groupid
Matches if the packet was created by a process with the given effective group id.
--pid-owner processid
Matches if the packet was created by a process with the given process id.
--sid-owner sessionid
Matches if the packet was created by a process in the given session group.
And with Iptables 1.2.5 you can even establish quotas per user.
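As an added example (not from the poster above), here is the owner match used the way the man page excerpt allows: in the OUTPUT chain only, on packets generated by processes on the gateway itself. It assumes the Internet interface is eth1 and uses constructed UIDs (1001, 1002) purely as sample values. As in the earlier example, IPT=echo (the default) previews the rules and IPT=iptables as root applies them.

```shell
#!/bin/sh
# Added example of per-user egress control with the owner match.
# Only meaningful for locally generated packets (OUTPUT chain); it cannot
# identify the user behind forwarded LAN traffic. UIDs below are constructed
# sample values; eth1 is assumed to be the Internet-facing interface.

IPT="${IPT:-echo}"
WAN_IF="eth1"

# Allow only the listed UIDs to open connections out on $WAN_IF.
# Args: one or more numeric user ids.
allow_users_out() {
    # Reply packets for tracked connections are accepted first. This must
    # come before the uid rules because, as the man page says, some
    # kernel-generated packets have no owner and can never match --uid-owner.
    $IPT -A OUTPUT -o "$WAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    for uid in "$@"; do
        $IPT -A OUTPUT -o "$WAN_IF" -m owner --uid-owner "$uid" -j ACCEPT
    done
    # Log what is about to be dropped so blocked users show up in the kernel
    # log, then drop everything else leaving on the Internet interface.
    $IPT -A OUTPUT -o "$WAN_IF" -j LOG --log-prefix "owner-drop: "
    $IPT -A OUTPUT -o "$WAN_IF" -j DROP
}

allow_users_out 1001 1002
```

Note that the deny-by-default rule at the end also catches root-owned daemons on the gateway unless uid 0 is passed in, which is usually the intent when auditing what the box itself talks to.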
Please see my page with detailed instructions on how I did port forwarding on my Mandrake 8.1 box, which uses Bastille scripts to generate the Iptables rules.