iptables port forwarding on debian
Solution 1
Double-check with iptables -L -n -v --line, and with -t nat. What you did looks right to me. Also run tcpdump to see if you can see the TCP SYN on the outside (eth0) and on the inside (eth1) to make sure this is where it disappears.
"This is not working" is not a good description. What isn't working? Do you get timeout or connection refused?
Solution 2
Change:
# port forwarding to local machine
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT --to 192.168.1.96
To:
# port forwarding to local machine
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT \
--to-destination 192.168.1.96:80
Updated on September 17, 2022
Comments
-
Anna almost 2 years
I'm trying to set up a simple port forwarding firewall and I can't make the basic non-firewall configuration work. I have set up the iptables script as follows
#!/bin/sh
# interfaces
LAN="eth1"
WAN="eth0"
# enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# delete all existing rules to start from scratch
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
# accept everything
iptables -A INPUT -j ACCEPT
iptables -A FORWARD -j ACCEPT
iptables -A OUTPUT -j ACCEPT
# port forwarding to local machine
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT --to 192.168.1.96
# masquerade
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
This script will not firewall anything but it should redirect port 80 on the gateway machine to my internal machine 192.168.1.96. This is not working. The problem is that I can't get from the outside into the inside machine. I don't even know how to start debugging. Any hints on where to look?
-
rkthkr about 15 years
The package needs to be "masqueraded" when it is going out on the wan...
-
fxmtor about 15 years
No, it's all right if the web server sees the actual IPs and if there are public IPs on the internal network. But the remote computer on the public Internet needs to see the public IP, not a private one.
-
fxmtor about 15 years
It doesn't need to include the ":80" in "192.168.1.96:80"; it just needs to include "192.168.1.96", since the port isn't changing.
-
rkthkr about 15 years
Very true, but it's there for completeness.. :)
-
Thomas about 15 years
Actually, --to -> --to-destination added nothing either. It's the same command.
-
Neobyte about 15 years
I guess you guys know better. :)
-
Anna about 15 years
You are right. This is what is happening. I can get from the outside to the inside and browse in my internal webserver (tomcat) for the first two pages. Once I need to enter login and password it just stops responding. I can browse from the internal pages without any problems.
-
Anna about 15 years
By the way, the pages after login time out.
-
Thomas about 15 years
Could it be because after logging in you are redirected to either https (port 443) or to the local (internal) ip address of the webserver?
-
Anna about 15 years
Another symptom. If I make my internal machine use the gateway machine to move traffic out, I can traceroute to www.google.com from 192.168.128.96 but I can't browse google because it just hangs waiting for a response.
-
Anna about 15 years
As for the redirection, when I replicate this setup with a linksys wireless router (I'm desperate) using it as a port router it works. This is what is leading me to believe that there is something wrong with my setup script.
-
Thomas about 15 years
If you make your internal machine use the gateway machine [as default gw]? You have to, or the DNAT won't work!
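As an added illustration (not code from the thread or from iptables), this Python model walks a client's SYN through the script's two NAT rules and through the connection-tracking reverse translation that Thomas's last comment relies on: the reply is only un-DNATed if it passes back through the gateway. The public addresses and client port are constructed; only 192.168.1.96 comes from the script.

```python
# Constructed model of the page's two NAT rules plus conntrack reverse translation.
from dataclasses import dataclass, replace

WAN_IP = "203.0.113.10"   # constructed public address of the gateway's eth0
SERVER = "192.168.1.96"   # internal web server from the script
CLIENT = "198.51.100.7"   # constructed client on the public Internet

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

class Gateway:
    """Models PREROUTING DNAT on eth0 and POSTROUTING MASQUERADE out eth0."""
    def __init__(self):
        self.conntrack = {}  # (client src, client sport) -> (original dst, dport)

    def from_wan(self, pkt):
        # PREROUTING: -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.1.96
        # (":80" is optional: without it the destination port is left unchanged)
        if pkt.dst == WAN_IP and pkt.dport == 80:
            self.conntrack[(pkt.src, pkt.sport)] = (pkt.dst, pkt.dport)
            pkt = replace(pkt, dst=SERVER)
        # MASQUERADE matches only -o eth0; this packet leaves on eth1, so the
        # server sees the real client address as source (fxmtor's point).
        return pkt

    def from_lan(self, pkt):
        # Reply path: conntrack reverses the DNAT before the packet leaves eth0
        key = (pkt.dst, pkt.dport)
        if key in self.conntrack:
            orig_dst, orig_dport = self.conntrack[key]
            return replace(pkt, src=orig_dst, sport=orig_dport)
        # Otherwise it is an outbound LAN connection: MASQUERADE to the WAN IP
        return replace(pkt, src=WAN_IP)

def simulate(server_default_gw_is_firewall):
    gw = Gateway()
    syn = Packet(CLIENT, WAN_IP, 40000, 80)
    at_server = gw.from_wan(syn)
    # The server answers the source it saw: the public client address.
    synack = Packet(at_server.dst, at_server.src, at_server.dport, at_server.sport)
    if not server_default_gw_is_firewall:
        # Reply leaves via another router, conntrack never sees it, and the
        # client gets nothing valid back from 203.0.113.10: the SYN times out.
        return synack
    return gw.from_lan(synack)
```

simulate(True) returns the SYN/ACK with its source rewritten back to the gateway's public address, while simulate(False) returns one still sourced from 192.168.1.96.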