How to forward a port to an IP address?

Booting, installing, newbie
MaZZly
Posts: 23
Joined: Fri 14 Dec 2007, 21:16

How to forward a port to an IP address?

#1 Post by MaZZly »

internet -> modem(10.0.0.2) -> linuxEth0(10.0.0.5) -> linuxEth1(192.168.0.1) -> XP machine(192.168.0.2)



I want to forward port XXXX to 192.168.0.2:XXX.
How do I do that? I have googled and tried many variations on port forwarding with iptables. I have run the firewall script from the connection wizard, and I have tried to add the iptables forward rules to the /etc/rc.d/rc.firewall file and then done /etc/rc.d/rc.firewall stop and start, with no success.

And I check the ports by trying them here: http://connect.majestyc.net/
Last edited by MaZZly on Sun 23 Dec 2007, 11:54, edited 3 times in total.

mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#2 Post by mikeb »

I used the following before I got a router....

# NAT everything that leaves through eth0 (the interface facing the internet)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# let the kernel route packets between the two interfaces at all
echo 1 > /proc/sys/net/ipv4/ip_forward

Put it in /etc/rc.d/rc.local

to share the internet among a home network.
Never touched the firewall.
Seemed to just work...
mike

MaZZly
Posts: 23
Joined: Fri 14 Dec 2007, 21:16

#3 Post by MaZZly »

I tried that too (I didn't put those commands in rc.local, though; I just ran them from the console), but for some reason I couldn't load any site on the networked computers:
http://www.murga-linux.com/puppy/viewtopic.php?t=24541

And by the way, I want the other ports secured; that's why I have the rc.firewall script activated.

mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#4 Post by mikeb »

Hmm

Can you give more details on the network setup for your machines?

Have you had this network sharing the internet in Windows?

Can you ping the other machines?

mike

MaZZly
Posts: 23
Joined: Fri 14 Dec 2007, 21:16

#5 Post by MaZZly »

eth0 is the Ethernet card connected to the router and uses DHCP (I don't want the XP machine going through the router).
eth1 is the Ethernet card the internal network is connected to, and it's sharing the internet to 192.168.0.1/24.

The net is working fine now that I've set it up as I wrote in my other post. The thing I want to know is how to forward a specific port to a specific IP while keeping the other (not forwarded) ports closed.
Last edited by MaZZly on Sat 29 Dec 2007, 10:43, edited 1 time in total.

MaZZly
Posts: 23
Joined: Fri 14 Dec 2007, 21:16

#6 Post by MaZZly »

Doesn't anybody know the iptables commands to forward ports?
By googling I've found many examples, and every one of them has differed a little, but none of them has worked.. :S

mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#7 Post by mikeb »


MaZZly
Posts: 23
Joined: Fri 14 Dec 2007, 21:16

#8 Post by MaZZly »

Firelog doesn't help me with port forwarding.

What I need is
the iptables commands for port forwarding!

Just one example of port forwarding, so I can edit it and add my own port forwards later on..

And I don't want any suggestions to get another distro made for firewalling/routing, or anything like that; just the iptables help, or a program for Puppy where I can put in the rules I want..

Jesse
Posts: 466
Joined: Sun 08 May 2005, 16:07
Location: Auckland, NZ

#9 Post by Jesse »

iptables port forwarding info, commands & examples

http://www.hackorama.com/network/portfwd.shtml

MaZZly
Posts: 23
Joined: Fri 14 Dec 2007, 21:16

#10 Post by MaZZly »

So I tried:

# first attempt: match the address eth0 has on the modem side
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 10.0.0.5 --dport 33187 -j DNAT --to 192.168.0.2:33187

iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.2 --dport 33187 -j ACCEPT

and:

# second attempt: match the public address instead
iptables -t nat -A PREROUTING -p tcp -i eth0 -d my.internet.ip.address --dport 33187 -j DNAT --to 192.168.0.2:33187

iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.2 --dport 33187 -j ACCEPT

without success, so what am I doing wrong?

Jesse
Posts: 466
Joined: Sun 08 May 2005, 16:07
Location: Auckland, NZ

#11 Post by Jesse »

Hi,

Looks like your 'forward' command is trying to forward the packet via eth0, when it is eth1 that has the 192.168.0.x network.

Maybe check whether the protocol is UDP instead of TCP?

The iptables man page is here; maybe it's a better reference.
http://linux.die.net/man/8/iptables
Read up on all the option flags and see if they are correct for your network.

Check that your iptables filters are what you asked for by listing them with the 'iptables --list' command.

Check that iptables is loaded in the kernel with 'lsmod | grep ip'; you should see 'iptables_filter' and 'ip_tables'.

Jesse

MaZZly
Posts: 23
Joined: Fri 14 Dec 2007, 21:16

#12 Post by MaZZly »

This is my iptables -L now, as I have reinstalled Puppy and just run the .pup file described here: http://www.murga-linux.com/puppy/viewtopic.php?t=15129

# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     udp  --  anywhere             anywhere            udp dpt:bootps reject-with icmp-port-unreachable 
REJECT     udp  --  anywhere             anywhere            udp dpt:domain reject-with icmp-port-unreachable 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh 
DROP       tcp  --  anywhere             anywhere            tcp dpts:0:1023 
DROP       udp  --  anywhere             anywhere            udp dpts:0:1023 

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DROP       all  --  anywhere             192.168.0.0/16      
ACCEPT     all  --  192.168.0.0/16       anywhere            
ACCEPT     all  --  anywhere             192.168.0.0/16      

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination  

Jesse
Posts: 466
Joined: Sun 08 May 2005, 16:07
Location: Auckland, NZ

#13 Post by Jesse »

Hi,
Reading through the iptables man page, it seems that the first rule that matches is used, although the wording is not exactly clear on that. Either way, try shifting all the anywhere/anywhere rules to the start or the end of the list.
I'd suggest trial-and-error testing: start with a simple setup, one thing at a time, test it and make sure all the components are working, then add in the next thing and repeat.
Set up logging so you can see which rules are taking effect:
iptables -I FORWARD 1 -j LOG --log-level debug --log-prefix "fwd: "
and watch the log messages as they are generated:
tail -f /var/log/messages
I hope that helps.

I found this page, it has a tutorials section that looks very good.
http://www.netfilter.org/documentation/ ... tation-faq
especially this one:
http://www.justlinux.com/nhf/Security/I ... asics.html

Jesse

MaZZly
Posts: 23
Joined: Fri 14 Dec 2007, 21:16

#14 Post by MaZZly »

I don't think the first rule is matched, because I tried to set a forward rule as the first rule in the FORWARD chain and nothing changed :S

MaZZly
Posts: 23
Joined: Fri 14 Dec 2007, 21:16

#15 Post by MaZZly »

I started wondering: when I put in some rule with -A PREROUTING, where does it go? I tried "iptables -L PREROUTING", but that told me that no chain matched that name.. It seems like there is no PREROUTING chain, or am I completely wrong?

Jesse
Posts: 466
Joined: Sun 08 May 2005, 16:07
Location: Auckland, NZ

#16 Post by Jesse »

Yeah, I was wondering about those too...
man iptables wrote:...
Tables
There are currently three independent tables (which tables are present at any time depends on the kernel configuration options and which modules are present).

-t, --table table
This option specifies the packet matching table which the command should operate on. If the kernel is configured with automatic module loading, an attempt will be made to load the appropriate module for that table if it is not already there.

The tables are as follows:
...
nat:
This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out).
...
So the next obvious thing to try is:

sh-3.00# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
sh-3.00# 
That Basics tutorial sets you up to understand how iptables works. Even though it might seem irrelevant and overstated, it's very clarifying too :) If you're interested in understanding the "why and how" to make it work, it's very recommended reading.
Jesse
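For anyone following the thread, here is a complete rule set for the setup in post #1 (eth0 holding 10.0.0.5 towards the modem, eth1 holding 192.168.0.1 towards the XP machine, TCP port 33187 forwarded to 192.168.0.2). It is an added example, not code from the original posts: the interfaces, addresses and port come from the thread, while the function name portfwd_rules and the "portfwd:" log prefix are our own choices. It addresses the two things the listings above make visible. First, the firewall script's FORWARD chain begins with a DROP towards 192.168.0.0/16 and iptables matches first hit, so an ACCEPT appended with -A sits behind that DROP and is never reached; the rules below are inserted with -I in front of it. Second, DNAT lives in the nat table, so it only shows up under iptables -t nat -L PREROUTING, never under plain iptables -L. The PREROUTING rule matches on interface and port without pinning a destination address, so it works whether eth0 carries 10.0.0.5 or a public address. The script prints the rules by default; "apply" runs them as root and lists the result with -n -v, which shows the in/out interface matches that plain -L hides.

One check that is outside the Linux box entirely: in this topology 10.0.0.5 is itself a private address behind the modem, so the modem must pass port 33187 on to 10.0.0.5 before any of these rules can see a packet from the internet, and the external port checker will keep reporting the port closed until it does.

```shell
#!/bin/sh
# Added example for the thread above, not from the original posts.
# Forward one TCP port from the WAN side of a two-NIC Puppy box to a LAN
# host, next to a firewall script whose FORWARD chain starts with a DROP.
# Interfaces, addresses and port are from post #1; portfwd_rules and the
# "portfwd:" log prefix are our own names.

WAN_IF=eth0              # towards the modem, holds 10.0.0.5
LAN_IF=eth1              # towards the XP machine, holds 192.168.0.1
LAN_NET=192.168.0.0/24
FWD_PORT=33187           # port as seen from the internet
FWD_DST=192.168.0.2      # LAN host that should receive it
FWD_DPORT=33187          # port on that host

# Print the rules instead of running them, so they can be reviewed (or
# compared with iptables-save output) before touching a live firewall.
# Arguments: wan_if lan_if lan_net public_port dest_ip dest_port
portfwd_rules() {
    wan_if=$1
    lan_if=$2
    lan_net=$3
    port=$4
    dst=$5
    dport=$6
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
# nat table: hide the LAN behind eth0, and rewrite the forwarded port's
# destination before the routing decision (PREROUTING) so FORWARD already
# sees $dst as the destination
iptables -t nat -A POSTROUTING -o $wan_if -s $lan_net -j MASQUERADE
iptables -t nat -A PREROUTING -i $wan_if -p tcp --dport $port -j DNAT --to-destination $dst:$dport
# filter table: -I puts these in front of the script's DROP rule.
# 1: replies to anything already allowed, 2: LAN going out,
# 3: log each new connection to the forwarded port, 4: allow it.
# Nothing else from $wan_if is accepted, so the other ports stay closed.
iptables -I FORWARD 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD 2 -i $lan_if -o $wan_if -s $lan_net -j ACCEPT
iptables -I FORWARD 3 -i $wan_if -o $lan_if -p tcp -d $dst --dport $dport -m state --state NEW -j LOG --log-prefix "portfwd: "
iptables -I FORWARD 4 -i $wan_if -o $lan_if -p tcp -d $dst --dport $dport -m state --state NEW -j ACCEPT
EOF
}

case "${1:-print}" in
    print)
        portfwd_rules "$WAN_IF" "$LAN_IF" "$LAN_NET" "$FWD_PORT" "$FWD_DST" "$FWD_DPORT"
        ;;
    apply)
        [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; exit 1; }
        portfwd_rules "$WAN_IF" "$LAN_IF" "$LAN_NET" "$FWD_PORT" "$FWD_DST" "$FWD_DPORT" | sh -e
        # -n -v shows the in/out interfaces that a plain 'iptables -L' hides,
        # and the nat table has to be asked for explicitly.
        iptables -t nat -L PREROUTING -n -v
        iptables -L FORWARD -n -v --line-numbers
        ;;
    *)
        echo "usage: $0 [print|apply]" >&2
        exit 2
        ;;
esac
```

Run "apply" once after rc.firewall has started; if rc.firewall is restarted and flushes the chains, the rules have to be re-applied (calling the script at the end of /etc/rc.d/rc.local, as mikeb did with his MASQUERADE line, covers boot). While testing from the outside, watch tail -f /var/log/messages for lines prefixed "portfwd:": a hit on the LOG rule with no reply means the packet reached the box but the XP machine (or its own firewall) is not answering on 33187, while no hit at all means it never arrived on eth0, which points at the modem.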
