On Sun, 2001-11-11 at 01:43, David Ranch wrote:

> > Everything works fine; my internal computer goes to the Internet, but I am
> > having a problem configuring iptables so it will PORT forward port 80 / 21
> > to a local machine on my local LAN.
>
> A new HOWTO will be released shortly that fixes a bug (missing
> "NEW" option) in its PORTFW FTP example.
>
> Anyway, to do PORTFW under IPTABLES, add the following in addition
> to your existing ruleset. (make sure you put these before any
> DROP/REJECT rules)
>
> --
> #note: I cannot use -d $EXTIP as the rule never seems to match
> #
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 21 -m state \
>     --state NEW,ESTABLISHED,RELATED -j ACCEPT
>
> $IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 21 \
>     -j DNAT --to $PORTFWIP:21
> --

This will work for loose rulesets. However, it only works with the NAT and FILTER tables. It is highly advisable to work toward a strong ruleset for your firewall. The first step in doing this is to change all policies to DROP and then get only what you need working. I have what I believe to be a fairly strong ruleset (at least stronger than anything else I've found). My script can be found at http://www.asgardsrealm.net.
Here is some of the port forwarding code from the script:

<code>
echo -n "Forwarding $EXT_F to $INT_F:"
# filter table: let the forwarded traffic through the FORWARD chain
$IPTABLES -t filter -I FORWARD -p tcp -d $INT_IP \
    --dport $INT_PORT -j ACCEPT && \
$IPTABLES -t filter -I FORWARD -p udp -d $INT_IP \
    --dport $INT_PORT -j ACCEPT && \
# nat table: exempt the forwarded traffic from later POSTROUTING rules
$IPTABLES -t nat -I POSTROUTING -p tcp -d $INT_IP \
    --dport $INT_PORT -j ACCEPT && \
$IPTABLES -t nat -I POSTROUTING -p udp -d $INT_IP \
    --dport $INT_PORT -j ACCEPT && \
# mangle table: accept the inbound packets before any mangle PREROUTING drops
$IPTABLES -t mangle -I PREROUTING -p tcp -d $EXT_IP \
    --dport $EXT_PORT -j ACCEPT && \
$IPTABLES -t mangle -I PREROUTING -p udp -d $EXT_IP \
    --dport $EXT_PORT -j ACCEPT && \
# nat table: the actual port forward (external ip:port -> internal ip:port)
$IPTABLES -t nat -I PREROUTING -p tcp -d $EXT_IP --dport $EXT_PORT \
    -j DNAT --to-destination "$INT_IP:$INT_PORT" && \
$IPTABLES -t nat -I PREROUTING -p udp -d $EXT_IP --dport $EXT_PORT \
    -j DNAT --to-destination "$INT_IP:$INT_PORT" && \
# success/failure: init-script status helpers, assumed to be sourced earlier in the script
success $"Forwarding $EXT_F to $INT_F:" || \
failure $"Forwarding $EXT_F to $INT_F:"
echo ""
</code>

Jamin W. Collins
-- 
"Life is the art of drawing without an eraser." - John Gardner
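A worked example added here (it is neither Jamin's script nor the HOWTO's code): a default-DROP ruleset that forwards ports 80 and 21 from the original question to one internal host, showing that under a DROP policy the nat DNAT rule needs a matching FORWARD accept on the post-DNAT destination, and that FTP additionally needs the conntrack/NAT helpers. Interface names, addresses and the 2.4-era module names are assumptions; with IPTABLES="echo iptables" the script only prints the rules.

```shell
#!/bin/sh
# Added example, not the poster's script. Names and addresses below are assumptions.
IPTABLES="${IPTABLES:-iptables}"      # set to "echo iptables" for a dry run
MODPROBE="${MODPROBE:-modprobe}"
EXTIF="${EXTIF:-eth0}"                # Internet-facing interface (assumed)
INTIF="${INTIF:-eth1}"                # LAN interface (assumed)
EXTIP="${EXTIP:-203.0.113.5}"         # public address (constructed, TEST-NET-3)
PORTFWIP="${PORTFWIP:-192.168.1.10}"  # internal server (constructed)

# Forward one TCP port. Under a DROP policy the DNAT rule alone is not enough:
# the rewritten packet still has to be accepted by the filter table's FORWARD
# chain, which sees the post-DNAT destination, so match on $PORTFWIP there.
portfw_tcp() {
    fw_port="$1"
    $IPTABLES -t nat -A PREROUTING -i "$EXTIF" -p tcp -d "$EXTIP" --dport "$fw_port" \
        -j DNAT --to-destination "$PORTFWIP:$fw_port"
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" -p tcp -d "$PORTFWIP" --dport "$fw_port" \
        -m state --state NEW -j ACCEPT
}

portfw_strict() {
    # 1. Default deny, then open only what is needed.
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -F
    $IPTABLES -t nat -F
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 2. LAN may initiate outbound; only replies and RELATED flows come back in.
    $IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
    # 3. Inbound forwards for the two ports from the question. FTP data
    #    connections are only RELATED when the helpers are loaded (2.4 module names).
    portfw_tcp 80
    $MODPROBE ip_conntrack_ftp
    $MODPROBE ip_nat_ftp
    portfw_tcp 21
}

# Apply only when explicitly asked (as root): sh portfw.sh apply
case "${1:-}" in apply) portfw_strict ;; esac
```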
