/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! /* ALSO: Don't quote this header. It makes you look lame :-) */
Hi all!

I've been trying to get port forwarding to work on my RH7.2 router for some time now, but it just doesn't seem to happen. I've read the "Linux IP Masquerade HOWTO" and lots of other docs and examples, but still no effect. I have masquerading working fine now with iptables, earlier with ipchains. In neither iptables nor ipchains could I get port forwarding to work.

I am trying to do some pretty common port forwarding: forwarding http traffic on port 80 _AND_ 81 to an internal http server on IP 192.168.0.2 port 80. I include my current script at the bottom of this mail.

I hope someone can help me. Any help is greatly appreciated. I'm not sure what information I should include to make it easier to help, but I have included some below.

With kind regards,
Uwe Kubosch

[EMAIL PROTECTED] root]# lsmod
Module                  Size  Used by    Not tainted
ip_nat_irc              3296   0 (unused)
ip_nat_ftp              3968   0 (unused)
ip_conntrack_irc        3456   0 (unused)
ip_conntrack_ftp        4608   0 (unused)
ipt_REJECT              3680   1 (autoclean)
ipt_LOG                 4288   2 (autoclean)
ipt_state               1056   4 (autoclean)
iptable_mangle          2848   0 (autoclean) (unused)
iptable_filter          2368   1 (autoclean)
ipt_MASQUERADE          2176   1
iptable_nat            19156   3 [ip_nat_irc ip_nat_ftp ipt_MASQUERADE]
ip_conntrack           19948   4 [ip_nat_irc ip_nat_ftp ip_conntrack_irc ip_conntrack_ftp ipt_state ipt_MASQUERADE iptable_nat]
ip_tables              13984   9 [ipt_REJECT ipt_LOG ipt_state iptable_mangle iptable_filter ipt_MASQUERADE iptable_nat]
autofs                 11044   0 (autoclean) (unused)
3c509                  11520   2
ext3                   64960   2
jbd                    47220   2 [ext3]

[EMAIL PROTECTED] root]# ls -w 80 /proc/sys/net/ipv4/
conf                               ipfrag_time            tcp_mem
icmp_echo_ignore_all               ip_local_port_range    tcp_orphan_retries
icmp_echo_ignore_broadcasts        ip_nonlocal_bind       tcp_reordering
icmp_ignore_bogus_error_responses  ip_no_pmtu_disc        tcp_retrans_collapse
icmp_ratelimit                     neigh                  tcp_retries1
icmp_ratemask                      route                  tcp_retries2
igmp_max_memberships               tcp_abort_on_overflow  tcp_rfc1337
inet_peer_gc_maxtime               tcp_adv_win_scale      tcp_rmem
inet_peer_gc_mintime               tcp_app_win            tcp_sack
inet_peer_maxttl                   tcp_dsack              tcp_stdurg
inet_peer_minttl                   tcp_ecn                tcp_synack_retries
inet_peer_threshold                tcp_fack               tcp_syncookies
ip_autoconfig                      tcp_fin_timeout        tcp_syn_retries
ip_conntrack_max                   tcp_keepalive_intvl    tcp_timestamps
ip_default_ttl                     tcp_keepalive_probes   tcp_tw_recycle
ip_dynaddr                         tcp_keepalive_time     tcp_tw_reuse
ip_forward                         tcp_max_orphans        tcp_window_scaling
ipfrag_high_thresh                 tcp_max_syn_backlog    tcp_wmem
ipfrag_low_thresh                  tcp_max_tw_buckets

[EMAIL PROTECTED] root]# grep "" /proc/sys/net/ipv4/ip_*
/proc/sys/net/ipv4/ip_autoconfig:0
/proc/sys/net/ipv4/ip_conntrack_max:2560
/proc/sys/net/ipv4/ip_default_ttl:64
/proc/sys/net/ipv4/ip_dynaddr:1
/proc/sys/net/ipv4/ip_forward:1
/proc/sys/net/ipv4/ip_local_port_range:1024 4999
/proc/sys/net/ipv4/ip_no_pmtu_disc:0
/proc/sys/net/ipv4/ip_nonlocal_bind:0

[EMAIL PROTECTED] root]# cat /etc/rc.firewall-2.4
#!/bin/sh

# Load the netfilter modules needed for connection tracking and NAT
depmod -a
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_nat_irc

# Turn on routing between the interfaces and dynamic-address support
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
modprobe ipt_MASQUERADE

# Start from empty chains in the filter, nat and mangle tables
iptables -F
iptables -t nat -F
iptables -t mangle -F

# Masquerade everything leaving on the external interface (eth0)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Allow forwarded http traffic from eth0 to the internal network on eth1.
# FORWARD is traversed after nat/PREROUTING, so a packet that arrived for
# port 81 has already been rewritten to port 80 by the time it gets here
# and matches the first rule; the --dport 81 rule never sees it.
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 81 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Redirect incoming port 80 and 81 on eth0 to the internal web server
iptables -A PREROUTING -t nat -p tcp --dport 80 -i eth0 -j DNAT --to 192.168.0.2:80
iptables -t nat -A PREROUTING -p tcp --dport 81 -i eth0 -j DNAT --to 192.168.0.2:80

# Traffic to the router itself: accept replies, accept new connections
# arriving on anything but eth0 ("-i ! eth0" is the old negation syntax;
# newer iptables wants "! -i eth0"), drop DHCP server->client noise,
# log whatever is left and then drop it by policy
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT
iptables -A INPUT -p UDP --sport 67 --dport 68 -j DROP
iptables -A INPUT -j LOG --log-prefix "New not syn:"
iptables -P INPUT DROP

# only if the first two are successful
iptables -A FORWARD -i eth0 -o eth0 -j LOG --log-prefix "external try to route:"
iptables -A FORWARD -i eth0 -o eth0 -j REJECT

_______________________________________________
Masq maillist - [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ -- THIS INCLUDES UNSUBSCRIBING!
or email to [EMAIL PROTECTED]
PLEASE read the HOWTO and search the archives before posting. You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.
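The part of the ruleset above that is easy to misread is the hook order: nat/PREROUTING rewrites the destination before the routing decision is made, and filter/FORWARD then sees 192.168.0.2:80, never the port 81 the client dialled. The Python below is an editor's illustration added here, not code from the post or from the Masq list; it models that traversal for the exact PREROUTING and FORWARD rules in the script and runs three constructed packets through it. The router's public address 198.51.100.1, the client addresses, the simplified routing function and the FORWARD policy (the script never sets one, so the kernel default ACCEPT is assumed) are assumptions; the rules themselves are transcribed from the post.

```python
"""Trace the first packet of a new TCP connection through the post's
rules: nat/PREROUTING (DNAT) -> routing decision -> filter/FORWARD or INPUT.
Constructed model for illustration only; it is not iptables."""

from dataclasses import dataclass, replace
from typing import Optional, Tuple

ROUTER_PUBLIC_IP = "198.51.100.1"   # assumed public address on eth0 (not in the post)
LAN_PREFIX = "192.168.0."           # network behind eth1, as in the post


@dataclass
class Packet:
    in_if: str      # interface the packet arrived on
    src: str
    dst: str        # destination address; rewritten by DNAT
    dport: int


@dataclass
class Rule:
    name: str
    target: str                              # DNAT, ACCEPT or REJECT
    in_if: Optional[str] = None              # -i
    out_if: Optional[str] = None             # -o
    dport: Optional[int] = None              # --dport
    to: Optional[Tuple[str, int]] = None     # --to addr:port for DNAT
    hits: int = 0                            # packet counter, as in iptables -v

    def matches(self, pkt: Packet, out_if: Optional[str] = None) -> bool:
        return ((self.in_if is None or pkt.in_if == self.in_if)
                and (self.out_if is None or out_if == self.out_if)
                and (self.dport is None or pkt.dport == self.dport))


# nat/PREROUTING and filter/FORWARD rules transcribed from the post's script
PREROUTING = [
    Rule("dnat80", "DNAT", in_if="eth0", dport=80, to=("192.168.0.2", 80)),
    Rule("dnat81", "DNAT", in_if="eth0", dport=81, to=("192.168.0.2", 80)),
]
FORWARD = [
    Rule("fwd80", "ACCEPT", in_if="eth0", out_if="eth1", dport=80),
    Rule("fwd81", "ACCEPT", in_if="eth0", out_if="eth1", dport=81),
    Rule("no-hairpin", "REJECT", in_if="eth0", out_if="eth0"),
]
FORWARD_POLICY = "ACCEPT"   # assumed: the script never runs "iptables -P FORWARD"


def route(dst: str) -> str:
    """Simplified routing decision: the router's own address is delivered
    locally, the LAN prefix goes out eth1, everything else out eth0."""
    if dst == ROUTER_PUBLIC_IP:
        return "local"
    return "eth1" if dst.startswith(LAN_PREFIX) else "eth0"


def traverse(pkt: Packet) -> dict:
    """Return where the first packet of a new connection ends up."""
    pkt = replace(pkt)              # work on a copy, keep the caller's packet intact
    dnat = None
    # nat/PREROUTING: the first matching DNAT rule rewrites the destination;
    # the nat table is consulted only for this first packet of the connection
    for rule in PREROUTING:
        if rule.matches(pkt):
            rule.hits += 1
            pkt.dst, pkt.dport = rule.to
            dnat = rule.name
            break
    out_if = route(pkt.dst)         # routing happens AFTER DNAT
    if out_if == "local":
        return {"chain": "INPUT", "dnat": dnat, "dst": (pkt.dst, pkt.dport),
                "verdict": None, "rule": None}
    # filter/FORWARD sees the rewritten destination, not what the client sent
    for rule in FORWARD:
        if rule.matches(pkt, out_if):
            rule.hits += 1
            return {"chain": "FORWARD", "dnat": dnat, "dst": (pkt.dst, pkt.dport),
                    "verdict": rule.target, "rule": rule.name, "out_if": out_if}
    return {"chain": "FORWARD", "dnat": dnat, "dst": (pkt.dst, pkt.dport),
            "verdict": FORWARD_POLICY, "rule": "policy", "out_if": out_if}


def counters() -> dict:
    """Per-rule packet counts, like the pkts column of iptables -L -n -v."""
    return {r.name: r.hits for r in PREROUTING + FORWARD}


if __name__ == "__main__":
    # constructed packets: two from the Internet on eth0, one from the LAN on eth1
    for p in (Packet("eth0", "203.0.113.5", ROUTER_PUBLIC_IP, 80),
              Packet("eth0", "203.0.113.5", ROUTER_PUBLIC_IP, 81),
              Packet("eth1", "192.168.0.10", ROUTER_PUBLIC_IP, 81)):
        print(p.in_if, p.dport, "->", traverse(p))
    print(counters())
```

Running it shows the port-81 FORWARD rule's counter staying at zero while the port-80 rule counts both external connections, which is also what "iptables -L FORWARD -n -v" on the router would report. The third packet shows a check worth doing before blaming the rules: a test from the LAN side arrives on eth1, never matches the DNAT rules because of their "-i eth0", and is delivered to the router's own INPUT chain rather than forwarded, so port forwarding must be tested from outside. The model does not cover the reply path; a LAN-side test would additionally need the source address SNATed so that the server's replies come back through the router instead of going straight to the client.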
