iptables port forwarding rules help ..RESOLVED

Mario Frechette mariof2000 at videotron.ca
Fri Dec 15 20:54:49 UTC 2006


Hi list
I finally resolved this port forwarding stuff. The forwarding rule I
had was assuming a source port, and it was wrong, and my personal rule
was keeping me from connecting to the local PC with the anypc software.

Thanks to everyone who helped me get back on the track.

Here is the whole iptables script to NAT & PORT FORWARD (dnsmasq is
already installed).

Mario Fréchette

#!/bin/sh
#
# Basic firewall & connection sharing + example of port forwarding
#
# inspired from Mjules_at_ifrance.com
# I did my best to translate correctly

start() {
    # suppose the internet interface is eth1
    /sbin/ifup eth1

    # empty all chains
    iptables -F
    # delete the personal (user-defined) chains
    iptables -X

    # default policies
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT

    # init of the NAT & MANGLE tables (optional: I don't have any MANGLE
    # rules, but it doesn't bother here)
    iptables -t nat -F
    iptables -t nat -X
    iptables -t nat -P PREROUTING ACCEPT
    iptables -t nat -P POSTROUTING ACCEPT
    iptables -t nat -P OUTPUT ACCEPT

    iptables -t mangle -F
    iptables -t mangle -X
    iptables -t mangle -P PREROUTING ACCEPT
    iptables -t mangle -P OUTPUT ACCEPT

    # Accept local connections (between local processes)
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    ########## Example of port forwarding: here the anyplace remote
    ########## software is forwarded to a local XP machine.
    ################ anyplace #####################################

    # DNAT rewrites the destination of packets arriving on eth1 for these
    # ports. There is deliberately no --sport match: the client's source
    # port is an unpredictable ephemeral port.
    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 5279 \
        -j DNAT --to-destination 192.168.123.107:5279
    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 4279 \
        -j DNAT --to-destination 192.168.123.107:4279

    # the FORWARD policy is DROP, so the rewritten packets must be
    # explicitly accepted towards the XP machine (the return traffic is
    # covered by the ESTABLISHED,RELATED rule of the MAregle chain below)
    iptables -A FORWARD -d 192.168.123.107 -p tcp --dport 5279 -j ACCEPT
    iptables -A FORWARD -d 192.168.123.107 -p tcp --dport 4279 -j ACCEPT

    ######################## end anyplace ###############################

    # here a personal chain
    iptables -N MAregle

    # this chain accepts NEW connections that do NOT come from the
    # internet interface, and accepts all ESTABLISHED & RELATED
    # connections
    iptables -A MAregle -m state --state NEW ! -i eth1 -j ACCEPT
    iptables -A MAregle -m state --state ESTABLISHED,RELATED -j ACCEPT

    # apply this personal chain to INPUT and to connection sharing
    # (FORWARD)
    iptables -A INPUT -j MAregle
    iptables -A FORWARD -j MAregle

    # forwarding activation in the kernel (without this nothing works)
    echo 1 > /proc/sys/net/ipv4/ip_forward

    # NAT activation to get out to the internet: a must too
    iptables -t nat -A POSTROUTING -s 192.168.123.0/24 -o eth1 -j MASQUERADE
}

# stop only disables forwarding and takes the internet interface down;
# the filter and nat rules loaded by start stay in place
stop() {
    echo 0 > /proc/sys/net/ipv4/ip_forward
    /sbin/ifdown eth1
}

######## this last part is the script logic to (re)start the internet
######## interface if needed ###########################################
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        stop && start
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}"
        exit 1
        ;;
esac

exit 0



Hervé Fache wrote:
> On 12/14/06, John L Fjellstad <john-ubuntu at fjellstad.org> wrote:
>   
>> Basically, your rule
>> iptables -t nat -A PREROUTING -p tcp -i eth1 -d xxx.xxx.xxx.xxx --dport
>> 5279 \
>> --sport 5279 -j DNAT --to 192.168.123.107:5279
>>
>> says a tcp package coming in on interface eth1 with destination
>> xxx.xxx.xxx.xxx and destination port 5279 AND with source port 5279 gets
>> sent to 192.168.123.107 on port 5279
>>
>> I'm thinking this rule is too specific (does it really come from port
>> 5279?)
>>     
>
> And I did not see (but I looked very quickly) whether you had a rule
> to allow input of the port, like:
> iptables -A INPUT -i eth1 -p tcp --dport 5279 -j ACCEPT
> I remember doing port forwarding and needing both the  INPUT and
> FORWARD rules for it to work (but I have been wrong before ;-).
>
> HTH
> Hervé.
>   
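Added example, not from Mario's script or from anyone in the thread: a small sh script that generates the DNAT + FORWARD pair for any port and target (the two lines the script above writes by hand for 5279 and 4279), and a lint that reads iptables-save output and flags any DNAT rule that also matches on --sport, which is the mistake John spotted. The interface name eth1 and the target 192.168.123.107 are taken from the thread as assumptions, and the iptables-save dump it checks is constructed input, not captured from a real machine.

```sh
#!/bin/sh
# Added example, not from the original post: generate the rule pair a
# port forward needs, and lint an iptables-save dump for the --sport
# mistake that broke the poster's setup.
# Assumptions: eth1 is the internet interface, 192.168.123.107 the target.

WAN_IF="${WAN_IF:-eth1}"

# forward_port TARGET_IP PORT [PROTO]
# Prints (does not apply) the two rules a port forward needs:
#   1. nat/PREROUTING DNAT: rewrite the destination of packets arriving
#      on the internet interface for this port.
#   2. filter/FORWARD ACCEPT: the default FORWARD policy is DROP, so the
#      rewritten first packet must be explicitly allowed to the target.
# Deliberately no --sport: a client picks a random ephemeral source
# port, so matching on it would drop almost every connection attempt.
forward_port() {
    target="$1"; port="$2"; proto="${3:-tcp}"
    printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$WAN_IF" "$proto" "$port" "$target" "$port"
    printf 'iptables -A FORWARD -i %s -d %s -p %s --dport %s -m state --state NEW -j ACCEPT\n' \
        "$WAN_IF" "$target" "$proto" "$port"
}

# lint_dnat_rules
# Reads iptables-save output on stdin and prints every DNAT rule that
# also matches on the source port. The return value is the number of
# such rules (0 = clean), so it can be used directly in an if.
lint_dnat_rules() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            *"-j DNAT"*)
                case "$line" in
                    *"--sport"*|*"--source-port"*|*"--sports"*)
                        printf 'source-port match in DNAT rule: %s\n' "$line"
                        bad=$((bad + 1)) ;;
                esac ;;
        esac
    done
    return "$bad"
}

# Constructed sample (not a dump from the poster's machine) in the format
# iptables-save prints. The first rule reproduces the original mistake.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --sport 5279 --dport 5279 -j DNAT --to-destination 192.168.123.107:5279
-A PREROUTING -i eth1 -p tcp -m tcp --dport 4279 -j DNAT --to-destination 192.168.123.107:4279
-A POSTROUTING -s 192.168.123.0/24 -o eth1 -j MASQUERADE
COMMIT'

# Usage: sh portfwd.sh          -> print the rules and lint the sample
#        sh portfwd.sh --apply  -> apply the rules and lint the live
#                                  nat table (needs root)
if [ "${1:-}" = "--apply" ]; then
    forward_port 192.168.123.107 5279 | sh
    forward_port 192.168.123.107 4279 | sh
    if ! iptables-save -t nat | lint_dnat_rules; then
        echo "fix the DNAT rule(s) listed above"
    fi
else
    forward_port 192.168.123.107 5279
    forward_port 192.168.123.107 4279
    if ! printf '%s\n' "$SAMPLE_NAT" | lint_dnat_rules; then
        echo "the sample has bad DNAT rule(s), see above"
    fi
fi
```

The generated FORWARD rule only lets the first (NEW) packet of a forwarded connection through; the return traffic and later packets still rely on an ESTABLISHED,RELATED rule in FORWARD, which the MAregle chain in the script above provides. No INPUT rule is needed for a forward to another host: once the destination has been rewritten by DNAT, the packet is routed and goes through FORWARD, never through INPUT. Because the rules match `-i eth1`, LAN hosts contacting the public address are not redirected; that needs a separate hairpin rule.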
More information about the kubuntu-users mailing list