- PLEASE HELP - trying to forward web traffic through firewall w/IPTABLES



Justin Morgan
07-24-2004, 08:49 PM
Please help! I've tried reading the IPTABLES man page and scoured Google,
but with no luck. I'm having trouble getting port forwarding to work...I'd
like requests that come in to my firewall on port 80 to be forwarded to the
private web host on port 8080.

I'm certain that two or three extra lines in /etc/sysconfig/iptables will
enable the functionality, but I've been unable to find the magic
incantations.

I have a pretty generic home office configuration. I'm running Red Hat 8
and iptables on the firewall. The firewall has its own static IP address on
an external Internet ethernet interface. It also has an internal interface
to the private non-routable network (10.x.x.x). I'm using Network Address
Translation to mask the private hosts behind the firewall. This is all
working well.

Now I've added a web server to my private network behind the firewall.
Here's an ASCII diagram of the network:

               <INTERNET>
                   |
                +--+--+
                | DSL |
                |modem|
                +--+--+
                   |
          external static IP (eth0)
              +----+-----+
              | Firewall |
              |   host   |
              +----+-----+
          internal 10.0.0.1 (eth1)
                   |
                +--+--+
                | hub |
                +--+--+
                   |
    +--------------+--------- . . .
    |              |
  10.0.0.2       10.0.0.3
+----+-------+ +----+-----+
| Web Server | |  Other   |
|on port 8080| | machine  |
+------------+ +----------+

Here are my current firewall rules from /etc/sysconfig/iptables.

----------------------------------------------------

*filter

# define the user-defined 'firewall' chain
-N firewall
# accept all mail connections on any interface for Sendmail/PostFix
# from any interface
# (note: 'mail' is defined in /etc/services, which iptables accepts)
-A firewall -p tcp -m tcp --dport mail -j ACCEPT
# accept all SSH connections from any interface
-A firewall -p tcp -m tcp --dport ssh -j ACCEPT
# accept all IMAPS connections on any interface (but not IMAP)
-A firewall -p tcp -m tcp --dport imaps -j ACCEPT
# accept all established and related connections from any interface
-A firewall -m state --state ESTABLISHED,RELATED -j ACCEPT
# accept all new connections as long as they are not from eth0
# (ie, accept everything except from the Internet-facing interface)
-A firewall -m state --state NEW -i ! eth0 -j ACCEPT
# block everything else (eg, block the Internet-facing interface)
-A firewall -j DROP

# jump to that chain from the INPUT and FORWARD chains
-A INPUT -j firewall
-A FORWARD -j firewall

COMMIT

*nat
# change source addresses to <my_external_ip_addr>
-A POSTROUTING -o eth0 -j SNAT --to <my_external_ip_addr>

COMMIT

----------------------------------------------------

Many, many thanks for any help!

- Justin

Aymeric Duclert
07-24-2004, 08:49 PM
Hi Justin,

I'm not at all an expert on iptables, but I have already done what you
want to do. I would suggest these lines:

IPTABLES=/sbin/iptables
EXTIP="<my_external_ip_addr>"   # the firewall's static address on eth0
# The address translation (does the same job as the SNAT rule already in place)
$IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Rewrite the destination of web requests arriving on eth0
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp -d $EXTIP --dport 80 \
    -j DNAT --to-destination 10.0.0.2:8080
# Let the rewritten packets through. FORWARD runs after the PREROUTING
# DNAT, so it sees 10.0.0.2:8080 rather than port 80, and the rule is
# inserted at the top so it is reached before the jump to the 'firewall'
# chain (whose last rule drops NEW connections from eth0).
$IPTABLES -I FORWARD -i eth0 -o eth1 -d 10.0.0.2 -p tcp --dport 8080 \
    -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Hope this helps you !

Aymeric

Justin Morgan <ebayuser3@mac.com> wrote in message news:<bhjve4$2qs$0@216.39.137.171>...

Justin Morgan
07-24-2004, 08:51 PM
Hi Aymeric,
Many thanks for the response. Just before I received your message, I found
a web site that had some iptables configuration commands that worked for me.
It looks pretty similar to your lines, so probably both would work.

http://kreiger.linuxgods.com/kiki/?Port+forwarding+with+netfilter

- Justin

On 8/16/03 2:43 PM, in article
7d177a64.0308161343.1bf2a70e@posting.google.com, "Aymeric Duclert"
<aduclert@freesurf.fr> wrote:
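The following is an added example, not code posted in this thread and not taken from the site Justin links to. It writes out a complete /etc/sysconfig/iptables for the topology above in the same iptables-restore format Justin uses, with the port forward folded into his existing ruleset, and then lints the result for the two mistakes that usually break a DNAT port forward: a FORWARD rule that still matches the public port (the packet has already been rewritten to 10.0.0.2:8080 by the time FORWARD sees it), and a FORWARD ACCEPT placed after the jump into the 'firewall' chain, whose last rule is DROP. The external address 192.0.2.10 is an assumed placeholder (an RFC 5737 documentation address), and the function names gen_rules and check_rules are chosen here.

```shell
#!/bin/sh
# Added example (not from the thread): emit a complete iptables-restore
# ruleset for the thread's topology with the port forward included, then
# sanity-check it. EXTIP is an assumed placeholder (RFC 5737 documentation
# address); replace it with the firewall's real static address on eth0.
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
EXTIP="${EXTIP:-192.0.2.10}"
WEB_HOST="${WEB_HOST:-10.0.0.2}"
WEB_PORT="${WEB_PORT:-8080}"
PUB_PORT="${PUB_PORT:-80}"

# Print the ruleset. Pipe it into 'iptables-restore', or save it as
# /etc/sysconfig/iptables on a Red Hat system, to apply it.
gen_rules() {
cat <<EOF
*filter
-N firewall
# services the firewall host itself offers ('mail' in /etc/services is an
# alias of smtp, so the two spellings are equivalent)
-A firewall -p tcp -m tcp --dport smtp -j ACCEPT
-A firewall -p tcp -m tcp --dport ssh -j ACCEPT
-A firewall -p tcp -m tcp --dport imaps -j ACCEPT
-A firewall -m state --state ESTABLISHED,RELATED -j ACCEPT
# new connections are fine unless they arrive on the Internet-facing side
# ('! -i' is the current spelling of the older '-i !')
-A firewall -m state --state NEW ! -i ${EXT_IF} -j ACCEPT
-A firewall -j DROP
# Forwarded web traffic. nat PREROUTING has already rewritten the packet by
# the time FORWARD sees it, so match the translated destination
# ${WEB_HOST}:${WEB_PORT}, not public port ${PUB_PORT}, and keep this rule
# ahead of the jump into 'firewall', which would drop it. Replies come back
# as ESTABLISHED and are accepted inside 'firewall'.
-A FORWARD -i ${EXT_IF} -o ${INT_IF} -d ${WEB_HOST} -p tcp -m tcp --dport ${WEB_PORT} -m state --state NEW -j ACCEPT
-A INPUT -j firewall
-A FORWARD -j firewall
COMMIT
*nat
# Scope the rewrite to packets arriving on ${EXT_IF}. A LAN client talking to
# ${EXTIP}:${PUB_PORT} would otherwise be DNATed too and get its replies
# straight from ${WEB_HOST}, which its TCP stack rejects; hairpin access from
# the LAN needs an extra SNAT rule that this ruleset deliberately omits.
-A PREROUTING -i ${EXT_IF} -p tcp -m tcp -d ${EXTIP} --dport ${PUB_PORT} -j DNAT --to-destination ${WEB_HOST}:${WEB_PORT}
-A POSTROUTING -o ${EXT_IF} -j SNAT --to-source ${EXTIP}
COMMIT
EOF
}

# Lint a ruleset read from stdin: prints "ok" and returns 0, or prints the
# problem and returns 1. Catches a FORWARD rule that matches the public port
# and a FORWARD ACCEPT that sits behind the jump into 'firewall'.
check_rules() {
    awk -v port="$WEB_PORT" -v pub="$PUB_PORT" '
        substr($0, 1, 1) == "*" { table = substr($0, 2); next }
        substr($0, 1, 1) == "#" { next }
        table == "filter" && /^-A FORWARD / {
            if ($0 ~ "-j firewall") jump = NR
            else if ($0 ~ ("--dport " port " ") && $0 ~ "-j ACCEPT") fwd = NR
            else if ($0 ~ ("--dport " pub " ")) bad = NR
        }
        END {
            if (bad)  { print "FORWARD matches public port " pub " but DNAT already rewrote it"; exit 1 }
            if (!fwd) { print "no FORWARD ACCEPT for translated port " port; exit 1 }
            if (jump && fwd > jump) { print "FORWARD ACCEPT sits after the jump to firewall (DROP wins)"; exit 1 }
            print "ok"
        }'
}

# Run stand-alone: lint, then print the ruleset so it can be redirected to a file.
gen_rules | check_rules >&2 && gen_rules
```

Save the output as /etc/sysconfig/iptables (or feed it to iptables-restore) and confirm the translation is being hit with `iptables -t nat -L PREROUTING -n -v`, whose packet counters on the DNAT rule should climb as outside requests arrive; if they climb but the FORWARD ACCEPT counter in `iptables -L FORWARD -n -v` stays at zero, the forward rule is matching the wrong port or sitting behind the jump.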