Gentoo Forums
Forum Index: Networking & Security
Topic: iptables +port forwarding
mchrk
n00b


Joined: 29 Mar 2006
Posts: 6

Posted: Wed May 31, 2006 6:42 pm    Post subject: iptables +port forwarding

Hello. I have my server as a router and everything goes through it.
Everything works great EXCEPT that port forwarding doesn't work.
What I am trying to do is forward the port 6112 so I can play diablo 2 with a friend over tcp/ip :D
Well, here is my config, what is wrong, almighty folks?
eth0 is my external card.
eth1 is my internal card.
I want to forward port 6112 to 192.168.0.2.

Code:

#!/bin/sh
#
#

# set a few variables
echo ""
echo "  setting global variables"
echo ""
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
iptables="/sbin/iptables"

# adjust /proc
echo "  applying general security settings to /proc filesystem"
echo ""
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then echo 1 > /proc/sys/net/ipv4/tcp_syncookies; fi
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter; fi
if [ -e /proc/sys/net/ipv4/ip_forward ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; fi

# load some modules
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_nat_irc.o ]; then modprobe ip_nat_irc; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_irc.o ]; then modprobe ip_conntrack_irc; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o ]; then modprobe ip_conntrack_ftp; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_nat_ftp.o ]; then modprobe ip_nat_ftp; fi

# flush any existing chains and set default policies
$iptables -F INPUT
$iptables -F OUTPUT
$iptables -P INPUT DROP
$iptables -P OUTPUT ACCEPT

# setup nat
echo "  applying nat rules"
echo ""
$iptables -F FORWARD
$iptables -F -t nat
$iptables -P FORWARD DROP
$iptables -A FORWARD -i eth1 -j ACCEPT
$iptables -A INPUT -i eth1 -j ACCEPT
$iptables -A OUTPUT -o eth1 -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE

# allow all packets on the loopback interface
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT

# allow established and related packets back in
$iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# blocking reserved private networks incoming from the internet
echo "  applying incoming internet blocking of reserved private networks"
echo ""
#$iptables -I INPUT -i eth0 -s 10.0.0.0/8 -j DROP
#$iptables -I INPUT -i eth0 -s 172.16.0.0/12 -j DROP
$iptables -I INPUT -i eth0 -s 192.168.0.0/24 -j DROP
$iptables -I INPUT -i eth0 -s 127.0.0.0/8 -j DROP
#$iptables -I FORWARD -i eth0 -s 10.0.0.0/8 -j DROP
#$iptables -I FORWARD -i eth0 -s 172.16.0.0/12 -j DROP
$iptables -I FORWARD -i eth0 -s 192.168.0.0/24 -j DROP
$iptables -I FORWARD -i eth0 -s 127.0.0.0/8 -j DROP

# icmp
echo "  applying icmp rules"
echo ""
$iptables -A OUTPUT -p icmp -m state --state NEW -j ACCEPT
$iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -p icmp --icmp-type echo-request -i eth0 -j DROP

# apply icmp type match blocking
echo "  applying icmp type match blocking"
echo ""
$iptables -I INPUT -p icmp --icmp-type redirect -j DROP
$iptables -I INPUT -p icmp --icmp-type router-advertisement -j DROP
$iptables -I INPUT -p icmp --icmp-type router-solicitation -j DROP
$iptables -I INPUT -p icmp --icmp-type address-mask-request -j DROP
$iptables -I INPUT -p icmp --icmp-type address-mask-reply -j DROP

#open ports to everyone
echo "  applying *ports"
echo ""
$iptables -A INPUT -p tcp --dport 6001:6100 -j ACCEPT


# open ports to the internal machine(s)
$iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 22 -m state --state NEW -j ACCEPT



# open and forward ports to the internal machine(s)
echo "  applying port forwarding rules"
echo ""
#$iptables -A FORWARD -i eth0 -p tcp --dport 6112 -j ACCEPT
#$iptables -t nat -A PREROUTING -i eth0 -p tcp -d MY_EXTERNAL_IP --dport 6112 -j DNAT --to-destination 192.168.0.2:6112
#$iptables -A FORWARD -i eth0 -p udp --dport 6112 -j ACCEPT
#$iptables -t nat -A PREROUTING -i eth0 -p udp -d MY_EXTERNAL_IP --dport 6112 -j DNAT --to-destination 192.168.0.2:6112

#$iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 6112 -j DNAT --to 192.168.0.2:6112
$iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 6112 -j DNAT --to 192.168.0.2:6112
$iptables -A PREROUTING -t nat -i eth0 -p udp --dport 6112 -j DNAT --to 192.168.0.2:6112

#$iptables -t nat -A PREROUTING -d MY_EXTERNAL_IP --dport 6112 -j DNAT --to 192.168.0.2:6112
#$iptables -t nat -A PREROUTING -d MY_EXTERNAL_IP --dport 4000 -j DNAT --to 192.168.0.2:4000


#$iptables -A FORWARD -i eth0 -p tcp --dport 4000 -j ACCEPT
#$iptables -t nat -A PREROUTING -i eth0 -p tcp -d MY_EXTERNAL_IP --dport 4000 -j DNAT --to-destination 192.168.0.2:4000
#$iptables -A FORWARD -i eth0 -p udp --dport 4000 -j ACCEPT
#$iptables -t nat -A PREROUTING -i eth0 -p udp -d MY_EXTERNAL_IP --dport 4000 -j DNAT --to-destination 192.168.0.2:4000



# drop all other packets
echo "  applying default drop policies"
echo ""
$iptables -A INPUT -i eth0 -p tcp --dport 0:65535 -j DROP
$iptables -A INPUT -i eth0 -p udp --dport 0:65535 -j DROP
echo ""
salam
Apprentice


Joined: 29 Sep 2005
Posts: 227

Posted: Wed May 31, 2006 7:04 pm

I think this one:
#$iptables -A FORWARD -i eth0 -p tcp --dport 6112 -j ACCEPT
and this one:
#$iptables -A FORWARD -i eth0 -p udp --dport 6112 -j ACCEPT

allow NEW state packets from the internet to be forwarded, so just uncomment them (or try to enter a full accept rule to FORWARD as the first one, to be sure nothing is blocking the DNAT).
mchrk
n00b


Joined: 29 Mar 2006
Posts: 6

Posted: Wed May 31, 2006 7:42 pm

It doesn't work with that =\
mchrk
n00b


Joined: 29 Mar 2006
Posts: 6

Posted: Wed May 31, 2006 8:04 pm

I really don't know what's wrong. It seems that the only thing that doesn't work is forwarding.
Everything works great :s
guero61
l33t


Joined: 14 Oct 2002
Posts: 811
Location: Behind you

Posted: Thu Jun 01, 2006 11:53 pm

Did you happen to turn on forwarding in the kernel?

Code:

sysctl net.ipv4.ip_forward=1
mcgru
n00b


Joined: 01 Jun 2006
Posts: 2
Location: Tomsk, Russia

Posted: Fri Jun 02, 2006 1:49 am

guero61 wrote:
Did you happen to turn on forwarding in the kernel?

Code:

sysctl net.ipv4.ip_forward=1

Code:
if [ -e /proc/sys/net/ipv4/ip_forward ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; fi

does the same
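The two points raised in the thread (salam's: a DNAT rule alone never accepts anything, the FORWARD chain still has to pass the NEW packet; guero61's: with net.ipv4.ip_forward=0 the FORWARD chain is never reached) are easiest to see by walking the netfilter hops a forwarded packet takes. The model below is an added example, not code from the thread or from iptables itself: it implements only the matches the poster's script uses, rebuilds that script's nat PREROUTING and filter FORWARD chains as data, and evaluates the friend's first SYN against the original chain and against the chain with the two commented-out rules re-enabled. The public addresses 203.0.113.5 and 198.51.100.10 are constructed; the LAN addresses and port 6112 are the thread's own. Conntrack is reduced to a state label on the packet, and the recorded DNAT mapping for later packets of a connection is not tracked.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """A minimal view of an IPv4 packet as netfilter sees it (constructed)."""
    in_iface: str
    proto: str
    src: str
    dst: str
    dport: int
    state: str = "NEW"  # conntrack state: NEW, ESTABLISHED or RELATED


@dataclass(frozen=True)
class Rule:
    """One iptables rule, restricted to the matches the thread's script uses."""
    target: str                               # ACCEPT, DROP or DNAT
    in_iface: Optional[str] = None            # -i
    proto: Optional[str] = None               # -p
    dport: Optional[int] = None               # --dport (single port)
    src_net: Optional[str] = None             # -s
    states: Optional[Tuple[str, ...]] = None  # -m state --state
    to: Optional[str] = None                  # -j DNAT --to ip:port

    def matches(self, p: Packet) -> bool:
        if self.in_iface is not None and self.in_iface != p.in_iface:
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.src_net is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src_net):
            return False
        if self.states is not None and p.state not in self.states:
            return False
        return True


def walk_chain(rules: List[Rule], policy: str, p: Packet):
    """First matching rule wins; the chain policy applies when nothing matches."""
    for r in rules:
        if r.matches(p):
            return r.target, r
    return policy, None


def forward_verdict(p: Packet, nat_prerouting, filter_forward, forward_policy="DROP", ip_forward=True):
    """Walk the hops a packet destined for another host takes on a Linux router."""
    # 1. nat PREROUTING is consulted for the first packet of a connection and
    #    may rewrite the destination before any routing decision is made.
    if p.state == "NEW":
        verdict, rule = walk_chain(nat_prerouting, "ACCEPT", p)
        if verdict == "DNAT":
            ip, port = rule.to.split(":")
            p = replace(p, dst=ip, dport=int(port))
    # 2. Routing: with net.ipv4.ip_forward=0 the kernel does not forward at all,
    #    so the FORWARD chain is never reached (guero61's point).
    if not ip_forward:
        return "DROP (ip_forward=0)", p
    # 3. filter FORWARD sees the packet with its rewritten destination; the DNAT
    #    rule on its own accepted nothing here (salam's point).
    verdict, _ = walk_chain(filter_forward, forward_policy, p)
    return verdict, p


# nat PREROUTING as the original script builds it.
NAT_PREROUTING = [
    Rule("DNAT", in_iface="eth0", proto="tcp", dport=6112, to="192.168.0.2:6112"),
    Rule("DNAT", in_iface="eth0", proto="udp", dport=6112, to="192.168.0.2:6112"),
]

# filter FORWARD as the original script builds it; the -I rules land at the top.
FORWARD_ORIGINAL = [
    Rule("DROP", in_iface="eth0", src_net="127.0.0.0/8"),
    Rule("DROP", in_iface="eth0", src_net="192.168.0.0/24"),
    Rule("ACCEPT", in_iface="eth1"),
    Rule("ACCEPT", states=("ESTABLISHED", "RELATED")),
]

# The same chain with the two commented-out rules re-enabled, as salam suggested.
FORWARD_FIXED = FORWARD_ORIGINAL + [
    Rule("ACCEPT", in_iface="eth0", proto="tcp", dport=6112),
    Rule("ACCEPT", in_iface="eth0", proto="udp", dport=6112),
]


def game_syn() -> Packet:
    """The friend's first TCP packet arriving on eth0 (constructed public addresses)."""
    return Packet(in_iface="eth0", proto="tcp", src="203.0.113.5", dst="198.51.100.10", dport=6112)


if __name__ == "__main__":
    for name, chain in (("original", FORWARD_ORIGINAL), ("fixed", FORWARD_FIXED)):
        verdict, p = forward_verdict(game_syn(), NAT_PREROUTING, chain)
        print(f"{name:8s}: dst rewritten to {p.dst}:{p.dport}, FORWARD verdict {verdict}")
    verdict, _ = forward_verdict(game_syn(), NAT_PREROUTING, FORWARD_FIXED, ip_forward=False)
    print(f"no ip_forward: {verdict}")
```

Running it shows the destination rewritten to 192.168.0.2:6112 in both cases, but the verdict is DROP with the original chain (nothing matches a NEW packet coming in on eth0, so the policy applies) and ACCEPT once the eth0/6112 rules are back, while ip_forward=0 drops the packet before any FORWARD rule is looked at. The same order of evaluation is why the FORWARD accept rule has to match the post-DNAT destination: here the port is unchanged, but a DNAT to a different internal port would need --dport set to that port in FORWARD.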