[Firewall] Problem with port forwarding and Arno's firewall

Arno van Amersfoort arnova at rocky.eld.leidenuniv.nl
Thu Jul 14 10:03:57 CEST 2011


The problem is that you also need FORWARD rules to make this work, since 
AIF blocks any FORWARD traffic by default. The preferred method, 
however, is to simply use AIF itself for the port forward. Generally one 
shouldn't be forced/encouraged to use custom-rules...

a.

On 07/06/2011 06:53 PM, Simon Chollet wrote:
> Hi there,
>
> I have a little problem setting a port forwarding rule with Arno's 
> iptables firewall.
>
> I want to redirect many connections from a main server (with public IP 
> of course) to other servers having public IPs too. The main server is 
> Ubuntu 11.04.
>
> The way I was doing that before installing the firewall was:
>
>    1. Check that /proc/sys/net/ipv4/ip_forward is set to '1'
>    2. iptables -t nat -A PREROUTING -p tcp --dport 2000 -j DNAT
>       --to-destination X.X.X.X:X (one time per redirection)
>    3. iptables -t nat -A POSTROUTING -j MASQUERADE
>
>
> It was working OK. But of course I needed a firewall on this machine. 
> I tried ufw, but I don't think it's made for fine-tuned rules, so 
> I searched for another iptables firewall and found Arno's.
>
> The way I'm now trying to set my redirections is in the custom-rules 
> file. The file content is:
>
> iptables -t nat -A PREROUTING -p tcp --dport 2000 -j DNAT 
> --to-destination X.X.X.X:X
> iptables -t nat -A POSTROUTING -j MASQUERADE
>
> If I check the nat rules (using iptables -t nat -L -v) I get:
>
> Chain PREROUTING (policy ACCEPT 559 packets, 57316 bytes)
>  pkts bytes target                      prot opt in   out  source    destination
>   570 57956 NAT_PREROUTING_CHAIN        all  --  any  any  anywhere  anywhere
>    11   640 DNAT                        tcp  --  any  any  anywhere  anywhere  tcp dpt:2000 to:X.X.X.X:X
>   559 57316 POST_NAT_PREROUTING_CHAIN   all  --  any  any  anywhere  anywhere
>
> Chain INPUT (policy ACCEPT 1 packets, 64 bytes)
>  pkts bytes target                      prot opt in   out  source    destination
>
> Chain OUTPUT (policy ACCEPT 375 packets, 74438 bytes)
>  pkts bytes target                      prot opt in   out  source    destination
>
> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target                      prot opt in   out  source    destination
>   375 74438 NAT_POSTROUTING_CHAIN       all  --  any  any  anywhere  anywhere
>   375 74438 MASQUERADE                  all  --  any  any  anywhere  anywhere
>     0     0 POST_NAT_POSTROUTING_CHAIN  all  --  any  any  anywhere  anywhere
>
> Chain NAT_POSTROUTING_CHAIN (1 references)
>  pkts bytes target                      prot opt in   out  source    destination
>
> Chain NAT_PREROUTING_CHAIN (1 references)
>  pkts bytes target                      prot opt in   out  source    destination
>
> Chain POST_NAT_POSTROUTING_CHAIN (1 references)
>  pkts bytes target                      prot opt in   out  source    destination
>
> Chain POST_NAT_PREROUTING_CHAIN (1 references)
>  pkts bytes target                      prot opt in   out  source    destination
>
> I tried opening and closing the port (2000 here) in debconf, but I can't 
> get this to work in any way.
>
> Could you please give me some advice if you see what's wrong? Do I 
> have to enable something more in firewall.conf?
>
> Thanks a lot in advance,
>
> Simon
>
>
> _______________________________________________
> Firewall mailing list
> Firewall at rocky.eld.leidenuniv.nl
> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
> Arno's (Linux IPTABLES Firewall) Homepage:
> http://rocky.eld.leidenuniv.nl
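The point Arno makes above, shown as an added example (this is not code from the thread or from Arno's Iptables Firewall): the nat-table counters Simon posted prove that DNAT is being applied (11 packets hit the rule), but a DNATed packet then traverses the filter table's FORWARD chain, not INPUT, and a firewall whose FORWARD policy drops by default will discard it there. The script below prints the complete plain-iptables rule set such a forward needs, with the FORWARD accepts Simon's custom-rules file lacks and the MASQUERADE narrowed to the forwarded flow, plus a check that reads `iptables -S FORWARD` output and tells you whether the filter side exists. Interface name, ports and the 198.51.100.10 address are placeholders.

```shell
#!/bin/sh
# Added example; not code from the mailing-list post or from AIF.
# Complete rule set for one TCP port forward on a host whose filter FORWARD
# chain drops by default. eth0, ports and addresses are placeholders.

# Print (do not run) the iptables commands for forwarding TCP traffic that
# arrives on this host's public port to another server.
#   $1 public interface   $2 public port   $3 target host   $4 target port
portforward_rules() {
    ext_if=$1; pub_port=$2; dst_host=$3; dst_port=$4
    cat <<EOF
# routing must be enabled or DNATed packets are dropped before FORWARD
sysctl -w net.ipv4.ip_forward=1
# nat/PREROUTING: rewrite the destination of connections to the public port;
# bind the rule to the public interface so it cannot be reached from inside
iptables -t nat -A PREROUTING -i $ext_if -p tcp --dport $pub_port -j DNAT --to-destination $dst_host:$dst_port
# filter/FORWARD: after DNAT the packet is forwarded, not delivered locally,
# so it needs an explicit ACCEPT here. Match the rewritten destination and
# port, not the public port, so only the intended service is reachable.
iptables -A FORWARD -i $ext_if -p tcp -d $dst_host --dport $dst_port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o $ext_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# nat/POSTROUTING: source-NAT only this flow. An unqualified MASQUERADE, as in
# the posted custom-rules, rewrites every forwarded connection leaving the host.
iptables -t nat -A POSTROUTING -o $ext_if -p tcp -d $dst_host --dport $dst_port -j MASQUERADE
EOF
}

# Read 'iptables -S FORWARD' output on stdin and succeed only if some rule
# accepts traffic to host $1 on port $2. The nat counters alone cannot show
# whether the filter side lets the forwarded packets through.
forward_accepts() {
    grep -Eq -- "^-A FORWARD .*-d $1(/32)? .*--dport $2 .*-j ACCEPT"
}

# Usage (as root):
#   portforward_rules eth0 2000 198.51.100.10 22 | sh
#   iptables -S FORWARD | forward_accepts 198.51.100.10 22 || echo "FORWARD still blocks it"
```

With AIF the same result is meant to come from the firewall's own configuration rather than from custom-rules, which is what Arno recommends: its firewall.conf carries NAT_FORWARD_TCP (and NAT_FORWARD_UDP) settings for exactly this purpose, and AIF then generates the matching FORWARD accepts itself. The exact value syntax is not quoted on this page, so take it from the comments next to those settings in your own firewall.conf rather than from memory.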