I'm trying to set up a simple port forwarding firewall and I can't make the basic non-firewall configuration work. I have set up the iptables script as follows
#!/bin/sh
# interfaces
LAN="eth1"
WAN="eth0"
# enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# delete all existing rules to start from scratch
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
# accept everything
iptables -A INPUT -j ACCEPT
iptables -A FORWARD -j ACCEPT
iptables -A OUTPUT -j ACCEPT
# port forwarding to local machine
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT --to 192.168.1.96
# masquerade
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
This script will not firewall anything but it should redirect port 80 on the gateway machine to my internal machine 192.168.1.96. This is not working. The problem is that I can't get from the outside into the inside machine. I don't even know how to start debugging. Any hints on where to look?
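A hardened version of the same port forward, added here as an example and not the original poster's script: default-deny policies plus the FORWARD rule that has to admit the DNATed connection. The interface names and inside host come from the question; the LAN-only SSH rule and the DRY_RUN switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the original poster's script: the same DNAT port forward,
# but with default-deny policies so only TCP/80 is forwarded from the outside.
# Assumed values: eth0 is the WAN side, eth1 the LAN side, 192.168.1.96 the web host.
LAN="eth1"
WAN="eth0"
INSIDE_HOST="192.168.1.96"
FWD_PORT="80"
# Default is a dry run that prints the rules for review; DRY_RUN=0 applies them.
DRY_RUN="${DRY_RUN:-1}"

ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

enable_forwarding() {
    [ "$DRY_RUN" = "1" ] || echo 1 > /proc/sys/net/ipv4/ip_forward
}
apply_rules() {
    ipt -F
    ipt -t nat -F
    ipt -t mangle -F
    ipt -X
    # Default deny on INPUT and FORWARD; everything below is an explicit allow.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i "$LAN" -p tcp --dport 22 -j ACCEPT   # gateway admin from the LAN only
    # Return traffic for existing connections, plus the LAN's own outbound traffic.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    # DNAT rewrites the destination before routing, so the FORWARD rule that
    # admits the new connection must match the rewritten (inside) address.
    ipt -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$FWD_PORT" \
        -j DNAT --to-destination "$INSIDE_HOST:$FWD_PORT"
    ipt -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$INSIDE_HOST" --dport "$FWD_PORT" \
        -m conntrack --ctstate NEW -j ACCEPT
    # Hide LAN addresses behind the gateway for outbound traffic.
    ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

enable_forwarding
apply_rules
```

Run it once as-is to review the printed rule set, then with DRY_RUN=0 to apply it; afterwards `iptables -t nat -L -n -v` should show the DNAT rule's packet counter rising for each outside connection.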
Change:
To:
Double-check with iptables -L -n -v --line, and with -t nat. What you did looks right to me. Also run tcpdump to see if you can see the TCP SYN on the outside (eth0) and on the inside (eth1) to make sure this is where it disappears.
"This is not working" is not a good description. What isn't working? Do you get a timeout or connection refused?
I don't know what version of iptables you're running, but under v1.3.5, you need to have --to-destination instead of --to.
I think your last line should be
Note LAN, not WAN.
I normally set this up with IPs instead of interfaces. Please try the following:
and set the $EXT_IP of course.