Home / server / Questions / 3626
Accepted
Henrik Paul
Asked: 2009-05-04 10:10:57 +0800 CST

Port forwarding with iptables and dhcpd

  • 772

The setup: I have a Linux (Gentoo, if that makes a difference) box that serves as a gateway for the whole apartment. This box does its NAT-magic with iptables and dhcpd.

The problem: I have a certain computer that I want to have a port forwarded to (for torrents, if, again, there's a difference).

I have just enough Linux administration skills to read howtos and get stuff configured properly (eventually), but the howtos I found for my case were too unclear and seemed to be unnecessarily complex.

For what I've gathered, my problem is twofold: getting the dhcpd reliably assign a certain static IP to the computer I want, and then getting iptables configured for the port forwarding.

Could someone give me a definite, step-by-step guide in how to do this? I'm sure I'm not the only one wanting to do this...

Edit: My versions of the software are:

# iptables --version
iptables v1.4.0

# dhcpd --version
isc-dhcpd-V3.1.1-Gentoo
linux dhcp port-forwarding iptables

2 Answers

  1. Best Answer

    To get dhcp to reliably assign a certain static IP to the computer you want, the usual thing to do is to look into how to tell your dhcp server (whichever one you're running) to statically map a mac address to an IP address. This will make it always hand out the same IP (that you specify) to that mac address.

    ISC dhcp needs a config stanza like

    host mycomputer {
  hardware ethernet 00:12:34:56:78:9A;
  fixed-address 192.168.1.10;
}

    dnsmasq needs a line like:

    dhcp-host=00:12:34:56:78:9A,192.168.1.10

    whose details are specified in the manpage.

    where:

    • mycomputer is your computer's hostname
    • 00:12:34:56:78:9A is your computer's mac address
    • 192.168.1.10 is the IP you want to be always assigned to that mac address

    Once that's done, you now have a 'static' IP to do your port forwarding to. To do this you want, as @Avery Payne says, to do:

    iptables -t nat -I PREROUTING -s ! {internal-network} -d {public-address} -p tcp --dport {port-on-public-address} -j DNAT --to-dest {internal-address}

    where:

    • internal-network is the IP address that represents your network, i.e. 192.168.1.0
    • internal-address is the IP address that represents the host you want to expose, i.e. 192.168.1.10
    • public-address is the IP address of the interface that is facing your ISP
    • port-on-public-address is the port number that traffic would arrive at if your internal computer could see it; note that this rule does not change the port number as it forwards, it simply passes the packet along

    Note the space between the -s, the exclamation mark, and {internal-network}, be sure to have a space on both sides.

    • 6

  2. iptables -t nat -I PREROUTING -s ! {internal-network} -d {public-address} -p tcp --dport {port-on-public-address} -j DNAT --to-dest {internal-address}

    where:

    • internal-network is the IP address that represents your network, i.e. 192.168.1.0
    • internal-address is the IP address that represents the host you want to expose, i.e. 192.168.1.2
    • public-address is the IP address of the interface that is facing your ISP
    • port-on-public-address is the port number that traffic would arrive at if your internal computer could see it; note that this rule does not change the port number as it forwards, it simply passes the packet along

    Note the space between the -s, the exclaimation mark, and {internal-network}, be sure to have a space on both sides.

    • 3