Port Forwarding

Seth Dimbert s.dimbert at fhmr.com
Tue Jan 14 02:23:22 CST 2003


Jeremy,

OT ranting aside, this is an *excellent* explanation of a complex process.
From those of us who don't yet understand all of this stuff, "Thank you!"

Question: I've got a LinkSys 4-Port Router/Switch that I bought from Amazon
the week I got DSL. When I put the old Mac back into use by installing
Linux, I set it up to run Apache and used the Domain Redirection at
www.no-ip.com to serve pages from it, using Port Forwarding on the LinkSys.
It was easy: in the LinkSys Admin webpage, I simply sent port 80 to the
Linux Box's IP address.

That's the same process you've described here, right?

If so, I have another question. Since I upgraded the Firmware on the Router,
I've gained more options on the Forwarding Page (which used to be the "Port
Forwarding Page"). Now I can choose between:

 - The Default screen
 - UPnP Forwarding
 - Port Triggering

I've used UPnP Forwarding to allow packets to hit ports 80, 21, 22 and
10000, all on the TCP Protocol, not the UDP (whatever THAT is).

Can you - in your casual style - explain what some of these options mean?

-SD

On 1/13/03 6:36 PM, "Jeremy Fowler" <jfowler at westrope.com> wrote:

> It's not that the answer isn't out there. It's all a matter of asking the right
> question. Because your question, "How to forward an internal webserver as if it
> were on a 2.4 Kernel firewall using iptables?" doesn't really make a lot of
> sense to me. So let's break it down:
> 
> "How to forward an internal webserver..."
> 
> Ok, you can't forward a webserver. You can forward packets to/from a webserver -
> but not a webserver.
> 
> "as if it"
> 
> It being what? The webserver?
> 
> Ok this next part makes even less sense...
> 
> "were on a 2.4 Kernel firewall using iptables."
> 
> So what does a webserver have to do with the 2.4 Kernel firewall? How do you put
> a webserver on a 2.4 Kernel firewall with iptables? Umb, you can't... Iptables
> doesn't put webservers on 2.4 kernel firewalls... Just doesn't work that way.
> 
> So do you see the problem here? The question wasn't very clear and that is why
> you're having problems finding an answer.
> 
> So, I'm going to attempt to answer your question, but I'm going to do it in the
> way I assume your question is trying to ask. Which is: How do you forward
> packets thru a netfilter firewall to an internal webserver? If so, why didn't
> you just say that?
> 
> <PS> I realize I'm being a dick here. I'm not in a very good mood for whatever
> reason and I thought I would blow some steam by answering your question like an
> asshole. I thought it would be funny and lift my spirits. Nothing personal, it's
> just your email caught my attention and now I'm picking on you. Besides,
> everyone needs their balls busted every once in a while... ;-P </PS>
> 
> So I'm assuming from your cryptic question that you would like to forward
> packets thru an iptables/netfilter firewall to a webserver that is inside your
> network. This is how you do it:
> 
> The feature you are looking for is called DNAT or Destination NAT. It's when you
> change the "destination" host of certain packets coming into the
> firewall/router. DNAT is handled in the PREROUTING chain of the nat table in
> netfilter. A sample rule looks like this:
> 
> #Public IP address of the firewall or Public IP of the HTTP server
> EXTERNAL_IP="10.0.0.1"
> 
> #Internal IP address of the HTTP Server
> HTTP_SERVER_IP="192.168.0.5"
> 
> iptables -t nat -A PREROUTING -i eth0 -p TCP -d $EXTERNAL_IP --dport 80 -j DNAT --to-destination $HTTP_SERVER_IP
> 
> 
> So this rule says, any TCP packets with a destination port of 80 coming in on
> interface eth0 destined for external IP 10.0.0.1 is DNATed or forwarded to the
> HTTP server which has an IP address of 192.168.0.5. We limit the packets to only
> be TCP packets, we make sure the packet is coming in on the external (public)
> interface eth0, we make sure that the packet's destination IP is 10.0.0.1 (just
> in case we alias more than one IP to an interface), and of course we make sure
> the protocol is HTTP so the destination port has to be 80. Now you very well
> could have just used:
> 
> iptables -t nat -A PREROUTING --dport 80 -j DNAT --to-destination $HTTP_SERVER_IP
> 
> Which means any packet (UDP or TCP) with a destination port of 80 coming in on
> any interface no matter the IP it was destined for is forwarded to 192.168.0.5.
> Which is a pretty broad rule and a bad idea. The first rule is better because it
> limits the packets being forwarded and gives you better control of the
> forwarding.
> 
> I hope that helps. -Jer ;-)
> 
> 
>> -----Original Message-----
>> From: owner-kclug at marauder.illiana.net
>> [mailto:owner-kclug at marauder.illiana.net]On Behalf Of Jonathan Hutchins
>> Sent: Sunday, January 12, 2003 3:25 PM
>> To: 'kclug at kclug.org'
>> Subject: Port Forwarding
>> 
>> 
>> Boy, it's amazing how many people have asked the same question: how to
>> forward an internal webserver as if it were on a 2.4 Kernel firewall using
>> iptables.  You'll get pages of hits on Google's usenet archives.
>> 
>> Very few of the queries have answers.  Mostly the answers are "like, I'm
>> still running Windows, but I think you need ipchains for that".
>> 
>> I'm running a firewall script derived from David Ranch's Trinity OS Project,
>> and I've written him to see if he's willing to provide an example script.
>> Who knows?  A question this big deserves an answer.
>> 
>> 
> 
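A worked version of the narrow DNAT rule from Jeremy's post, added here as an example and not taken from the thread or from any of the posters' scripts. It wraps the rule in a function that insists on an interface, a protocol and a destination IP (so the broad "--dport 80" form cannot be emitted; note that iptables also rejects --dport unless -p is given), and it adds the FORWARD rule that a DNATed packet still has to pass when the FORWARD policy is DROP. The function name, the DRY_RUN switch and the -m state match are assumptions for this example; the addresses are the constructed ones from the post.

```shell
#!/bin/sh
# Added example (not from the original thread): emit the narrow DNAT rule from
# the post plus the FORWARD rule that must also accept the DNATed packets.
# DRY_RUN=1 (the default here) prints the commands instead of running them.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# forward_port <ext_iface> <ext_ip> <proto> <ext_port> <int_ip> [<int_port>]
# Every argument except int_port is required: refusing an empty interface,
# protocol or destination IP is what keeps this from becoming the broad
# "--dport 80 -j DNAT" rule the post warns against (and --dport needs -p anyway).
forward_port() {
    ext_if="$1"; ext_ip="$2"; proto="$3"; ext_port="$4"; int_ip="$5"
    int_port="${6:-$4}"
    for v in "$ext_if" "$ext_ip" "$proto" "$ext_port" "$int_ip"; do
        [ -n "$v" ] || { echo "forward_port: missing argument" >&2; return 1; }
    done
    case "$proto" in
        tcp|udp) ;;
        *) echo "forward_port: protocol must be tcp or udp" >&2; return 1 ;;
    esac
    # nat/PREROUTING rewrites the destination (DNAT) ...
    run iptables -t nat -A PREROUTING -i "$ext_if" -p "$proto" -d "$ext_ip" \
        --dport "$ext_port" -j DNAT --to-destination "$int_ip:$int_port"
    # ... and filter/FORWARD must still let the rewritten packet through,
    # which matters whenever the FORWARD policy is DROP.
    run iptables -A FORWARD -i "$ext_if" -p "$proto" -d "$int_ip" \
        --dport "$int_port" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

# Same values as the post, constructed for illustration (10.0.0.1 is a
# private address standing in for a real public one).
forward_port eth0 10.0.0.1 tcp 80 192.168.0.5
```

Run with DRY_RUN=0 as root to actually install the two rules; with the default it only prints them, which is a handy way to review what a forwarding script will do before committing to it.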



