Firewall Wizards mailing list archives

Re: ipchains and port forwarding


From: "Robert E. Martin" <rmartin () fishburne org>
Date: Tue, 04 Mar 2003 08:38:55 -0500

Martin A. Brown wrote:

Robert,

Can you use iptables?  It'll be much easier with iptables:

 iptables -t nat -A PREROUTING -d 216.12.31.x -p tcp --dport 80 \
   -j DNAT --to-destination 192.168.0.10
 iptables -t filter -A FORWARD -d 192.168.0.10 -p tcp --dport 80 \
   -j ACCEPT

 for PORT in 25 110 ; do
   iptables -t nat -A PREROUTING -d 216.12.31.x -p tcp --dport $PORT \
     -j DNAT --to-destination 192.168.0.20
   iptables -t filter -A FORWARD -d 192.168.0.20 -p tcp --dport $PORT \
     -j ACCEPT
 done

Do you still want to use ipchains?  Do you have more than one IP?  Do you
want to do static NAT?  iproute2 is your friend:

 ip route add nat 216.12.31.Y via 192.168.0.10
 ip rule add nat 216.12.31.Y from 192.168.0.10

 ip route add nat 216.12.31.Z via 192.168.0.20
 ip rule add nat 216.12.31.Z from 192.168.0.20

 # -- add some ipchains here

I have some iproute2 help available here:

 http://linux-ip.net/html/
 http://linux-ip.net/html/nat-stateless.html

Do you still want to use ipportfw?  Ick.  I can't help you much there.

Ciao, good luck,

-Martin

: Hey guys!!
: I have just installed a dsl line and need to rebuild a firewall. I have
: decided to use ipchains and have a need to forward www and mail access
: into the private side of the new firewall. I am familiar with ipportfw
: and ipautofw commands. Is this all I need to do to get access to my web
: and mail server?
:
: ex: isp addr 216.12.31.x
: internal net : 192.168.0.x
: web server: 192.168.0.10
: mailserver: 192.168.0.20
:
: rules I've tried:
: /sbin/ipmasqadm portfw -a -P tcp -L 192.168.0.1 80 -R 192.168.0.10 80 -p 100
:
: Thanks!!
:

OK. That makes sense. I do have iproute2 working on the machine and I can make sense of the documentation; however, will this technique work across multiple segments? If I route through several subnets to get to the physical web server box, will this still work, or does the machine need to be on the same physical subnet? I can go with iptables and it does seem much easier. I have considered this to be the thing to do and you know what they say, no guts, no glory!

--
Robert E Martin
IT Manager
Fishburne Military School
rmartin () fishburne org
540.946.7726
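The following is an added example, not code from either poster, that turns the iptables approach quoted above into a small reviewable script: it pairs each DNAT rule with its FORWARD rule, sets a default-deny FORWARD policy, and lets tracked replies through. Regarding the multi-segment question in the reply: iptables DNAT is stateful, so the internal server can sit several routed hops behind the firewall as long as its replies return through the same box (conntrack reverses the translation on the way out) and `ip_forward` is enabled; an asymmetric return path is the usual reason it appears not to work. The address 216.12.31.5 stands in for the thread's "216.12.31.x" placeholder and is an assumption, as is the DRY_RUN wrapper.

```shell
#!/bin/sh
# Added example: generate the DNAT + FORWARD rule pairs for the web and mail
# servers named in the thread. PUBLIC_IP is an assumed stand-in for 216.12.31.x.
PUBLIC_IP="216.12.31.5"

# "public-port internal-host" per line, constructed from the thread:
# web on 192.168.0.10 port 80, mail on 192.168.0.20 ports 25 and 110.
FORWARDS="80 192.168.0.10
25 192.168.0.20
110 192.168.0.20"

# With DRY_RUN=1 (the default here) rules are printed rather than applied,
# so the result can be reviewed before it touches a live firewall.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# One DNAT rule in nat/PREROUTING plus the matching FORWARD accept.
# Only NEW connections need the explicit hole; replies are covered by the
# ESTABLISHED,RELATED rule added in build_rules.
forward_port() {
    port="$1"; dest="$2"
    run iptables -t nat -A PREROUTING -d "$PUBLIC_IP" -p tcp --dport "$port" \
        -j DNAT --to-destination "$dest"
    run iptables -t filter -A FORWARD -d "$dest" -p tcp --dport "$port" \
        -m state --state NEW -j ACCEPT
}

# Default-deny forwarding, allow tracked replies, then the per-service holes.
build_rules() {
    run iptables -t filter -P FORWARD DROP
    run iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    printf '%s\n' "$FORWARDS" | while read -r port dest; do
        forward_port "$port" "$dest"
    done
}

# Number of rule lines produced: 2 base rules + 2 per forwarded service.
rule_count() {
    build_rules | wc -l | tr -d ' '
}

build_rules
```

Run it as-is to see the rule set; run with `DRY_RUN=0` as root to apply it. On the firewall itself, `sysctl net.ipv4.ip_forward` must report 1, and the internal hosts' default route must point back at the firewall for the translated connections to be reversed correctly.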


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

