# iptables forwarding traffic to another host

## dre2004

I'm trying to get iptables to forward traffic to another host. I've got two questions.

I'm just testing this on a box I have at home so I know how to get it working for when I need to do it at work.

1) I have done the following but can't get traffic to forward:

```
# To enable forwarding...
echo 1 > /proc/sys/net/ipv4/conf/all/forwarding

# Rule to forward anything coming in on port 80 to another host on my network
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.0.4:80
```

It doesn't seem to like that.

Here are my policies:

```
iptables -L -n:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

iptables -t nat -L -n:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 to:192.168.0.4:80

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

2) How can I see what iptables is doing in real time? Do I enable logging, or is there another way?

----------

## expat_iain

The following command will give counters for matched packets so you can observe which rules are being hit:

```
iptables -L -nv
```

----------

## gerdesj

*dre2004 wrote:*

> 2) How can I see what iptables is doing in real time? do I enable logging or is there another way?

Investigate "ulogd" for logging iptables.

I can highly recommend fwbuilder which will create the rules for you with a GUI and can use ulogd. 

Cheers

Jon

----------

## dre2004

*Quote:*

> I can highly recommend fwbuilder which will create the rules for you with a GUI and can use ulogd.

It would be good to be able to use a GUI, but all the boxes I admin at work run headless, not to mention I only have SSH access to them. I will try ulogd to see if that helps and might also try using ethereal to see if it can shed some light.

----------

## casso

I think you need rules in the POSTROUTING chain, not PREROUTING. The target is MASQUERADE. Unfortunately I can't get the details for this at present, but at least give it a go and see what happens.

----------

## salam

I'd not use pure DNAT without any "-d" parameter, as it would route traffic with any destination IP and dport 80 (if it is a gateway;

if not, remember that even after DNAT the filter table's FORWARD rule is still applied, so the packet must be accepted there).

I'm also not sure about this: `echo 1 > /proc/sys/net/ipv4/conf/all/forwarding`. I've never heard of using it; try `echo 1 > /proc/sys/net/ipv4/ip_forward`.

----------

## guero61

*casso wrote:*

> I think you need rules in the POSTROUTING chain, not PREROUTING. The target is MASQUERADE. Unfortunately I can't get the details for this at present, but at least give it a go and see what happens.

MASQUERADE is only useful & suggested if you have a dynamic IP and are doing outbound NAT (or PNAT, as Cisco likes to call it).

I personally like to use sysctl to enable forwarding, primarily because I can then set it in /etc/sysctl.conf and forget about it.

```
sysctl net.ipv4.ip_forward=1
```

```
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
```

That said, DNAT is only valid in the PREROUTING and OUTPUT chains, so you've got it right there.  If the sysctl bit doesn't work, I'd like to either see your iptables output again with the '-vn' flags added or all of /var/lib/iptables/rules-save after you've executed "/etc/init.d/iptables save".

Do note also that the iptables user-space stuff (ULOG, etc.) has been deprecated in 2.6.16+ in favor of using the new unified kernel<-->userland linker.  I don't know of anything on ulogd's level that takes advantage of that yet.

----------

## tutaepaki

How are you testing this? If you are coming from the 192.168.0 network, this won't work.

----------

## enigma_0Z

OK, here's the question.

Looking at your rule, and with the question you asked, it is unclear what you want to accomplish. There are two different kinds of forwarding, external address forwarding (where an internal machine has a service you want to access from the Internet), and NAT forwarding (where you want internal computers to be able to access the internet). These two services can live together in perfect harmony. Go to 1 for external address forwarding, and 2 for NAT forwarding.

1. If you have a server in your internal network that you want to access from the outside world (i.e. the Internet), then:

```
iptables -t nat -A PREROUTING -p <protocol, usu. tcp or udp> --dport <service port> -j DNAT --to-destination <dest. IP>:<dest. port>
```

What this does is: iptables looks for connections coming in on <service port> and forwards them to <dest. IP>:<dest port>, where:

<service port> is the port you want iptables to monitor, this can be a standard port, or an odd one.

<dest IP> is the IP address of the internal machine

<dest port> is the port to connect to on the internal machine.

This example forwards port 80 connections from the router to an internal webserver (also port 80).

Internal webserver at 172.16.16.16/16, router at 172.16.0.1/16:

```
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 172.16.16.16:80
```

2. If you have computer(s) on a network that you want to have internet access, then:

For a single computer:

```
iptables -t nat -A POSTROUTING -s <IP addr>/32 -j MASQUERADE
```

For an entire subnet:

```
iptables -t nat -A POSTROUTING -s <net addr>/<netmask> -j MASQUERADE
```

Netmask can be either a single number (CIDR notation, I believe?) or a dotted quad (255.255.255.0, for example).

Using the same IP Addressing scheme, we want subnet 172.16.128.0/24 to be able to access the internet...

```
# Subnet is 172.16.128.0/24 as stated above (the original line had a 127.16.x typo)
iptables -t nat -A POSTROUTING -s 172.16.128.0/24 -j MASQUERADE
```

---

That should help. Let us know what number you needed.

----------
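Pulling the thread's points together (salam's `-d` restriction and FORWARD acceptance, guero61's sysctl, tutaepaki's note about testing from the LAN side, and enigma_0Z's two forwarding cases), here is an added shell example that is not from any poster. It prints the rule set by default and assumes the interface names eth0/eth1, the public address 203.0.113.10, and the thread's 192.168.0.4 web server.

```shell
#!/bin/sh
# Added example (not from the thread): generate the full iptables rule set for
# forwarding an external TCP port to an internal host. Lines emitted, in order:
#  1. enable routing between interfaces (guero61's sysctl form)
#  2. DNAT only for traffic arriving on the WAN interface for our own address
#     (salam's point: an unrestricted DNAT rewrites any destination on port 80)
#  3-4. explicit FORWARD accepts, since the filter table still sees the packet
#  5-6. hairpin NAT so LAN clients reaching the public address also work
#     (tutaepaki's point that testing from 192.168.0.x otherwise fails)
#  7. outbound MASQUERADE for the LAN (enigma_0Z's case 2)
#  8. a LOG rule at the top of FORWARD so matches show up in the kernel log
# All interface names and the public address are assumed sample values.
WAN_IF="eth0"             # assumed outside interface
WAN_IP="203.0.113.10"     # assumed public address on WAN_IF (documentation range)
LAN_IF="eth1"             # assumed inside interface
LAN_NET="192.168.0.0/24"  # internal network used in the thread
DEST="192.168.0.4"        # internal web server from the thread
PORT="80"

# Emit the commands one per line; nothing is executed here.
port_forward_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $WAN_IF -d $WAN_IP -p tcp --dport $PORT -j DNAT --to-destination $DEST:$PORT
iptables -A FORWARD -d $DEST -p tcp --dport $PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -i $LAN_IF -d $WAN_IP -p tcp --dport $PORT -j DNAT --to-destination $DEST:$PORT
iptables -t nat -A POSTROUTING -s $LAN_NET -d $DEST -p tcp --dport $PORT -j MASQUERADE
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
iptables -I FORWARD -d $DEST -p tcp --dport $PORT -m conntrack --ctstate NEW -j LOG --log-prefix fwd80:
EOF
}

# Number of iptables commands produced (the sysctl line is not counted).
count_rules() { port_forward_rules | grep -c '^iptables'; }

# Dry run by default; "apply" executes each line (needs root and iptables).
if [ "${1:-}" = "apply" ]; then
    port_forward_rules | while IFS= read -r cmd; do $cmd; done
else
    port_forward_rules
fi
```

After applying, `iptables -L FORWARD -nv` shows the per-rule packet counters (expat_iain's answer) and the LOG rule's matches land in `dmesg` with the `fwd80:` prefix.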

