# [SOLVED] iptables: port forwarding with nat.

## spielc

Hi,

After about a week of reading tutorials and a lot of trial-and-error tests, I have to admit that I'm unable to get iptables port-forwarding in combination with NAT to work correctly.

A bit of background: 

The router I am talking about is a Sheevaplug with two physical NICs. eth0 is connected to the VDSL modem (using PPPoE and thus ppp0) and eth1 is connected to the LAN. To make things even more complicated, I have two OpenVPN instances running on the machine using two tap devices. As both VPNs need access to different machines on our private network, I have bridged eth1 and the two tap devices. So far so good, this setup works: we can connect to the internet from the LAN, VPNs work...

Now I need to forward incoming traffic on port 26080 on the router to port 8080 on one of the machines from the LAN. According to the Gentoo Home Router Guide, all I need to do is add the following rule to the nat table:

```
iptables -t nat -A PREROUTING -p tcp --dport 26080 -i ppp0 -j DNAT --to 192.168.2.30:8080
```

From what I've read, this should be enough as I have a MASQUERADE rule in the POSTROUTING chain of the nat table.

Here's the output of `iptables-save -c`:

```
# Generated by iptables-save v1.4.11.1 on Wed Feb  1 13:15:44 2012
*raw
:PREROUTING ACCEPT [336265:256864207]
:OUTPUT ACCEPT [9756:1101524]
[66:7223] -A PREROUTING -p icmp -j TRACE
[311:44789] -A OUTPUT -p icmp -j TRACE
COMMIT
# Completed on Wed Feb  1 13:15:44 2012
# Generated by iptables-save v1.4.11.1 on Wed Feb  1 13:15:44 2012
*nat
:PREROUTING ACCEPT [293:41329]
:INPUT ACCEPT [55:3449]
:OUTPUT ACCEPT [33:2065]
:POSTROUTING ACCEPT [43:3655]
[1225028:81113949] -A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Wed Feb  1 13:15:44 2012
# Generated by iptables-save v1.4.11.1 on Wed Feb  1 13:15:44 2012
*mangle
:PREROUTING ACCEPT [105364366:73740951850]
:INPUT ACCEPT [3204495:404744888]
:FORWARD ACCEPT [101741178:73252162432]
:OUTPUT ACCEPT [3198766:931180232]
:POSTROUTING ACCEPT [104886136:74180895972]
[1012654:55992760] -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Wed Feb  1 13:15:44 2012
# Generated by iptables-save v1.4.11.1 on Wed Feb  1 13:15:44 2012
*filter
:INPUT ACCEPT [129955:19544920]
:FORWARD ACCEPT [9830:549706]
:OUTPUT ACCEPT [303631:101201804]
[34:2616] -A INPUT -i lo -j ACCEPT
[1592451:178750222] -A INPUT -i br0 -j ACCEPT
[0:0] -A INPUT -i ppp0 -p udp -m udp --dport 67 -j REJECT --reject-with icmp-port-unreachable
[37:2282] -A INPUT -i ppp0 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
[59333:3023391] -A INPUT ! -i br0 -p tcp -m tcp --dport 0:1023 -j DROP
[1046:83150] -A INPUT ! -i br0 -p udp -m udp --dport 0:1023 -j DROP
[394:31264] -A FORWARD -s 10.0.35.0/24 -d 192.168.0.0/16 -i br0 -j DROP
[892728:106171023] -A FORWARD -s 10.0.35.0/24 -i br0 -j ACCEPT
[1392730:2052405192] -A FORWARD -d 10.0.35.0/24 -i ppp0 -j ACCEPT
[56969732:63452220677] -A FORWARD -d 192.168.0.0/16 -i ppp0 -j ACCEPT
[40490039:6274773473] -A FORWARD -s 192.168.0.0/16 -i br0 -j ACCEPT
COMMIT
# Completed on Wed Feb  1 13:15:44 2012
```

If this looks familiar to you, don't wonder: I've based almost everything on the Gentoo Home Router Guide... And don't worry about the firewall being quite unsafe at the moment, I first want to get this thing going before I start locking everything down...

So is there anybody who has a clue what I'm overlooking here?

Thanks in advance,

Christoph

P.S. Another question: What do I have to do to get rule tracing to work? I think I have loaded the necessary modules, but whatever I do I don't get ANY output in my syslog.

Here's the output of `lsmod`:

```
Module                  Size  Used by
nfnetlink_log           6751  0 
nfnetlink               2305  1 nfnetlink_log
xt_TRACE                 625  2 
iptable_raw              841  1 
ipt_LOG                 6204  0 
xt_state                 889  0 
af_packet              18276  2 
pppoe                   8806  2 
pppox                   1424  1 pppoe
ppp_generic            15293  6 pppoe,pppox
slhc                    4421  1 ppp_generic
bridge                 63602  0 
stp                     1234  1 bridge
llc                     3051  2 bridge,stp
tun                    12659  4 
ipt_MASQUERADE          1320  1 
iptable_nat             3129  1 
nf_nat                 12075  2 ipt_MASQUERADE,iptable_nat
nf_conntrack_ipv4       9933  3 iptable_nat,nf_nat
nf_conntrack           45097  5 xt_state,ipt_MASQUERADE,iptable_nat,nf_nat,nf_conntrack_ipv4
nf_defrag_ipv4           913  1 nf_conntrack_ipv4
xt_TCPMSS               2117  1 
iptable_mangle           998  1 
ipt_REJECT              1855  2 
xt_tcpudp               1917  5 
iptable_filter           914  1 
ip_tables               9011  4 iptable_raw,iptable_nat,iptable_mangle,iptable_filter
x_tables               11080  12 xt_TRACE,iptable_raw,ipt_LOG,xt_state,ipt_MASQUERADE,iptable_nat,xt_TCPMSS,iptable_mangle,ipt_REJECT,xt_tcpudp,iptable_filter,ip_tables
nfs                   293298  1 
lockd                  50010  1 nfs
auth_rpcgss            32124  1 nfs
sunrpc                171655  12 nfs,lockd,auth_rpcgss
8021q                  13918  0 
asix                   11986  0 
usbnet                 12440  1 asix
mii                     3357  2 asix,usbnet
ehci_hcd               33411  0 
usbcore               106630  4 asix,usbnet,ehci_hcd
marvell                 5259  0 
mv643xx_eth            22080  0 
rtc_mv                  2634  0 
libphy                 13422  2 marvell,mv643xx_eth
mv_cesa                 8986  0 
unix                   20834  40 
```

----------

## truc

```
*nat
:PREROUTING ACCEPT [293:41329]
:INPUT ACCEPT [55:3449]
:OUTPUT ACCEPT [33:2065]
:POSTROUTING ACCEPT [43:3655]
[1225028:81113949] -A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
```

Can't see your DNAT rule in here?

----------

## spielc

Duh! I seem to have removed the rule once again before I asked here... So here you go:

```
# Generated by iptables-save v1.4.11.1 on Thu Feb  2 08:25:03 2012
*raw
:PREROUTING ACCEPT [899915:568045437]
:OUTPUT ACCEPT [33221:3174869]
[173:16239] -A PREROUTING -p icmp -j TRACE
[1663:230900] -A OUTPUT -p icmp -j TRACE
COMMIT
# Completed on Thu Feb  2 08:25:03 2012
# Generated by iptables-save v1.4.11.1 on Thu Feb  2 08:25:03 2012
*nat
:PREROUTING ACCEPT [1120:128776]
:INPUT ACCEPT [360:24101]
:OUTPUT ACCEPT [265:19998]
:POSTROUTING ACCEPT [283:25061]
[0:0] -A PREROUTING -i ppp0 -p tcp -m tcp --dport 26080 -j DNAT --to-destination 192.168.2.30:8080
[1239887:82191791] -A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Thu Feb  2 08:25:03 2012
# Generated by iptables-save v1.4.11.1 on Thu Feb  2 08:25:03 2012
*mangle
:PREROUTING ACCEPT [105928016:74052133080]
:INPUT ACCEPT [3238532:407867910]
:FORWARD ACCEPT [102287197:73559100154]
:OUTPUT ACCEPT [3222232:933253773]
:POSTROUTING ACCEPT [105455623:74489907901]
[1021154:56454820] -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Thu Feb  2 08:25:03 2012
# Generated by iptables-save v1.4.11.1 on Thu Feb  2 08:25:03 2012
*filter
:INPUT ACCEPT [159:21226]
:FORWARD ACCEPT [2:64]
:OUTPUT ACCEPT [534:64738]
[39:3028] -A INPUT -i lo -j ACCEPT
[1616173:180697032] -A INPUT -i br0 -j ACCEPT
[0:0] -A INPUT -i ppp0 -p udp -m udp --dport 67 -j REJECT --reject-with icmp-port-unreachable
[37:2282] -A INPUT -i ppp0 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
[59514:3032647] -A INPUT ! -i br0 -p tcp -m tcp --dport 0:1023 -j DROP
[1076:84571] -A INPUT ! -i br0 -p udp -m udp --dport 0:1023 -j DROP
[0:0] -A FORWARD -d 192.168.2.30/32 -p tcp -m tcp --dport 26080 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
[394:31264] -A FORWARD -s 10.0.35.0/24 -d 192.168.0.0/16 -i br0 -j DROP
[893450:106288218] -A FORWARD -s 10.0.35.0/24 -i br0 -j ACCEPT
[1392766:2052416410] -A FORWARD -d 10.0.35.0/24 -i ppp0 -j ACCEPT
[57250422:63720748268] -A FORWARD -d 192.168.0.0/16 -i ppp0 -j ACCEPT
[40753440:6313005739] -A FORWARD -s 192.168.0.0/16 -i br0 -j ACCEPT
COMMIT
# Completed on Thu Feb  2 08:25:03 2012
```

----------

## Hu

*spielc wrote:*

> ```
> [0:0] -A FORWARD -d 192.168.2.30/32 -p tcp -m tcp --dport 26080 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> ```
> ...

In this context, you must specify the TCP port as seen post-NAT. Since your NAT rule changes from 26080 on the Internet side to 8080 internally, you should use --dport 8080 here.

----------

## spielc

*Hu wrote:*

> *spielc wrote:*
>
> > ```
> > [0:0] -A FORWARD -d 192.168.2.30/32 -p tcp -m tcp --dport 26080 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> > ```
> > ...

Okay, I changed the corresponding rule

```
[0:0] -A FORWARD -d 192.168.2.30/32 -p tcp -m tcp --dport 8080 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
```

but I am still unable to get a connection, so I must be missing something here.

I have another, more general question:

Do I even need the rule from above? Because if you look at the output from `iptables-save -c`, shouldn't this case be covered by this rule?

```
[57835076:64368677647] -A FORWARD -d 192.168.0.0/16 -i ppp0 -j ACCEPT
```

I think it would be really helpful if I could get rule tracing to work somehow.

----------

## spielc

Damn it... Now I kinda feel stupid... I just tried to access the page from outside our local network via the public IP of the router and voilà, now it works.

Thanks for your help guys...

P.S. It would still be cool if one of the iptables-gurus could answer the questions from my earlier posts in this thread.

----------

## Hu

Since you ultimately allow any traffic from ppp0 to be forwarded, the rule I noted above is not required as-is. However, since your configuration is insecure at the moment, I assumed you would be locking it down eventually and that the rule I noted would become important at that point.
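The two points Hu makes in this thread (the FORWARD chain sees the destination port as rewritten by DNAT, and the DNAT rule bound to `-i ppp0` never fires for connections that arrive on br0, which is why testing via the public IP from inside the LAN failed) both follow from the order in which netfilter evaluates its hooks: nat PREROUTING runs before the routing decision, which runs before filter FORWARD. The following toy model, added here by the editor and not posted by anyone in the thread, walks a packet through that order. Only 192.168.2.30 and the rule semantics come from the thread; the router addresses 192.168.2.1 and 203.0.113.10 and the client addresses are constructed, and the FORWARD policy is set to DROP to show the behaviour once the firewall is locked down (the thread's actual policy is ACCEPT).

```python
"""Toy model of the netfilter hook order relevant to DNAT port forwarding.

Order modelled: nat PREROUTING (DNAT) -> routing decision -> filter FORWARD.
This is an illustration of iptables semantics, not a reimplementation of them.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Constructed: the router's own br0 address and its ppp0 public address (assumed).
ROUTER_ADDRESSES = {"192.168.2.1", "203.0.113.10"}


@dataclass(frozen=True)
class Packet:
    in_iface: str  # interface the packet arrived on (ppp0 or br0)
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """One iptables rule: every match that is set (-i, -d, --dport) must hold."""
    target: str                           # ACCEPT, DROP or DNAT
    in_iface: Optional[str] = None        # -i
    dst: Optional[str] = None             # -d (exact host, i.e. /32)
    dport: Optional[int] = None           # --dport
    to: Optional[Tuple[str, int]] = None  # --to-destination for DNAT

    def matches(self, pkt: Packet) -> bool:
        return ((self.in_iface is None or self.in_iface == pkt.in_iface)
                and (self.dst is None or self.dst == pkt.dst)
                and (self.dport is None or self.dport == pkt.dport))


def nat_prerouting(pkt: Packet, rules: List[Rule]) -> Packet:
    """The first matching DNAT rule rewrites the destination; later rules are skipped."""
    for rule in rules:
        if rule.target == "DNAT" and rule.matches(pkt):
            return replace(pkt, dst=rule.to[0], dport=rule.to[1])
    return pkt


def routing_decision(pkt: Packet) -> str:
    """Packets addressed to the router itself go to INPUT, all others to FORWARD."""
    return "INPUT" if pkt.dst in ROUTER_ADDRESSES else "FORWARD"


def filter_chain(pkt: Packet, rules: List[Rule], policy: str) -> str:
    """First matching filter rule decides; otherwise the chain policy applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy


def deliver(pkt: Packet, dnat_rules: List[Rule], forward_rules: List[Rule],
            forward_policy: str = "DROP") -> str:
    """Walk the hooks in kernel order and report where the packet ends up."""
    nated = nat_prerouting(pkt, dnat_rules)
    if routing_decision(nated) == "INPUT":
        return f"INPUT on router {nated.dst}:{nated.dport} (no DNAT applied)"
    verdict = filter_chain(nated, forward_rules, forward_policy)
    if verdict == "ACCEPT":
        return f"FORWARD to {nated.dst}:{nated.dport}"
    return f"{verdict} in FORWARD ({nated.dst}:{nated.dport} seen post-NAT)"


# The thread's DNAT rule: -i ppp0 -p tcp --dport 26080 -j DNAT --to 192.168.2.30:8080
DNAT_RULES = [Rule("DNAT", in_iface="ppp0", dport=26080, to=("192.168.2.30", 8080))]

# FORWARD rule as first posted (pre-NAT port) and as Hu corrected it (post-NAT port).
FORWARD_PRE_NAT_PORT = [Rule("ACCEPT", dst="192.168.2.30", dport=26080)]
FORWARD_POST_NAT_PORT = [Rule("ACCEPT", dst="192.168.2.30", dport=8080)]


def scenarios() -> dict:
    # Constructed clients: one on the Internet side, one on the LAN using the public IP.
    from_internet = Packet("ppp0", "198.51.100.7", "203.0.113.10", 26080)
    from_lan = Packet("br0", "192.168.2.50", "203.0.113.10", 26080)
    return {
        "internet, --dport 26080": deliver(from_internet, DNAT_RULES, FORWARD_PRE_NAT_PORT),
        "internet, --dport 8080": deliver(from_internet, DNAT_RULES, FORWARD_POST_NAT_PORT),
        "lan via public ip": deliver(from_lan, DNAT_RULES, FORWARD_POST_NAT_PORT),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:26} -> {outcome}")
```

With a DROP policy the first scenario is dropped in FORWARD because the chain sees port 8080, not 26080; the second is forwarded; the third never reaches FORWARD at all, since the DNAT rule is restricted to ppp0 and the packet is addressed to the router itself, so it is delivered locally, which is why the test from inside the LAN failed while the test from outside succeeded.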

----------

## spielc

*Hu wrote:*

> Since you ultimately allow any traffic from ppp0 to be forwarded, the rule I noted above is not required as-is. However, since your configuration is insecure at the moment, I assumed you would be locking it down eventually and that the rule I noted would become important at that point.

Thanks for the explanation!
