# iptables port 80 forwarding to private network machine

## krovisser

I've been having trouble setting up a webserver on machine on my private network. I have a Gentoo box as my router.

eth0 - internet

eth1 - private lan (1.1.1.0/24)

I would like to forward all port 80 traffic to a specific address on the LAN: 1.1.1.7. So far I have been unable to get it working. Apache2 is up and running and visible going through the LAN ip.

Here are my settings so far (with some duplicates from my attempts):

```
# Generated by iptables-save v1.4.12.1 on Sun Feb 19 11:33:56 2012
*nat
:PREROUTING ACCEPT [43:2469]
:INPUT ACCEPT [30:1793]
:OUTPUT ACCEPT [23:1891]
:POSTROUTING ACCEPT [3:603]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 1.1.1.7:80
-A PREROUTING -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 80 -j DNAT --to-destination 1.1.1.7:80
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Sun Feb 19 11:33:56 2012
# Generated by iptables-save v1.4.12.1 on Sun Feb 19 11:33:56 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [27:2348]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT ! -i eth1 -p udp -m udp --dport 67 -j REJECT --reject-with icmp-port-unreachable
-A INPUT ! -i eth1 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p tcp -m tcp --dport 225 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 8834 -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 2049 -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 49152 -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 49153 -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 0:1023 -j DROP
-A INPUT -i eth0 -p udp -m udp --dport 0:1023 -j DROP
-A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 80 -j ACCEPT
-A FORWARD -s 1.1.1.0/24 -i eth1 -j ACCEPT
-A FORWARD -d 1.1.1.0/24 -i eth0 -j ACCEPT
-A FORWARD -d 1.1.1.7/32 -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Sun Feb 19 11:33:56 2012
```

Is there a way to log/track where the packets get lost? I also have a webserver running on the router on port 8080, and it shows up fine. I really think it's the forwarding part.

----------

## Kaso_da_Zmok

Yes, you want to use the "-j LOG"

Usually you will put it at the end of the table to log anything that will be dropped but you can create rules that will log whatever you want.

http://www.microhowto.info/troubleshooting/troubleshooting_iptables.html#id2680761

*Last edited by Kaso_da_Zmok on Sun Feb 19, 2012 10:07 pm; edited 1 time in total*
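As an added example (not from the thread or any of the posters), the script below shows the LOG rule Kaso_da_Zmok describes, appended as the last rule of FORWARD so it catches exactly what the chain's DROP policy is about to discard, and a small summariser for the resulting kernel log lines. The interface names follow the thread; the `FWD-DROP:` prefix, the rate limit and the sample log lines are my own constructed choices, written in the field layout the kernel's LOG target emits.

```shell
#!/bin/sh
# Added example, not from the thread: log what the FORWARD DROP policy
# discards, then summarise the kernel log lines by interface, destination
# and destination port. Set IPT=echo to review the commands instead of
# applying them (applying needs root).
IPT=${IPT:-iptables}

add_forward_logging() {
    # -A appends, so this sits after every ACCEPT rule; anything reaching it
    # would otherwise fall through to the chain's DROP policy. The limit
    # match keeps a flood from filling the log. Prefix is our own choice.
    "$IPT" -A FORWARD -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "FWD-DROP: " --log-level 4
}

summarize_drops() {
    # Reads kernel log lines on stdin; prints "IN DST DPT count",
    # most frequent first. Packets without a DPT (e.g. ICMP) show "-".
    awk '
        /FWD-DROP: / {
            in_if = ""; dst = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "IN")  in_if = kv[2]
                if (kv[1] == "DST") dst = kv[2]
                if (kv[1] == "DPT") dpt = kv[2]
            }
            if (dpt == "") dpt = "-"
            count[in_if " " dst " " dpt]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort -k4,4nr
}

# Constructed sample log lines (not captured from any real system), in the
# format the LOG target writes to the kernel log.
sample_log() {
    cat <<'EOF'
Feb 19 22:21:12 router kernel: FWD-DROP: IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=1.1.1.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=49152 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Feb 19 22:21:13 router kernel: FWD-DROP: IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=1.1.1.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=49153 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Feb 19 22:21:14 router kernel: FWD-DROP: IN=eth1 OUT=eth0 SRC=1.1.1.20 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Feb 19 22:21:15 router kernel: FWD-DROP: IN=eth0 OUT=eth1 SRC=203.0.113.77 DST=1.1.1.7 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=4 PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=1
Feb 19 22:21:16 router kernel: unrelated message
EOF
}

# Demo on the constructed lines; on a real router use e.g.
#   dmesg | summarize_drops
sample_log | summarize_drops
```

With the rule in place, a forwarded port-80 SYN that never reaches 1.1.1.7 shows up as a `FWD-DROP:` line with `IN=eth0 OUT=eth1 DST=1.1.1.7 DPT=80`, which answers the original question of where the packets are being lost; if nothing is logged, the packet never reached FORWARD and the problem is in the nat table (or routing) instead.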

----------

## Hu

What do you see if you run `tcpdump -i eth0 -n 'tcp and port 80'` on the gateway before you test the connection?

----------

## krovisser

*Hu wrote:*

> What do you see if you run tcpdump -i eth0 -n 'tcp and port 80' on the gateway before you test the connection?

`tcpdump -i eth0 -n 'tcp and port 80' > dump.txt`

```
22:21:12.641530 IP x.y.217.58.9602 > q.w.197.58.80: . 1144334288:1144334289(1) ack 61658075 win 66
22:21:12.689577 IP q.w.197.58.80 > x.y.217.58.9602: . ack 1 win 7103 <nop,nop,sack 1 [|tcp]>
22:21:15.412153 IP x.y.217.58.9737 > t.g.227.132.80: P 1327719144:1327720372(1228) ack 982588039 win 66
22:21:15.472927 IP t.g.227.132.80 > x.y.217.58.9737: . ack 1228 win 243
22:21:15.632200 IP t.g.227.132.80 > x.y.217.58.9737: . 1:1431(1430) ack 1228 win 243
22:21:15.632544 IP t.g.227.132.80 > x.y.217.58.9737: . 1431:2861(1430) ack 1228 win 243
22:21:15.632562 IP t.g.227.132.80 > x.y.217.58.9737: P 2861:3024(163) ack 1228 win 243
22:21:15.634542 IP x.y.217.58.9737 > t.g.227.132.80: . ack 3024 win 67
22:21:15.639511 IP x.y.217.58.9748 > t.g.31.120.80: S 4080867910:4080867910(0) win 8192 <mss 1460,[|tcp]>
22:21:15.820543 IP t.g.31.120.80 > x.y.217.58.9748: S 2346081148:2346081148(0) ack 4080867911 win 5720 <mss 1430,[|tcp]>
22:21:15.821406 IP x.y.217.58.9748 > t.g.31.120.80: . ack 1 win 17160
22:21:15.821923 IP x.y.217.58.9748 > t.g.31.120.80: P 1:373(372) ack 1 win 17160
22:21:16.006325 IP t.g.31.120.80 > x.y.217.58.9748: . ack 373 win 6432
22:21:16.006800 IP t.g.31.120.80 > x.y.217.58.9748: P 1:216(215) ack 373 win 6432
22:21:16.207701 IP x.y.217.58.9748 > t.g.31.120.80: . ack 216 win 16945
15 packets captured
15 packets received by filter
0 packets dropped by kernel
```

----------

## Hu

It looks to me like the connection succeeded.  x.y.217.58 SYN'd to t.g.31.120, got a SYN|ACK back, and ACK'd the SYN|ACK.  Connection successful.  What do you see that makes you think this does not work?

----------

## krovisser

Thanks. That tcpdump is from when I tried it on a LAN computer. I also just tried it from "off-site" and it works (displays the webpage). However, I'm getting "unable to connect" from within my local network, despite the responses logged above.

I think I need to add a rule for internal traffic....

----------

## Anarcho

*krovisser wrote:*

> ```
> -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 1.1.1.7:80
> ...
> ```

The second rule will never be applied as it is a subset of the first one, so you can omit it.

What is missing is a rule for the internal network as you have the "-i eth0" match which will only match external packets. So add another rule with "-i eth1".

----------

## krovisser

*Anarcho wrote:*

> *krovisser wrote:*
>
> ```
> -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 1.1.1.7:80
> ...
> ```

I've removed the near duplicate rule.

But, when I run

```
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 1.1.1.7:80
```

I cannot access any website. It's like it redirects all port 80 traffic.

----------

## Anarcho

You should also add the destination IP to this rule, otherwise it redirects all traffic, correct. The destination IP should be the IP of the server I guess. You should also add this to the other rule.
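As an added example, not from the thread or any poster, the script below puts Anarcho's advice into a complete rule set: both DNAT rules carry a `-d` match on the router's public address, so only connections aimed at that address are rewritten and ordinary web browsing from the LAN is untouched. It also adds the hairpin (NAT loopback) MASQUERADE rule that LAN clients additionally need when they reach the server through the public address, which the thread does not get to, and an audit helper that reads `iptables-save` output and reports DNAT rules with no `-d` match. Interface names, the `1.1.1.0/24` LAN and the `1.1.1.7` server come from the thread; `203.0.113.10` is a constructed placeholder for the public IP, and the `-m state` matches mirror the thread's own rules.

```shell
#!/bin/sh
# Added example (not from the thread): scoped port-80 forwarding, hairpin
# NAT for LAN clients, and an audit of iptables-save output.
# Set IPT=echo to review the generated commands; applying them needs root.
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-1.1.1.0/24}
SERVER=${SERVER:-1.1.1.7}
PUBLIC_IP=${PUBLIC_IP:-203.0.113.10}   # constructed placeholder, not from the thread
IPT=${IPT:-iptables}

# The rule krovisser tried: no "-d", so every HTTP connection leaving the
# LAN (all ordinary web browsing) is rewritten to the internal server.
weak_lan_rule() {
    "$IPT" -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$SERVER":80
}

port_forward_rules() {
    # Internet clients: rewrite only packets addressed to our public IP.
    "$IPT" -t nat -A PREROUTING -i "$WAN_IF" -d "$PUBLIC_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$SERVER":80
    # LAN clients connecting to the public address: same DNAT; the "-d"
    # match leaves their other port-80 traffic alone.
    "$IPT" -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -d "$PUBLIC_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$SERVER":80
    # Hairpin: without this the server answers the LAN client directly from
    # 1.1.1.7 while the client expects a reply from the public IP, so the
    # client rejects it. Source-NAT those connections to the router's LAN
    # address so replies return through the router and are un-DNATed there.
    "$IPT" -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -d "$SERVER" -p tcp --dport 80 \
        -j MASQUERADE
    "$IPT" -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
    # FORWARD (policy DROP): DNAT has already happened when FORWARD sees the
    # packet, so match on the server's address; then admit reply traffic.
    "$IPT" -A FORWARD -o "$LAN_IF" -d "$SERVER" -p tcp --dport 80 \
        -m state --state NEW -j ACCEPT
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Audit helper: read iptables-save output on stdin and print every DNAT rule
# with no "-d" match, i.e. one that rewrites traffic to any destination
# (the behaviour krovisser saw after adding the eth1 rule).
unscoped_dnat_rules() {
    grep -E -- '-j DNAT' | grep -E -v -- '(^| )-d '
}

# Constructed excerpt of a nat table in the thread's shape, for the audit.
sample_nat_dump() {
    cat <<'EOF'
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 1.1.1.7:80
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 1.1.1.7:80
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
EOF
}

# Demo: show the generated commands, then audit the constructed dump.
( IPT=echo; port_forward_rules )
echo "Unscoped DNAT rules in sample dump:"
sample_nat_dump | unscoped_dnat_rules
```

On a live router, `iptables-save -t nat | unscoped_dnat_rules` prints nothing once every DNAT rule is scoped; a clean first step is to flush the attempts from the thread (or restore a known-good save) and then run `port_forward_rules` once, since `-A` appends and repeated runs would stack duplicate rules.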

----------

