# Forward ports to alias ip (iptables)

## dj_farid

I have one box with two NICs. One NIC has a public IP facing the Internet.

The other one is set up as this:

```
config_eth1=( "192.168.0.1 netmask 255.255.255.0 broadcast 192.168.0.255"
              "192.168.0.200 netmask 255.255.255.0 broadcast 192.168.0.255" )
```

I have rtorrent running on this box. Rtorrent is the only program running on 192.168.0.200.

When I run rtorrent I can see that it is binding this ip just the way I want it.

How do I open up ports to rtorrent from the Internet?

This does not work anymore, which did before I made the alias to bind rtorrent to:

```
$IPTABLES -A INPUT --protocol tcp --dport 31111:31115 -j ACCEPT
$IPTABLES -A INPUT --protocol udp --dport 31111:31115 -j ACCEPT
```

This does not work either (which I thought would):

```
$IPTABLES -t nat -A PREROUTING -p tcp --dport 31111:31115 -j DNAT --to-destination 192.168.0.200
$IPTABLES -t nat -A PREROUTING -p udp --dport 31111:31115 -j DNAT --to-destination 192.168.0.200
```

Please help explain why it is not connectable from Internet, and how to fix it.

----------

## pteppic

You may need to -A FORWARD rules too.

----------

## jcat

In fact, I don't believe you need the input rules for this, just the forwarding rules.  If it works without the input rules then remove them.

Cheers,

jcat

----------

## bushvin

Make sure packet forwarding is enabled.

In /etc/sysctl.conf:

```
# was: net.ipv4.ip_forward = 0
net.ipv4.ip_forward = 1
```

Run this if you changed the above:

```
sysctl -p
```

You'll need to activate masquerading:

```
iptables -t nat -A POSTROUTING -o ethx -j MASQUERADE
```

Then you'll need to forward packets:

```
iptables -t nat -A PREROUTING -i ethx -p tcp --dport 31111:31115 -j DNAT --to 192.168.0.200
iptables -t nat -A PREROUTING -i ethx -p udp --dport 31111:31115 -j DNAT --to 192.168.0.200
iptables -A FORWARD -i ethx -p tcp --dport 31111:31115 -d 192.168.0.200 -j ACCEPT
iptables -A FORWARD -i ethx -p udp --dport 31111:31115 -d 192.168.0.200 -j ACCEPT
```

where ethx is your external NIC.

That'll be about it. This'll work if you do not have a firewall. If you do have a firewall, use -I <number> instead of -A to insert the iptables commands before the DROP rule.

Be careful with this, as the above iptables rules will not safeguard you from the internet. That's a completely different story.

Will.

----------

## dj_farid

Thanks!

FORWARD seems to do it. That I understand now.

Do I need the PREROUTING --to-destination, since the interface is in the same local box?

(I did some tests, and it seems to be the same both with and without the PREROUTING)

I realize now that I have some reading up to do.

----------

## bushvin

The prerouting bit is used when you have configured your firewall to drop anything incoming at all.

If you do not do that, the PREROUTING bit takes care that data sent to this specific service (i.e. port) can be forwarded to the host specified in its destination.

At least, that's what I think it does, as I'm currently still reading up. So don't flame me if I'm wrong.

But besides that, I'm glad your problem is sorted.

Don't forget to put [SOLVED] in your message subject when it's solved.

Will.

----------

## dj_farid

If I do not have INPUT open for those ports, I can not connect with telnet to the rTorrent listening port. So I need to have INPUT accept.

If I do not have both FORWARD and PREROUTING, the torrent sites report me as "not connectable".

I guess that I need to have all three for things to work as they are supposed to.

I still do not understand this completely. The search for wisdom continues.

----------

## pteppic

Do a Google search for iptables diagram, there are a few good ones around that explain the logic of how the chains are 'navigated' by packets.

----------

## dj_farid

Yeah I have seen several diagrams. For example the one on this page:

http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables

Still I think it is a bit strange. In some way the packets are to/from the firewall, and in some cases they are not.

According to the diagram on that page, and the way I understood it earlier, a packet going through INPUT does not traverse FORWARD, ever.

Still I need to have INPUT in order to be able to connect to the open port. AND I need to have the ports FORWARD and PREROUTING in order for the bittorrent tracker to know that I am connectable.

Also all the packets generated by rtorrent seem to go out through OUTPUT (which I can buy since it's generated on the local machine). This means that the packets go out a different way than they come in, since they needed FORWARD to get in.

----------

## Hu

Packets destined to the local machine do not traverse FORWARD.  You do not need a FORWARD rule to allow packets to be received by a program running on the machine.  However, you do need to accept them in the PREROUTING chain.  If the packet is dropped in PREROUTING, then it never proceeds to INPUT or FORWARD.

On the other hand, if the program receiving the connection is inside the LAN, then the Gentoo machine doing NAT must allow the packet in PREROUTING and FORWARD, but does not need to allow the packet in INPUT.  In such a situation, the connection will be sent to the internal machine and that machine will be responsible for sending a SYN|ACK or RST as appropriate.

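A small illustration of the traversal Hu describes, added here and not taken from the thread: it walks an incoming packet through nat PREROUTING and the routing decision, showing why a DNAT to an address configured on the box itself still lands in INPUT rather than FORWARD. The public address 203.0.113.10 is a constructed placeholder; the 192.168.0.x addresses and the 31111:31115 range are the thread's.

```shell
#!/bin/sh
# Model of netfilter chain traversal for an incoming packet (illustration only,
# not the thread's own rules). Addresses configured on the box: the public NIC
# (203.0.113.10 is a constructed placeholder) plus the two eth1 addresses.
LOCAL_ADDRS="203.0.113.10 192.168.0.1 192.168.0.200"
DNAT_TARGET="192.168.0.200"   # --to-destination from the PREROUTING rules
DNAT_LO=31111                 # --dport 31111:31115
DNAT_HI=31115

# is_local ADDR: succeed if ADDR is one of this host's own addresses
is_local() {
    for a in $LOCAL_ADDRS; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# chain_path DST_IP DST_PORT: print the chains the packet hits, in order
chain_path() {
    dst=$1 port=$2
    path="PREROUTING"
    # nat PREROUTING runs first: the thread's DNAT matches on port only,
    # so any packet in the range gets its destination rewritten.
    if [ "$port" -ge "$DNAT_LO" ] && [ "$port" -le "$DNAT_HI" ]; then
        dst=$DNAT_TARGET
        path="$path(DNAT->$dst)"
    fi
    # Routing decision comes after PREROUTING: a destination that is
    # configured on this host (the alias included) goes to INPUT; only
    # traffic for some other host goes through FORWARD and POSTROUTING.
    if is_local "$dst"; then
        path="$path INPUT"
    else
        path="$path FORWARD POSTROUTING"
    fi
    printf '%s\n' "$path"
}

# Stand-alone run: a tracker connection to a forwarded port, an ordinary
# connection to the public address, and a packet for another LAN host.
chain_path 203.0.113.10 31111
chain_path 203.0.113.10 80
chain_path 192.168.0.50 22
```
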
----------

## dj_farid

*Hu wrote:*

> Packets destined to the local machine do not traverse FORWARD.  You do not need a FORWARD rule to allow packets to be received by a program running on the machine.  However, you do need to accept them in the PREROUTING chain.  If the packet is dropped in PREROUTING, then it never proceeds to INPUT or FORWARD.
>
> On the other hand, if the program receiving the connection is inside the LAN, then the Gentoo machine doing NAT must allow the packet in PREROUTING and FORWARD, but does not need to allow the packet in INPUT.  In such a situation, the connection will be sent to the internal machine and that machine will be responsible for sending a SYN|ACK or RST as appropriate.

This is exactly how I know it works if you have a normal setup with one box as the firewall and one box on the inside LAN.

Is rTorrent on the inside LAN since it is bound to 192.168.0.200? Or is it on the local machine since that is where the program is running?

To me it seems yes on both questions since I seem to use all three FORWARD, PREROUTING and INPUT.

----------

## Hu

It is on the local machine.  However, I have never seen a production setup where someone intentionally bound a server to an internal address that was meant to be externally visible.  If you want it to receive connections from the Internet, bind it to a public IP address or to the wildcard address.

----------

## dj_farid

The reason I have bound rtorrent to an internal ip is because I want to do some traffic shaping on the traffic sent by it.

It uses random high ports as a source port, so it is impossible to mark the traffic sent by it in another way (at least to my knowledge).

So far I think the setup works the way I want it to. I am not 100% confident on if the seeding of torrents is as effective as it used to be. There could be some dropped packets somewhere. But still it is working better than ever this way.

I would still like to understand how iptables looks at this all, and why I have to use all these different chains.

----------

