# iptables forwarding to dmz fails [SOLVED]

## gondolin

I'm trying to forward HTTP traffic from the internet (eth2) towards my DMZ server (eth0), but no luck.

```
## Incoming rules

# Allow only existing connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Forward port 8080 from Internet (eth2) to DMZ (eth0)
iptables -A PREROUTING -t nat -i eth2 -p tcp --dport 8080 -j DNAT --to IP-DMZ-SERVER:8080

# Allow only NEW from the internal network
#iptables -A INPUT -m state --state NEW -i ! eth1 -j LOG
iptables -A INPUT -m state --state NEW -i ! eth2 -j ACCEPT

# Allow only NEW on port 8080 from Internet (eth2) to DMZ (eth0)
iptables -A INPUT -p tcp -m state --state NEW --dport 8080 -i eth2 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW --dport 8080 -i eth0 -j ACCEPT

## Internal to External rules

# Enable masquerading (natting) to allow LAN internet access
iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE

# Forward LAN traffic from eth0 to internet interface eth2
iptables -I FORWARD -i eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Deny outgoing traffic for following IP's

# Drop all the rest
iptables -P INPUT DROP
```

Anyone that can help?

Last edited by gondolin on Sun Dec 10, 2006 10:19 am; edited 1 time in total

----------

## erik258

What's going on? That is, what is the symptom? Which rules aren't working?

----------

## gondolin

I suppose those two, because I can't connect from the internet to my DMZ machine:

```
iptables -A PREROUTING -t nat -i eth2 -p tcp --dport 8080 -j DNAT --to IP-DMZ-SERVER:8080

# Allow only NEW on port 8080 from Internet (eth2) to DMZ (eth0)
iptables -A INPUT -p tcp -m state --state NEW --dport 8080 -i eth2 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW --dport 8080 -i eth0 -j ACCEPT
```

----------

## erik258

Have you tried from outside your network? What's your IP? Let me hit port 8080 from here.

----------

## erik258

Did you enable IP forwarding in the kernel?

----------

## gondolin

Yes, I have tried it from work, and forwarding is enabled in the kernel; it works between Internet and LAN.

I'm used to Checkpoint at work, so iptables at home: it works for the LAN, but forwarding to the DMZ :Sad:

----------

## pteppic

What do you have in your FORWARD chain?

Try it (FORWARD) with these two too:

```
iptables -A INPUT -p tcp -m state --state NEW --dport 8080 -i eth2 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW --dport 8080 -i eth0 -j ACCEPT
```

----------

## gondolin

Yes, I tried this already:

```
INT="eth2"
DMZ="eth0"
LAN="eth1"
DMZ_SRV="192.xxx.xxx.xxx"

# Flush all rules
iptables -F; iptables -t nat -F; iptables -t mangle -F

## Incoming rules

# Allow only existing connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Forward port 8080 from Internet to DMZ
iptables -A PREROUTING -t nat -i ${INT} -p tcp --dport 8080 -j DNAT --to ${DMZ_SRV}:8080

# Allow only NEW from the LAN & DMZ network
iptables -A INPUT -m state --state NEW -i ! ${INT} -j ACCEPT

# Allow only NEW on port 8080 from Internet to DMZ
iptables -A INPUT -p tcp -m state --state NEW --dport 8080 -i ${INT} -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW --dport 8080 -i ${DMZ} -j ACCEPT

## Internal to External rules

# Enable masquerading (natting) to allow LAN internet access
iptables -t nat -A POSTROUTING -o ${INT} -j MASQUERADE

# Forward LAN traffic from eth0 to internet interface eth2
iptables -I FORWARD -i ${INT} -m state --state ESTABLISHED,RELATED -j ACCEPT

# Drop all the rest
iptables -P INPUT DROP
```

----------

## pteppic

You misunderstand, I mean use the rules in your FORWARD chain:

```
iptables -A FORWARD -p tcp -m state --state NEW --dport 8080 -i ${INT} -j ACCEPT
iptables -A FORWARD -p tcp -m state --state NEW --dport 8080 -i ${DMZ} -j ACCEPT
```
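To make pteppic's point concrete, here is an added example (not a script from the thread) of a ruleset that pairs the DNAT in nat/PREROUTING with an explicit accept in filter/FORWARD, and closes FORWARD by default instead of leaving it on the ACCEPT policy seen later in the thread. Interface names follow the thread; the DMZ address 172.16.0.2 is taken from the posted listing, and `IPT` is an assumed variable so the commands can be previewed with `IPT=echo`.

```shell
#!/bin/sh
# Added example, not from the thread. IPT=echo prints the commands instead of applying them.
IPT="${IPT:-iptables}"
INT="eth2"           # internet side
DMZ="eth0"           # dmz side
LAN="eth1"           # lan side
DMZ_SRV="172.16.0.2" # dmz web server, from the posted listing

apply_rules() {
    # Start clean and deny by default: nothing is forwarded unless a rule below allows it.
    $IPT -F; $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Replies to connections already tracked, both to the firewall and through it.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The firewall host itself accepts new connections only from LAN and DMZ.
    $IPT -A INPUT -m state --state NEW ! -i "$INT" -j ACCEPT

    # Publish the DMZ web server: rewrite the destination in nat/PREROUTING, then
    # let the rewritten packet through filter/FORWARD. FORWARD sees the post-DNAT
    # destination, so the accept matches on the DMZ address, not the public one.
    $IPT -t nat -A PREROUTING -i "$INT" -p tcp --dport 8080 -j DNAT --to-destination "${DMZ_SRV}:8080"
    $IPT -A FORWARD -i "$INT" -o "$DMZ" -p tcp -d "$DMZ_SRV" --dport 8080 -m state --state NEW -j ACCEPT

    # LAN may open connections to the internet and to the DMZ; the DMZ gets no rule
    # towards the LAN, so the FORWARD DROP policy keeps a compromised DMZ host out.
    $IPT -A FORWARD -i "$LAN" -o "$INT" -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$DMZ" -m state --state NEW -j ACCEPT

    # Masquerade everything leaving towards the internet.
    $IPT -t nat -A POSTROUTING -o "$INT" -j MASQUERADE
}
```

Source the file and call `apply_rules`; with `IPT=echo` exported first it only prints the rules, which is a cheap way to review them before loading.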

----------

## erik258

Why not post the output of `iptables -L -v` and `iptables -t nat -L -v`, so that we all can see which chains are matching packets?

----------

## gondolin

Here we go, and still no luck.

But I don't see any traffic!!

```
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   61  4570 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
   36  2884 ACCEPT     all  --  !eth2  any     anywhere             anywhere            state NEW

Chain FORWARD (policy ACCEPT 43M packets, 21G bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  eth2   eth0    anywhere             gondor              tcp dpt:http-alt
    0     0 ACCEPT     tcp  --  eth2   any     anywhere             anywhere            state NEW tcp dpt:http-alt
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            state NEW tcp dpt:http-alt

Chain OUTPUT (policy ACCEPT 1331K packets, 254M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain PREROUTING (policy ACCEPT 960K packets, 79M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth2   any     anywhere             anywhere            tcp dpt:http-alt to:172.16.0.2:8080

Chain POSTROUTING (policy ACCEPT 192K packets, 14M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  any    eth2    anywhere             anywhere

Chain OUTPUT (policy ACCEPT 108K packets, 8443K bytes)
 pkts bytes target     prot opt in     out     source               destination
```

Last edited by gondolin on Fri Dec 08, 2006 8:05 pm; edited 1 time in total

----------

## erik258

```
davey ~ # iptables -L -v
Chain INPUT (policy ACCEPT 2317K packets, 485M bytes)
 pkts bytes target     prot opt in     out     source               destination
20460 7396K ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:smtp
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:smtp
   89 17986 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:smtp
 737K  402M ACCEPT     all  --  lo     any     anywhere             anywhere
 128K   11M ACCEPT     all  --  ath0   any     anywhere             anywhere
  26M 3633M ACCEPT     all  --  eth1   any     anywhere             anywhere
    0     0 REJECT     udp  --  eth0   any     anywhere             anywhere            udp dpt:bootps reject-with icmp-port-unreachable
    0     0 REJECT     udp  --  eth0   any     anywhere             anywhere            udp dpt:domain reject-with icmp-port-unreachable
  388 35104 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:ssh
37195 1805K DROP       tcp  --  eth0   any     anywhere             anywhere            tcp dpts:0:1023
 630K  219M DROP       udp  --  eth0   any     anywhere             anywhere            udp dpts:0:1023

Chain FORWARD (policy DROP 2828 packets, 174K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  eth1   eth1    anywhere             anywhere
 140M   90G ACCEPT     all  --  any    any     192.168.0.0/16       anywhere
    0     0 ACCEPT     all  --  eth1   any     192.168.0.0/16       anywhere
    0     0 ACCEPT     all  --  ath0   any     192.168.0.0/16       anywhere
 113M   97G ACCEPT     all  --  eth0   any     anywhere             192.168.0.0/16
    0     0 ACCEPT     all  --  any    any     davey.spore.ath.cx   anywhere

Chain OUTPUT (policy ACCEPT 29M packets, 4987M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  any    eth0    localhost            anywhere            tcp dpt:courier
```

and for nat...

```
davey ~ # iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 7137K packets, 940M bytes)
 pkts bytes target     prot opt in     out     source               destination
36749 2203K DNAT       tcp  --  eth0   any     anywhere             anywhere            tcp dpt:ssh to:192.168.1.99:22
 2720  152K DNAT       tcp  --  eth0   any     anywhere             anywhere            tcp dpt:http to:192.168.1.99:80
    7   356 DNAT       tcp  --  eth0   any     anywhere             anywhere            tcp dpt:222 to:192.168.1.1:22
   17   844 DNAT       tcp  --  eth0   any     anywhere             anywhere            tcp dpt:223 to:192.168.1.100:22

Chain POSTROUTING (policy ACCEPT 206K packets, 12M bytes)
 pkts bytes target     prot opt in     out     source               destination
2825K  226M MASQUERADE  all  --  any    eth0    anywhere             anywhere

Chain OUTPUT (policy ACCEPT 157K packets, 9386K bytes)
 pkts bytes target     prot opt in     out     source               destination
```

----------

## gondolin

It's working. I have run my firewall script again and now I can log in. Thanks all for helping me.

----------

