# routing "internal" connections with iptables

## pid

Currently my web stack is running inside a qemu-KVM guest on my dedicated server. Networking is done via NAT; the PREROUTING rules work well, and all outside traffic on port 80/443 is routed to the internal IP (192.168.100.1) of my guest. The thing I can't figure out is how to reach the httpd internally, from the host and the guest, which is bad, because a Squid that needs local access is running on the host.

So, when trying to access the httpd using "GET <mydomain>" from both systems, I get a "Connection refused", as on the host there is no httpd running anymore.

What I'm trying to achieve now is that all connections from the aforementioned systems (host/guest) with the destination $my_wan_ip, localhost or $my_internal_host_ip on port 80 & 443 get routed to the httpd running inside the KVM container, exactly as it works when connecting from outside.

```
iptables -t nat -A PREROUTING -p tcp -i lo --dest $my_wan[/internal]_ip [or localhost] --dport 80 -j DNAT --to-destination 192.168.100.1:80
```

doesn't work.

A legend for my network setup: tap0 is the guest's network device, br0 the bridge connecting to eth0, and the host's internal IP is 192.168.100.254.

As you can see, my knowledge of S/DNAT rules is somewhat limited as of now; any suggestions on the issue? Could a FORWARD rule be sufficient? If so, which one?

I'd be thankful for any advice/hint in the right direction; the iptables command I need to issue would be awesome!

----------
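
As an added example that is not part of the original thread, the script below emits (or, run as root with `DRY_RUN=0`, applies) the nat rules the question is asking for. The point it demonstrates: a PREROUTING rule with `-i eth0` is never consulted for connections that start on the host itself (those traverse the nat OUTPUT chain) or inside the guest (those arrive from the LAN side), and both cases additionally need an SNAT in POSTROUTING so the guest sends its replies back through the host instead of answering a SYN that appears to come from itself or from 127.0.0.1. The WAN address `203.0.113.10` is a placeholder from the documentation range, and the script assumes the guest's default route points at the host; the guest and host LAN addresses are the ones given in the question.

```shell
#!/bin/sh
# Added example, not code from the thread above. It emits (or, run as root with
# DRY_RUN=0, applies) the nat rules the posted ruleset lacks: its PREROUTING
# rules only match packets entering on eth0, so connections opened on the host
# itself or inside the guest never hit them. The filter table needs no change,
# FORWARD already has policy ACCEPT.
#
# Assumptions not stated on the page: WAN_IP is a placeholder from the
# 203.0.113.0/24 documentation range; the guest's default route points at the
# host (it must, since outbound NAT through the host already works).
WAN_IP="${WAN_IP:-203.0.113.10}"
HOST_LAN_IP="${HOST_LAN_IP:-192.168.100.254}"
GUEST_IP="${GUEST_IP:-192.168.100.1}"
LAN="${LAN:-192.168.100.0/24}"
PORTS="${PORTS:-80 443}"
ACTION="${ACTION:--A}"    # ACTION=-D removes exactly the rules this script added
DRY_RUN="${DRY_RUN:-1}"   # 1: print the commands, 0: run iptables for real

# Print the rule in dry-run mode, otherwise hand it to iptables.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Connections opened on the host (Squid, curl, a browser on the host) are
# locally generated: they pass through the nat OUTPUT chain, never PREROUTING.
host_local_rules() {
    for dst in "$WAN_IP" "$HOST_LAN_IP" 127.0.0.1; do
        for port in $PORTS; do
            run -t nat "$ACTION" OUTPUT -p tcp -d "$dst" --dport "$port" \
                -j DNAT --to-destination "$GUEST_IP:$port"
        done
    done
}

# Connections opened inside the guest to the WAN or host-LAN address arrive
# from the LAN side, so they need their own PREROUTING DNAT (no "-i eth0").
guest_hairpin_rules() {
    for dst in "$WAN_IP" "$HOST_LAN_IP"; do
        for port in $PORTS; do
            run -t nat "$ACTION" PREROUTING -s "$LAN" -p tcp -d "$dst" --dport "$port" \
                -j DNAT --to-destination "$GUEST_IP:$port"
        done
    done
}

# Every DNATed connection that did not come from the outside gets the host's
# LAN address as source. Without this the guest would receive a SYN from
# itself (hairpin case) or from 127.0.0.1 (host case), answer it directly and
# never pass the reply back through the host's conntrack entry. Traffic from
# the internet keeps its real source address, so the guest's logs stay useful.
snat_rules() {
    for src in "$LAN" 127.0.0.0/8 "$WAN_IP"; do
        run -t nat "$ACTION" POSTROUTING -s "$src" -d "$GUEST_IP" -p tcp \
            -m conntrack --ctstate DNAT -j SNAT --to-source "$HOST_LAN_IP"
    done
}

internal_dnat_rules() {
    host_local_rules
    guest_hairpin_rules
    snat_rules
}

# Number of rules the script manages, computed from a dry run.
internal_dnat_rule_count() {
    ( DRY_RUN=1; internal_dnat_rules ) | grep -c '^iptables '
}

internal_dnat_rules
```

Run it once with the default `DRY_RUN=1` to review the 13 commands, then `DRY_RUN=0 sh internal-dnat.sh` as root to load them and `ACTION=-D DRY_RUN=0 sh internal-dnat.sh` to take exactly those rules out again. To check that the right chains are being hit, re-run `iptables-save -c` after a request from Squid on the host and after a `curl` inside the guest: the packet counters on the new OUTPUT (host case) and PREROUTING (guest case) rules should climb, and the matching POSTROUTING SNAT rule with them. No FORWARD rule is needed with the posted ruleset, since that chain's policy is already ACCEPT and forwarding is evidently enabled, otherwise the existing external DNAT would not work either.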

## mp342

I'm not sure iptables is able to do level 2 filtering as is.

You need some advanced configurations to do a transparent firewall.

----------

## Hu

OP: please post the full output of `iptables-save -c`. You may blank out the WAN IP if you wish, but we need to see the loaded rules, not some general guesses as to how they might need to be.

----------

## pid

```
# iptables-save -c
# Generated by iptables-save v1.4.12.1 on Thu Sep 29 04:15:17 2011
*nat
:PREROUTING ACCEPT [12390:740694]
:INPUT ACCEPT [12152:727563]
:OUTPUT ACCEPT [17353:1074018]
:POSTROUTING ACCEPT [13376:805796]
[49486:2691400] -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.100.1:80
[5295:285528] -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.100.1:443
[58:3384] -A PREROUTING -i eth0 -p tcp -m tcp --dport 55021 -j DNAT --to-destination 192.168.100.1:21
[361271:23342767] -A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Sep 29 04:15:17 2011
# Generated by iptables-save v1.4.12.1 on Thu Sep 29 04:15:17 2011
*mangle
:PREROUTING ACCEPT [1146013853:921521065787]
:INPUT ACCEPT [1130733439:907298980340]
:FORWARD ACCEPT [15277245:14221911464]
:OUTPUT ACCEPT [1427835961:1772979148216]
:POSTROUTING ACCEPT [1443112701:1787201015240]
COMMIT
# Completed on Thu Sep 29 04:15:17 2011
# Generated by iptables-save v1.4.12.1 on Thu Sep 29 04:15:17 2011
*filter
:INPUT DROP [7760:2717027]
:FORWARD ACCEPT [9380540:8434907176]
:OUTPUT ACCEPT [197868227:255189820736]
[55452595:134475515326] -A INPUT -i lo -j ACCEPT
[1985357:377964181] -A INPUT -s 192.168.100.0/24 -j ACCEPT
[1061553558:768897226211] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[11732:656262] -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
[289:19228] -A INPUT -p tcp -m tcp --dport 65022 -j ACCEPT
[409431:20329197] -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
[386:20076] -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
[821:52320] -A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
[15231:848772] -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
[2808:158021] -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
[15804:823284] -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
[2634:136954] -A INPUT -p tcp -m tcp --dport 65021 -j ACCEPT
[1520:80626] -A INPUT -p tcp -m tcp --dport 45565 -j ACCEPT
[12864:646564] -A INPUT -p tcp -m tcp --dport 65128 -j ACCEPT
[283:14884] -A INPUT -p tcp -m tcp --dport 8000 -j ACCEPT
[16:936] -A INPUT -p tcp -m tcp --dport 113 -j ACCEPT
[2:92] -A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
[18928:989148] -A INPUT -p tcp -m tcp --dport 27000:28000 -j ACCEPT
[6:304] -A INPUT -p tcp -m tcp --dport 65080 -j ACCEPT
[8561320:862866803] -A INPUT -p tcp -m tcp --dport 33433:33583 -j ACCEPT
[45960:2909757] -A INPUT -p udp -m udp --dport 33433:33583 -j ACCEPT
[0:0] -A INPUT -p udp -m udp --dport 4446 -j DROP
[32:10752] -A INPUT -p udp -m udp --dport 67 -j DROP
[8:2624] -A INPUT -p udp -m udp --dport 68 -j DROP
[0:0] -A INPUT -p udp -m udp --dport 6780 -j DROP
[0:0] -A INPUT -p udp -m udp --dport 6781 -j DROP
[0:0] -A INPUT -p udp -m udp --dport 9982 -j DROP
[0:0] -A INPUT -p tcp -m tcp --dport 9982 -j DROP
[0:0] -A INPUT -p udp -m udp --dport 5678 -j DROP
[0:0] -A INPUT -p udp -m udp --dport 17500 -j DROP
[0:0] -A INPUT -p udp -m udp --dport 138 -j DROP
[0:0] -A INPUT -s 129.82.138.38/32 -p icmp -j ACCEPT
[0:0] -A INPUT -s 128.9.160.132/32 -p icmp -j ACCEPT
[5105:358874] -A INPUT -p tcp -m tcp --dport 6080 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 55222 -j ACCEPT
[1:84] -A INPUT -s 66.220.2.74/32 -p icmp -j ACCEPT
[24:1216] -A INPUT -p tcp -m tcp --dport 49567 -j ACCEPT
[2:86] -A INPUT -p udp -m udp --dport 28100:28900 -j ACCEPT
[2:84] -A INPUT -p tcp -m tcp --dport 28100:28900 -j ACCEPT
[11:660] -A INPUT -p tcp -m tcp --dport 53889 -j ACCEPT
[9034:542112] -A INPUT -s 192.168.100.1/32 -j ACCEPT
[579:90695] -A INPUT -p udp -m udp --dport 64738 -j ACCEPT
[377:22620] -A INPUT -s 192.168.100.1/32 -p tcp -m tcp --dport 2080 -j ACCEPT
[11055:663300] -A INPUT -s 192.168.100.1/32 -p tcp -m tcp --dport 45197 -j ACCEPT
[2272:136296] -A INPUT -p tcp -m tcp --dport 82 -j ACCEPT
[65:2752] -A INPUT -p tcp -m tcp --dport 81 -j ACCEPT
[158:8356] -A INPUT -p tcp -m tcp --dport 5900 -j ACCEPT
[111:6372] -A INPUT -p tcp -m tcp --dport 64738 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 19997 -j ACCEPT
[169390:9447203] -A INPUT -p tcp -m tcp --dport 48080 -j ACCEPT
[82:4920] -A INPUT -p tcp -m tcp --dport 29516 -j ACCEPT
[36176:1742105] -A INPUT -p tcp -m tcp --dport 445 -j DROP
[470688:59465520] -A INPUT -p udp -m udp --dport 6881 -j ACCEPT
[82992:13001673] -A INPUT -j LOG --log-prefix "iptables: " --log-ip-options
COMMIT
# Completed on Thu Sep 29 04:15:17 2011
```

There you go.

----------

## pid

I now use the portfwd daemon on the host to forward all internal port 80/443 requests to the internal IP; it's at least a simple workaround for the Squid.

----------

