# FireHOL and port forwarding.

## Safrax

I just recently converted from OpenBSD back to Linux for my routing and firewall needs.  I'm having problems getting iptables set up how I want it.  I decided I'd rather use FireHOL to help me get some iptables rules up and going.  FireHOL works fairly well for my needs, although I'd rather make my own iptables script, but I can't since I don't have time to try to learn iptables.

Anyway, how does one set up port forwarding on FireHOL?  I'm trying to forward port 3389 from any IP address to 172.16.1.69 port 3389 on my desktop machine behind the Linux router.

Here's my current script with what I've tried.

```
version 5

server_imap_ports="tcp/2342"
client_imap_ports="default"

server_ahttp_ports="tcp/8080"
client_ahttp_ports="default"

server_mstsc_ports="tcp/3389"
client_mstsc_ports="default"

home_ips="172.16.1.254/24"

nat to-destination 172.16.1.69 inface eth0 proto tcp dport 3389

# Accept all client traffic on any interface
interface eth1 home src "${home_ips}"
        policy reject
        server "dns ftp samba dhcp ahttp ssh icmp imap" accept
        client "icmp"   accept

interface eth0 internet src not "${home_ips} ${UNROUTABLE_IPS}"
        protection strong 10/sec 10
        server "ahttp imap ssh mstsc" accept
        server ident reject with tcp-reset
        client all      accept

router internet2home inface eth0 outface eth1
        masquerade reverse
        client all      accept
        server ident    reject with tcp-reset
```

Also, why does setting up iptables have to be so hard?  PF is incredibly simple to set up...

----------

## femtotech

I'm trying to do this now and nobody ever posted a solution.  My configuration looks essentially the same as above and port forwarding isn't working.  Thanks for the help!

----------

## SpineBuster

Hi, I had the same problem. Now I use the following config, which works fine!

It should be easy to understand.

```
version 5

# The variable NAT_FORWARD_IP tells firehol to forward a specific port to a specific
# host.  The variable is stored in the format "host-port,port:range;[host...]".

server_mldonkey_ports="tcp/4662 udp/4662:4666 tcp/11970 udp/11970 udp/4694"
client_mldonkey_ports="default"

# NAT
NAT_FORWARD_IP="192.168.0.5-41200;192.168.0.9-41202;"

for IP_PORT in $(echo $NAT_FORWARD_IP | tr ";" " ")
do
        IP=$(echo $IP_PORT | grep -o "^[1234567890.]\{7,15\}-" | tr -d "-")
        for PORT in $(echo $IP_PORT | grep -o "[-,][1234567890:]*" | tr -d -- "-,")
        do
                dnat to $IP proto tcp dport $PORT
                dnat to $IP proto udp dport $PORT
        done
done

interface eth0 local
        server all                                      accept
        client all                                      accept

interface ppp+ inet
        protection strong 10/sec 10
        server "ssh" accept
# edonkey
        server mldonkey accept
        for PORT in $(echo $NAT_FORWARD_IP | grep -o "[-,][1234567890:]*" | tr -d -- "-,")
        do
                server custom forward "tcp/$PORT udp/$PORT" default accept
        done
#       server ident                                    reject with tcp-reset
        client all                                      accept

router inet2local inface ppp+ outface eth0
        masquerade reverse
        server ident                                    reject with tcp-reset
        for PORT in $(echo $NAT_FORWARD_IP | grep -o "[-,][1234567890:]*" | tr -d -- "-,")
        do
                route custom forward "tcp/$PORT udp/$PORT" default accept
        done
        client all                                      accept
```

----------
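The `grep`/`tr` loop in the config above turns the `NAT_FORWARD_IP` string into `dnat` lines, but it accepts any text that happens to match the pattern. The following is an added example, not code from the thread or from FireHOL itself: a POSIX shell version of the same parsing that validates every host and port before anything reaches the firewall, and that emits the `dnat` lines together with the router rule that forwarded packets actually need (DNAT is applied in PREROUTING, so the rewritten packets traverse the FORWARD chain, i.e. the FireHOL `router`, rather than the interface's INPUT rules). The interface names `ppp+` and `eth0` and the router name `inet2local` are reused from the config above; the function names are the example's own.

```shell
# Added example (not from the thread, not FireHOL's own code): generate the
# FireHOL lines for a port-forward spec in the "host-port,port:range;[host...]"
# form used above, refusing malformed entries instead of silently emitting rules.

# valid_ip A.B.C.D: exactly four dotted-decimal octets, each 0-255
valid_ip() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# valid_port P: a single port 1-65535, or a FireHOL range lo:hi with lo <= hi
valid_port() {
    case "$1" in
        ''|*[!0-9:]*|:*|*:|*:*:*) return 1 ;;
    esac
    lo=${1%%:*}
    hi=${1##*:}
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# forward_rules SPEC: print the dnat lines for every host/port in SPEC plus a
# router that accepts the forwarded traffic. Prints nothing to stdout and
# returns 1 if any entry is malformed, so a typo in the spec cannot forward
# the wrong port or point at the wrong host.
forward_rules() {
    spec=$1
    nat=""
    svc=""
    for entry in $(printf '%s' "$spec" | tr ';' ' '); do
        host=${entry%%-*}
        ports=${entry#*-}
        if [ "$host" = "$entry" ] || ! valid_ip "$host"; then
            echo "forward_rules: bad host in '$entry'" >&2
            return 1
        fi
        for port in $(printf '%s' "$ports" | tr ',' ' '); do
            if ! valid_port "$port"; then
                echo "forward_rules: bad port in '$entry'" >&2
                return 1
            fi
            nat="${nat}dnat to $host inface ppp+ proto tcp dport $port
dnat to $host inface ppp+ proto udp dport $port
"
            svc="$svc tcp/$port udp/$port"
        done
    done
    if [ -z "$svc" ]; then
        echo "forward_rules: empty spec" >&2
        return 1
    fi
    printf '%s' "$nat"
    # DNAT happens in PREROUTING; the rewritten packets then go through
    # FORWARD, which FireHOL models as a router, so this is the accept they need.
    printf 'router inet2local inface ppp+ outface eth0\n'
    printf '        masquerade reverse\n'
    printf '        route custom forward "%s" default accept\n' "${svc# }"
}

# Usage: forward_rules "192.168.0.5-41200;192.168.0.9-41202,4662:4666;"
```

Run it once by hand and paste the output into the FireHOL config, or `source` it from the config and call `forward_rules "$NAT_FORWARD_IP"` there; either way a bad entry aborts with a message rather than leaving a half-applied forward. After `firehol start`, `iptables -t nat -L PREROUTING -n` should show one DNAT rule per emitted `dnat` line.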

