# iptables internal port forwarding

## Adm.Wiggin

I have followed the Gentoo "Home Router Guide" (http://www.gentoo.org/doc/en/home-router-howto.xml) and have a working NAT router box.

I started adding Port Forwarding, as per the instructions at the bottom, and have run into some issues that I cannot seem to solve after hours of reading and trying different things.  Here's the situation.

For reference, here's the port forwarding code from the HOWTO (for http, as our example):

```
iptables -t nat -A PREROUTING -p tcp --dport 80 -i ${WAN} -j DNAT --to ${INTERNAL_WEBSERVER_IP}
```

When setting up port forwarding exactly as described, it works, but only from (arbitrary external machine) -> (my external ip).  Any request like (internal ip) -> (external ip) doesn't get forwarded to the proper location.

I changed the code to the following, to see if it would change anything, and external forwarding still works, but internal forwarding still doesn't, so I've gained nothing:

```
iptables -t nat -A PREROUTING -p tcp --dport 80 -d ${EXTERNAL_IP} -j DNAT --to ${INTERNAL_WEBSERVER_IP}
```

I tried something else: I grabbed a valid IP address for "google.com" and put that in place of my internal webserver ip, creating the following:

```
iptables -t nat -A PREROUTING -p tcp --dport 80 -d ${EXTERNAL_IP} -j DNAT --to ${GOOGLE_IP}
```

I connect, and google.com shows up, leading me to believe that it reroutes the packet to the proper ip, but doesn't reroute it to the appropriate interface (${LAN} instead of ${WAN}).

My question, then, is how to successfully forward all port 80 packets destined for our ${EXTERNAL_IP}, internal or external, to the internal webserver?

----------

## DawgG

do you want completely unfiltered web-access for all internal hosts or do you only want http (port 80) access (for certain internal host(s))?

for full access for any internal host you could do sth like:

```
# MASQUERADE is only valid in POSTROUTING (matched on the outgoing interface); ${...} is the shell variable syntax, $(...) would run a command
iptables -t nat -I POSTROUTING 1 -o ${WAN} -j MASQUERADE
```

for only port 80-access to all external servers for a certain host you could do:

```
# --dport needs a protocol (-p tcp); MASQUERADE again belongs in POSTROUTING
iptables -t nat -I POSTROUTING 1 -s ${HOST} -p tcp --dport 80 -o ${WAN} -j MASQUERADE
```

this of course assumes that all rules are in working order and that the default (last) rule is DROP.

GOOD LUCK!

----------

## Adm.Wiggin

It seems as though you have misunderstood me.

I'm not trying to allow internet access for internal hosts; I have that.

I'm trying to setup port forwarding to act like it does on almost all off-the-shelf routers I have ever used, such that if our external ip is accessed from the outside, the request is redirected to the proper host (which works, as per the guide), but also so that if our external ip is accessed from within the network, the request is still redirected to the proper host (which doesn't work, but I'm trying to figure out how one would go about making it so).

----------

## DawgG

it has to work quite easily, i'm sure it's only a small thing to adjust.

do you have some kind of dmz, or is the (internal?) host to be accessed from the external ip on the same net as the hosts supposed to access it? are there any rules on the host to be accessed? how about routing on the involved hosts?

----------

## Adm.Wiggin

I'm not sure what a DMZ is, but the webserver machine is indeed on the same network as the internal machines trying to access it.  There aren't any special rules regarding traffic either to the webserver machine or otherwise, just the stuff you can already find in the Home Router Guide.  I'll post my entire iptables setup script if you're interested in seeing it, but it really is just what you see for iptables setup in the guide.

----------

## DawgG

so the webserver and the machines supposed to access it are on the same subnet and plugged into the same switch/hub?

is it necessary that the internal machines access the server with its external ip (logs, stats, sth.?) or could they use its "local" ip?

have you tried accessing the server's local ip with an internal client? try that if it's ok.

GOOD LUCK!

----------

## Adm.Wiggin

Yes, they are all plugged into the same switch.  Accessing the "local" ip works great, but then if I move outside the LAN, the local ip (obviously) doesn't work anymore and I have to change my URL.  DNS is one solution, but I'd hoped to avoid that, since this really is a standard feature of many off-the-shelf routers.
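What the thread is asking for is usually called hairpin NAT or NAT loopback. The following is an added example, not code from the thread or from the Gentoo guide; the interface name, subnet and addresses are constructed placeholders. It shows the two pieces the guide's single DNAT rule lacks for the inside-to-outside-address case: matching on the destination address rather than `-i ${WAN}`, and rewriting the LAN client's source address so the web server's replies come back through the router.

```shell
#!/bin/sh
# Hairpin NAT (NAT loopback) for a forwarded port.  Added example, not from
# the thread or the Gentoo guide; names and addresses are placeholders.
WAN=eth0                        # interface toward the ISP (hypothetical)
LAN_NET=192.168.1.0/24          # internal subnet (hypothetical)
EXTERNAL_IP=203.0.113.10        # router's public address (documentation range)
INTERNAL_WEBSERVER_IP=192.168.1.20

# IPT=echo prints the rules instead of applying them (no root needed).
IPT=${IPT:-iptables}

hairpin_rules() {
    # 1. Match on the destination address, not "-i $WAN": a LAN client that
    #    connects to EXTERNAL_IP also passes through PREROUTING and must be
    #    DNATed there too.
    "$IPT" -t nat -A PREROUTING -p tcp --dport 80 -d "$EXTERNAL_IP" \
        -j DNAT --to-destination "$INTERNAL_WEBSERVER_IP"

    # 2. The hairpin itself.  After DNAT, a LAN client's packet leaves via the
    #    LAN interface still carrying the client's own source address, so the
    #    web server replies directly to the client.  The client sees a reply
    #    from 192.168.1.20 for a connection it opened to 203.0.113.10 and
    #    resets it.  Masquerading the source (router's LAN address) forces the
    #    reply back through the router, where conntrack reverses the DNAT.
    "$IPT" -t nat -A POSTROUTING -p tcp --dport 80 -s "$LAN_NET" \
        -d "$INTERNAL_WEBSERVER_IP" -j MASQUERADE

    # 3. Let the forwarded flow and its replies through FORWARD (the guide's
    #    policy there is DROP).
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -p tcp -d "$INTERNAL_WEBSERVER_IP" --dport 80 \
        -m state --state NEW -j ACCEPT
}

# Apply only when explicitly asked: "sh hairpin.sh apply" (as root).
if [ "${1:-}" = apply ]; then
    hairpin_rules
fi
```

One side effect worth knowing before adopting this: because of rule 2, the web server's logs will show every internal client as the router's LAN address, which is the trade-off DawgG's "logs, stats?" question hints at.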
