# iptables and port forwarding

## Rooney

I have a very simple iptables script which allows internal hosts to access the internet and forwards a single port to an internal host.

My problem is that internal hosts are unable to use the external IP address to access the forwarded port (172.16.32.2:443) so that it redirects back into the internal network.

 *Quote:*   

> ```
> #!/bin/bash
> 
> IPTABLES='/sbin/iptables'
> ...
> ```

----------

## Moriah

I ran into a similar problem years ago.  What I did was to put a static nat rule in my firewall to nat anything coming from inside addressed to the problematic ip address into the inside version of that address.

```
# nat anything from the lan or the dmz to zzzzzz.com
# from the xxx.xxx.xxx.13 address to the 192.168.2.13 address

# Perform NAT for the DMZ server zzzzzz.com
iptables -t nat -A PREROUTING -d xxx.xxx.xxx.13 \
                -j DNAT --to-destination 192.168.2.13

iptables -A FORWARD -i eth0 -o eth1 \
                -d 192.168.2.13 \
                -m state --state NEW,ESTABLISHED,RELATED \
                -j ACCEPT

iptables -A FORWARD -i eth1 -o eth0 \
                -s 192.168.2.13 \
                -m state --state ESTABLISHED,RELATED \
                -j ACCEPT
```

----------

## feystorm

 *Rooney wrote:*   

> I have a very simple iptables script which allows internal hosts to access the internet and forwards a single port to an internal host.
> 
> My problem is that internal hosts are unable to use the external IP address to access the forwarded port (172.16.32.2:443) so that it redirects back into the internal network.
> 
> ```
> ...
> ```

The "-i" parameter says to only reroute the traffic when it comes in on this interface. Since traffic coming from the internal network doesn't come in on $EXTIF, that rule won't match. The cleanest solution would be to just remove the "-i $EXTIF" on the PREROUTING rule; that way it'll match no matter what interface it comes in on.

Also, unless you're setting the default policy for the FORWARD chain to something other than ACCEPT (which you're not doing in the script you pasted), that first line there is useless, as the default already is ACCEPT. If you are setting the policy, you'll need to remove the "-i $EXTIF" from that rule as well.

EDIT:

I forgot, you'll also need to put in a "-d $MY_PUBLIC_IP" on those rules if you remove the "-i $EXTIF". Otherwise it'll match all outgoing traffic to port 443 (probably not what you want). :)
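Moriah's DNAT rules and feystorm's advice (drop "-i $EXTIF", add "-d $MY_PUBLIC_IP") describe the same fix from two angles; the script below is an added example, not code from either poster or from Rooney's script, that puts the pieces together as a complete rule set for reaching a forwarded port from inside the LAN. The interface names, the 203.0.113.10 public address, the 172.16.32.0/24 network, the IPT dry-run variable and the hairpin_rules function are all assumptions. It also adds a POSTROUTING MASQUERADE rule that the thread does not mention: without it, when client and server are on the same LAN, the server answers the client directly from its private address and the client discards the reply because it was talking to the public address. By default the script only prints the rules so it can be reviewed without root; set IPT=/sbin/iptables to apply them.

```shell
#!/bin/bash
# Added example (not from the thread): hairpin NAT so LAN clients can reach
# the forwarded service through the public address.
# All addresses, interfaces and the port are placeholders; edit to match.
# IPT defaults to "echo iptables" so the rules are printed, not applied.
EXTIF="${EXTIF:-eth0}"                          # interface facing the internet
INTIF="${INTIF:-eth1}"                          # interface facing the LAN
MY_PUBLIC_IP="${MY_PUBLIC_IP:-203.0.113.10}"    # placeholder public address
INTERNAL_NET="${INTERNAL_NET:-172.16.32.0/24}"  # assumed LAN range
SERVER="${SERVER:-172.16.32.2}"                 # internal host from the thread
PORT="${PORT:-443}"
IPT="${IPT:-echo iptables}"

hairpin_rules() {
    # 1. DNAT in PREROUTING with no "-i $EXTIF": a packet from the LAN never
    #    arrives on the external interface, so an interface match would skip it.
    #    "-d $MY_PUBLIC_IP" keeps the rule from catching every outbound :443.
    $IPT -t nat -A PREROUTING -d "$MY_PUBLIC_IP" -p tcp --dport "$PORT" \
        -j DNAT --to-destination "$SERVER:$PORT"

    # 2. Hairpin source NAT: only for clients on the same LAN as the server.
    #    Masquerading the LAN source makes the server reply to the firewall,
    #    which reverses both translations before the reply reaches the client.
    #    Clients arriving from $EXTIF are unaffected by this rule.
    $IPT -t nat -A POSTROUTING -s "$INTERNAL_NET" -d "$SERVER" \
        -p tcp --dport "$PORT" -o "$INTIF" -j MASQUERADE

    # 3. Forwarding permits matched on the translated (internal) address, so
    #    they apply whether the client came in on $EXTIF or $INTIF.
    $IPT -A FORWARD -d "$SERVER" -p tcp --dport "$PORT" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -s "$SERVER" -p tcp --sport "$PORT" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

hairpin_rules
```

Run it once as-is to see the four generated rules, check that none of them carries an "-i" match, then re-run with IPT=/sbin/iptables. The rules are appended with -A, so run them against a chain that has been flushed first or fold them into the existing script.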

----------

## Rooney

Hi 

I'm trying to do this but with no joy, could you give an example?

 *feystorm wrote:*   

>  *Rooney wrote:*   
> 
> > I have a very simple iptables script which allows internal hosts to access the internet and forwards a single port to an internal host.
> > 
> > My problem is that internal hosts are unable to use the external IP address to access the forwarded port (172.16.32.2:443) so that it redirects back into the internal network.
> > 
> > ```
> > ...
> > ```

----------

