6.7.1. IPTABLES-based PORTFWD'ing: Using IPTABLES's PREROUTING option for 2.6.x and 2.4.x kernels
As mentioned before, a port forward or "PORTFW" allows a single or range of TCP/IP ports from the external side of the network to be forwarded into the inside network.
Unlike ALL previous Linux kernels, the 2.6.x and 2.4.x series kernels now allows for full PORTFW, PORTFW FTP, and PORTFW REDIR functionality within the "iptables" tool itself.
NOTE: Once you enable a port forwarder on say port 80 (forward WWW traffic through the MASQ server to an internal WWW server), that port will no longer be used by the Linux IP Masquerade server itself. To be more specific, if you have a WWW server already running on the MASQ server, enabling PORTFW will now give all Internet users acces to the WWW pages from the -INTERNAL- WWW server and not the pages on your IP MASQ server.
To enable port forwarding on an IPTABLES (2.6.x or 2.4.x kernel):
Edit the /etc/rc.d/rc.firewall-iptables ruleset and place the lines shown below just ABOVE the "FWD: Allow all connections OUT and only existing and related ones IN " line (in the "Optional FORWARD section"). Please be sure to replace the word "$EXTIP" with your specific Internet IP address.
NOTE: Unlike the 2.2.x and 2.0.x kernels, PORTFWed traffic does *not* traverse the INPUT or OUTPUT rules. It only traverses the FORWARD rule.
NOTE: If you get a dynamically assigned TCP/IP address from your ISP (PPP, DSL, Cablemodems, etc.), you CANNOT load this strong ruleset upon booting. You will either need to reload this firewall ruleset EVERY TIME you get a new IP address or make your /etc/rc.d/rc.firewall-ipchains-stronger ruleset more intelligent. To do this for various types of connections such as PPP or DHCP users, please see the Section 7.8 FAQ entry for all the details.
/etc/rc.d/rc.firewall-*
  Â
#echo "Enabling PORTFW Redirection on the external LAN.."
#
# This will forward ALL port 80 traffic from the external IP address
# to port 80 on the 192.168.0.10 machine
#
# Be SURE that when you add these new rules to your rc.firewall-*, you
# add them before a direct or implict DROP or REJECT.
#
PORTFWIP="192.168.0.10"
# NOTE: If you are using the basic rc.firewall-iptables ruleset, you
# will need to enable the following EXTIP option. Users of the
# rc.firewall-iptables-stronger ruleset already have this defined.
#
# *PLEASE* look over the rc.firewall-iptables-stronger ruleset for more
# specific issues regarding dynamic vs. static IP addresses
#
#
# Determine the external IP automatically:
# ----------------------------------------
#
# The following line will determine your external IP address. This
# line is somewhat complex and confusing but it will also work for
# all NON-English Linux distributions:
#
# DISABLED by default -- to enable, REMOVE both the "#" characters below
#
#EXTIP="'$IFCONFIG $EXTIF | $AWK \
#/$EXTIF/'{next}//{split($0,a,":") ;split(a[2],a," ") ;print a[1];exit}''"
# Allow forwarding of new and existing port 80 connections from the external
# interface. This rule is required as our default FORWARD policy is DENY.
#
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 80 -m state \
--state NEW,ESTABLISHED,RELATED -j ACCEPT
#Enable PORTFW of this port 80 traffic from the external interface
#
$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 80 -m state \
--state NEW,ESTABLISHED,RELATED -j DNAT --to $PORTFWIP:80
That's it! Just re-run your /etc/rc.d/rc.firewall-iptables ruleset and test it out! If you would like to learn more about this, please see the Section 7.19
--------------------------------------------------------------------------
Running the
* License
