Mark wrote:
Joe wrote:
Mark wrote:
Hello,
I just installed a new Debian lenny server and now I am trying to
forward all HTTP requests from my old Debian etch installation to the new
one. The statement I used was the following:
iptables -t nat -A PREROUTING -p tcp --dport http -j DNAT \
--to-destination <ip>:80
iptables -t nat -L gives the following:
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:www to:<ip>:80
I'm not getting redirected when I try to access the server via a
web browser.
Do you also have the appropriate forwarding rule? My understanding is
that after PREROUTING, a packet is submitted to the appropriate main
path, in this case, the FORWARD one.
Otherwise, the rule seems structurally similar to one of mine forwarding
ssh, apart from mine also filtering by input interface and destination
IP address to avoid ambiguity. The important bits are the same.
If all else fails, stick in a few logging rules in appropriate places, a
bit like 'print' statements while debugging programs.
Thank you for the answer.
Do you have a sample?
Here are the relevant couple of fragments. There's more filtering than
you would need as this is to forward to a LAN ssh server which is
addressed on a non-standard port, another ssh server runs on the
firewall itself, and I use outbound ssh to various destinations. This
wouldn't apply to your situation. Note that the forwarding rule uses the
IP address and port as already rewritten by the PREROUTING rule.
.
SSHsrv=$LANNet"101"
SSHin2="xxxxx"
.
iptables -N fwd-in-OK
iptables -A fwd-in-OK -p tcp --dport 22 -d $SSHsrv -j LOG --log-level debug --log-prefix "SSH internal accepted:"
iptables -A fwd-in-OK -p tcp --dport 22 -d $SSHsrv -j ACCEPT
.
.
.
.
# Accept outbound forwarded packets as listed in fwd-out-OK
iptables -A FORWARD -i $LanIF -j fwd-out-OK
# Accept inbound forwarded packets as listed in fwd-in-OK
iptables -A FORWARD -i $InetIF -j fwd-in-OK
.
.
iptables -t nat -A PREROUTING -p tcp -i $InetIF -d $ExtIP --dport $SSHin2 -j DNAT --to-destination $SSHsrv:22
.
--
Joe
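
Added example, not part of the original thread: a small check of the point made above, that the filter table has to accept the address and port as already rewritten by the PREROUTING DNAT rule. It reads iptables-save output; the function names, interface name and addresses are constructed for illustration, and the sample assumes a FORWARD policy of DROP.

```shell
#!/bin/sh
# Added example (not from the thread). For every DNAT rule in iptables-save
# output, report whether the filter table ACCEPTs the rewritten ip:port.
# Simplification: only exact "-d ip --dport port -j ACCEPT" rules outside
# INPUT/OUTPUT count, and chain reachability from FORWARD is not traced.
check_dnat_forward() {
    awk '
    /^\*/ { table = substr($0, 2); next }           # "*nat", "*filter", ...
    table == "filter" && /^:FORWARD / { policy = $2 }
    /^-A / {
        dst = dport = target = todest = ""
        for (i = 1; i < NF; i++) {
            if ($i == "-d") dst = $(i + 1)
            else if ($i == "--dport") dport = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
            else if ($i == "--to-destination") todest = $(i + 1)
        }
        sub(/\/32$/, "", dst)
        if (table == "nat" && target == "DNAT" && todest != "") {
            # DNAT without a port keeps the original destination port
            if (todest !~ /:/) todest = todest ":" dport
            want[todest] = 1
        }
        if (table == "filter" && target == "ACCEPT" && $2 != "INPUT" && $2 != "OUTPUT")
            have[dst ":" dport] = 1
    }
    END {
        for (t in want) {
            if (policy == "ACCEPT" || (t in have)) print "OK " t
            else { print "NO-MATCH " t; rc = 1 }
        }
        exit rc + 0
    }'
}

# Constructed sample: an ssh forward with its FORWARD-side ACCEPT, and an
# http forward that has only the DNAT rule.
sample_ruleset() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 203.0.113.5/32 -i eth0 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.1.101:22
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.0.2.80:80
COMMIT
*filter
:FORWARD DROP [0:0]
:fwd-in-OK - [0:0]
-A FORWARD -i eth0 -j fwd-in-OK
-A fwd-in-OK -d 192.168.1.101/32 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

sample_ruleset | check_dnat_forward || echo "review NO-MATCH entries"
```

On a live firewall the same function can be fed with `iptables-save | check_dnat_forward`; a NO-MATCH line means no exact ACCEPT was found and the rule set needs a manual look, since broader ACCEPT rules are not recognised.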