port forwarding thru iptables

Ruben Laban r.laban at ism.nl
Tue Dec 23 08:47:47 UTC 2008

On Tuesday 23 December 2008 at 09:25 (CET), Luca Ferrari wrote:
> I've got a problem doing a port forwarding, in the meantime I've used an
> ssh forwarding but I'd like to solve it thru iptables. The scenario is
> this: I've got a firewall that protects a server that exposes web services,
> I'd like to redirect each connection to the firewall on the port 3663 to
> the port 80 of the web server, so I added the following rules in my
> iptables configuration:
> $IPTABLES -A INPUT   -p tcp -d $FIREWALL            --dport 3663   -j

It won't reach the INPUT chain...

> $IPTABLES -t nat -A PREROUTING  -p tcp -d $FIREWALL --dport 3663   
> -j DNAT -- to $WEB_SERVER:80

... because it gets DNAT'ed to another box. It thus hits the FORWARD chain 
instead of the INPUT chain (in the filter table).
You need something like:

$IPTABLES -A FORWARD -p tcp -d $WEB_SERVER --dport 80 -j ACCEPT

> however I cannot connect to the web server (I tested with telnet). There
> are no other rules that block the connection (I guess) since it works out
> of the box with an ssh port forwarding, so what is wrong with the above
> configuration?


More information about the ubuntu-users mailing list