port forwarding thru iptables

Rashkae ubuntu at tigershaunt.com
Tue Dec 23 15:00:33 UTC 2008


Luca Ferrari wrote:
> Hi all,
> I've got a problem doing a port forwarding, in the meantime I've used an ssh 
> forwarding but I'd like to solve it thru iptables. The scenario is this: I've 
> got a firewall that protects a server that exposes web services, I'd like to 
> redirect each connection to the firewall on the port 3663 to the port 80 of 
> the web server, so I added the following rules in my iptables configuration:
> 
> $IPTABLES -A INPUT   -p tcp -d $FIREWALL            --dport 3663   -j ACCEPT
> $IPTABLES -t nat -A PREROUTING  -p tcp -d $FIREWALL --dport 3663   -j DNAT --to $WEB_SERVER:80
> 
> however I cannot connect to the web server (I tested with telnet). There are 
> no other rules that block the connection (I guess) since it works out of the 
> box with an ssh port forwarding, so what is wrong with the above 
> configuration?
> 

If your Firewall has a FORWARD Policy of DROP, you will have to open a
FORWARD rule for this.

iptables -I FORWARD -p tcp -d $WEB_SERVER --dport 80 -j ACCEPT

Also, your Firewall computer needs to have IP4 FORWARD enabled in
general.  (Usually disabled by default)

cat /proc/sys/net/ipv4/ip_forward

that should return 1.  I'm not sure the proper way to change this in
Ubuntu, but in a pinch: echo "1" > /proc/sys/net/ipv4/ip_forward  in
your /etc/rc.local will work.

And finally, the web server needs to be able to reply to internet
addresses.  It needs to have a default gateway configured that will
provide internet NAT.  (If you can ping websites from the Webserver,
then this is probably configured).  If, however, you prefer the
webserver to be completely isolated from the net and unable to connect
to Internet, you need to SNAT the packets as well as DNAT.
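The three points above (a FORWARD accept rule, kernel forwarding, and optional SNAT for an isolated web server) combined into one rule set, as an added example that is not part of this thread. The addresses, the `DRY_RUN` and `ISOLATED` switches and the helper names are constructed placeholders; with `DRY_RUN=yes` (the default) the commands are printed rather than applied.

```shell
#!/bin/sh
# Constructed example: forward firewall:3663 to web_server:80 with iptables.
FIREWALL="${FIREWALL:-203.0.113.10}"     # placeholder public address of the firewall
WEB_SERVER="${WEB_SERVER:-192.168.1.20}" # placeholder internal address of the web server
FWD_PORT="${FWD_PORT:-3663}"
ISOLATED="${ISOLATED:-no}"   # yes = web server has no default gateway via the firewall
IPTABLES="${IPTABLES:-iptables}"
DRY_RUN="${DRY_RUN:-yes}"    # yes = print the rules instead of executing them

run() {
    if [ "$DRY_RUN" = yes ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

port_forward_rules() {
    # 1. Rewrite the destination before the routing decision (nat/PREROUTING).
    run -t nat -A PREROUTING -p tcp -d "$FIREWALL" --dport "$FWD_PORT" \
        -j DNAT --to-destination "$WEB_SERVER:80"
    # 2. DNAT'ed packets traverse FORWARD, not INPUT, so an INPUT rule for 3663
    #    does nothing here; with a FORWARD policy of DROP both directions need ACCEPT.
    run -A FORWARD -p tcp -d "$WEB_SERVER" --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
    run -A FORWARD -p tcp -s "$WEB_SERVER" --sport 80 -m state --state ESTABLISHED -j ACCEPT
    # 3. Only when the web server cannot route replies out itself: also SNAT, so
    #    replies go back to the firewall (the web server then only ever sees the firewall).
    if [ "$ISOLATED" = yes ]; then
        run -t nat -A POSTROUTING -p tcp -d "$WEB_SERVER" --dport 80 -j SNAT --to-source "$FIREWALL"
    fi
}

# Returns 0 when kernel forwarding is on. The persistent way on Ubuntu is
# net.ipv4.ip_forward=1 in /etc/sysctl.conf; 'sysctl -w net.ipv4.ip_forward=1' applies it now.
check_ip_forward() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ]
}

if [ "$DRY_RUN" = yes ]; then
    port_forward_rules
    check_ip_forward || echo "# warning: ip_forward is 0, forwarding will not work"
fi
```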
