
#1 2013-03-16 11:15:19

totokaka
Member
Registered: 2012-12-03
Posts: 26

Use iptables on DMZ server to port forward

Hello!
My ISP has this great idea that we have to go to their site to do port forwarding and change settings on the router/modem, so I was thinking of just setting one of my servers as a DMZ and doing port forwarding with iptables on that server.
The problem is that I can't find out how I can make packets coming in on one port go out to another IP in the LAN.
Here is my network setup:
1. Combined router, modem and wireless AP.
2. Apple AirPort Express connected to the Wifi.
3. Switch connected to the AirPort Express with ethernet.
4. Two servers connected to the switch (also with ethernet).

The two servers have IP addresses 192.168.2.3 and 192.168.2.4, and I have set up 192.168.2.3 as DMZ.
How do I use iptables to route connections that are coming to 2.3 on a specific port to 2.4?

Offline

#2 2013-03-16 11:39:24

hunterthomson
Member
Registered: 2008-06-22
Posts: 794
Website

Re: Use iptables on DMZ server to port forward

Well, I have kind of turned into an arno-iptables-firewall fanboy. I mean really, you can read through the script in /usr/sbin/arno-iptables-firewall. Super well commented and written very well. It covers all your bases.

You will want to use the updated package listed in the comments.
http://dl.dropbox.com/u/1367726/arno-ip … all.tar.gz

You will also want the SystemD Unit file
https://aur.archlinux.org/packages/syst … -firewall/

To do NAT and Port-Forwarding... basically just read through the whole firewall.conf and when you hit the bottom you're done.

But really, you just need to change these things.

/etc/arno-iptables-firewall/firewall.conf

Line #41, put your Internet facing interfaces here.
Line #46, Probably want to set this to '1' because it sounds like the server does get its IP from DHCP... but that is a bad idea because it needs to have the same IP all the time... so maybe leave it disabled '0'
Line #87, Put your LAN facing interfaces here
Line #94, Put the LAN network here. So, if your Internet facing network is 192.168.2.0/24 you could make the LAN 192.168.4.0/24
Line #140, Change this to '1' to enable NAT for your LAN
Line #162, Change this to '1' to enable Port-Forwarding
Line #193-195, Here is where you define your port-forwards,
Example: Forward TCP port 22 to host 192.168.4.55 and TCP port 80 to 192.168.4.66
--> Line 193, NAT_FORWARD_TCP="22>192.168.4.55 80>192.168.4.66"

Then open port 22 and 80 on the WAN side so they 'can' be forwarded.
Line #1170, OPEN_TCP="22 80"

You should also check out the configs in the plugins directory. This is where you get your money's worth...
ssh-brute-force-protection.conf
ids-protection.conf
traffic-shaper.conf
ipv6-over-ipv4.conf
traffic-accounting.conf
transparent-proxy.conf
multiroute.conf
ipsec-vpn.conf
And More !!!

Last edited by hunterthomson (2013-03-16 11:46:15)


OpenBSD-current Thinkpad X230, i7-3520M, 16GB CL9 Kingston, Samsung 830 256GB
Contributor: linux-grsec

Offline

#3 2013-03-16 11:47:42

totokaka
Member
Registered: 2012-12-03
Posts: 26

Re: Use iptables on DMZ server to port forward

Thanks for the answer. But it seems like you missed that the server is only connected to the LAN, never to the internet.

Offline

#4 2013-03-16 23:41:39

hunterthomson
Member
Registered: 2008-06-22
Posts: 794
Website

Re: Use iptables on DMZ server to port forward

You said that instead of doing a port-forward on the router/modem every time you are just going to set one of your servers as a DMZ and then forward ports from there to the rest of your servers.

So, whatever port is facing the router/modem is effectively the Internet facing port.

Another way to go would be to mail your ISP's modem back to them and buy your own. You are most likely paying a rental fee for your modem anyway.

Last edited by hunterthomson (2013-03-16 23:45:33)


OpenBSD-current Thinkpad X230, i7-3520M, 16GB CL9 Kingston, Samsung 830 256GB
Contributor: linux-grsec

Offline

#5 2013-03-17 07:11:28

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,217
Website

Re: Use iptables on DMZ server to port forward

You need to not only DNAT the incoming traffic, you'll need to SNAT it as well otherwise you will end up with asynchronous routing issues.

Having said that, NAT on NAT, especially NAT-on-(DNAT and SNAT), is nasty and leads to all kinds of messes. It's not worth the effort IMHO (except for the learning outcomes).

Offline
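The DNAT-plus-SNAT pair fukawi2 describes, written out for the setup in the first post (DMZ host 192.168.2.3 forwarding a TCP port to 192.168.2.4) as an added example, not code from any poster. The interface name eth0 and the use of a single NIC on the DMZ host are assumptions; the rule generator is kept separate from the root-only apply step so the rules can be inspected first.

```shell
#!/bin/sh
# Added example: generate and apply a DNAT + SNAT port forward on the DMZ host.
# Assumed layout: single NIC (eth0) on the DMZ host 192.168.2.3, target 192.168.2.4.
set -e

# Print the iptables commands for one TCP forward.
# $1 = interface facing the router, $2 = DMZ host IP, $3 = public port,
# $4 = target host IP, $5 = target port
forward_rules() {
    ifc=$1; dmz=$2; port=$3; target=$4; tport=$5
    # DNAT in PREROUTING: packets arriving for $dmz:$port are rewritten to $target:$tport.
    echo "iptables -t nat -A PREROUTING -i $ifc -p tcp --dport $port -j DNAT --to-destination $target:$tport"
    # FORWARD chain: only the forwarded flow and its replies are allowed through (policy may be DROP).
    echo "iptables -A FORWARD -i $ifc -o $ifc -p tcp -d $target --dport $tport -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $ifc -o $ifc -p tcp -s $target --sport $tport -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # SNAT in POSTROUTING: the target sees $dmz as the client, so its replies return via this host
    # and conntrack can undo both translations. Without it the target answers the real client
    # directly through the router, which never saw the forward (asymmetric routing), and the
    # connection stalls. Caveat: the target's logs now record $dmz, not the real client IP.
    echo "iptables -t nat -A POSTROUTING -o $ifc -p tcp -d $target --dport $tport -j SNAT --to-source $dmz"
}

# Enable forwarding and apply the rules (requires root).
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1
    forward_rules "$@" | sh -e
}

# Usage: ./forward.sh apply   (anything else just prints the rules)
if [ "${1:-}" = "apply" ]; then
    apply_rules eth0 192.168.2.3 80 192.168.2.4 80
else
    forward_rules eth0 192.168.2.3 80 192.168.2.4 80
fi
```

Review the printed rules before applying, and pair them with a restrictive FORWARD policy; the forward rules above admit only the one translated flow.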
