
I am trying to forward all the incoming internet/LAN requests on port 80 to my local machine (running Apache). My current iptables rules work (they forward incoming internet traffic to my desktop), but if I try to access it from my local network it won't work.

The interface connecting my Ubuntu server to the internet is ppp0 (a dialed DSL connection through my router, which is in bridge mode), which runs over eth0; eth1 is connected to my internal LAN.

iptables -t nat -A POSTROUTING -s 192.168.2.0/255.255.255.0 -o ppp0 -j MASQUERADE
iptables -A INPUT -i ppp0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

#port forwarding
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to-destination 192.168.2.2:80
iptables -A FORWARD -i ppp0 -p tcp --dport 80 -j ACCEPT

I also tested with

iptables -t nat -A PREROUTING -i lo -p tcp --dport 80 -j DNAT --to-destination 192.168.2.2:80

No luck there either.

What I was able to gather so far (via logs) is that accessing the external server IP directly from the LAN goes straight to eth1, which is understandable (I think).

So what I need now (I guess) is a rule that will forward the LAN traffic on eth1 without interfering with the ppp0 PREROUTING rule (as forwarding all the incoming traffic on eth1 to my local machine will break the internet connection).

  • It is a bit difficult to follow your problem description. You have an Ubuntu server connected to the router? And you wish to use iptables to only forward incoming connections to port 80?
    – bbaja42
    Commented Jul 2, 2011 at 14:53
  • Yeah, pretty much. The "basic" port forwarding works (incoming internet traffic on port 80 is getting forwarded properly), but when I type my external IP into the browser, the connection won't be forwarded and I just see the error screen.
    – Stef
    Commented Jul 2, 2011 at 15:04
  • Idea 1: try accessing your external IP through a proxy. Idea 2: include logging in the iptables rules.
    – bbaja42
    Commented Jul 2, 2011 at 15:17
  • Good idea with the proxy. Well, as I stated above, the traffic gets forwarded properly (I can see my Apache website through the proxy), but I simply can't access it via my external IP; the problem must be in my iptables port forwarding (in the code above) :(
    – Stef
    Commented Jul 2, 2011 at 18:48
  • Could it be that when you are accessing the external IP you are actually using the loopback interface? If so, adding lo to the port forwarding might solve the issue.
    – bbaja42
    Commented Jul 2, 2011 at 19:10

1 Answer


I think you are missing SNAT. Without SNAT the source IP still points to the computer on the local network, and the return packets are sent directly to that source computer, which discards them as invalid. With external computers this is not a problem, as the NAT is usually set up on the default gateway computer.

Try adding

iptables -t nat -A POSTROUTING -p tcp -d 192.168.2.2 --dport 80 -j SNAT --to-source 192.168.2.1

  • That iptables rule doesn't get accepted; are you sure you can use -d and --dport in the POSTROUTING table?
    – Stef
    Commented Jul 8, 2011 at 12:16
  • I would say this rule modifies all packets going to 192.168.2.2 port 80 to set their source address to our interface IP. When they come back, the original source IP is automatically reverted.
    Commented Jul 8, 2011 at 13:08
  • What is also a bit difficult to say is whether this "browser" or "local network" is the Linux router, the webserver machine or a third machine on the same network, e.g. 192.168.2.3.
    Commented Jul 8, 2011 at 13:12
  • Your port-forwarding rules:
    iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to-destination 192.168.2.2:80
    iptables -A FORWARD -i ppp0 -p tcp --dport 80 -j ACCEPT
    specify the incoming interface as ppp0. This is not the case for a connection coming from the local network on eth1. If you wish to connect to the router IP 192.168.2.1, add:
    iptables -t nat -A PREROUTING -i eth1 -p tcp -d 192.168.2.1 --dport 80 -j DNAT --to-destination 192.168.2.2:80
    Commented Jul 8, 2011 at 13:13
  • OK, I finally managed to find some time to try the last rule:
    iptables -t nat -A PREROUTING -i eth1 -p tcp -d 192.168.2.1 --dport 80 -j DNAT --to-destination 192.168.2.2:80
    This doesn't work (according to iptables -t nat -L -v the packets get changed, so the rule actually "works"), but I still get only an error in my web browser :(
    – Stef
    Commented Jul 9, 2011 at 17:12
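As an added illustration (not code from the question or the answer), the following Python walk-through models the two packet paths the answer describes: with DNAT alone, the server's reply goes straight back to the LAN client from 192.168.2.2:80 and the client rejects it, because it opened a connection to the external address, not to 192.168.2.2; with DNAT plus SNAT, the reply is addressed to the router, which undoes both translations before handing it back. It also checks that an internet client keeps working either way. The external address 203.0.113.10, the LAN client 192.168.2.3 and the internet client 198.51.100.7 are assumed placeholder values; 192.168.2.1 and 192.168.2.2 are taken from the thread. Two deliberate differences from the rules in the thread: the DNAT matches the external address that the browser is actually connecting to rather than the router's LAN address, and the SNAT is limited to sources in 192.168.2.0/24 so that internet clients keep their real source address in Apache's logs.

```python
"""Hairpin-NAT (NAT loopback) packet walk for the setup in the question.

The router rules this model corresponds to (addresses as assumed below):

    # DNAT: whatever arrives for the external address on :80 goes to the server
    iptables -t nat -A PREROUTING -p tcp -d 203.0.113.10 --dport 80 \
        -j DNAT --to-destination 192.168.2.2:80
    # SNAT only for LAN clients, so internet clients keep their real source IP
    iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -d 192.168.2.2 -p tcp --dport 80 \
        -j SNAT --to-source 192.168.2.1
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, Optional

# Constructed addresses; the external and internet addresses are documentation
# (TEST-NET) placeholders, not real hosts.
LAN = ip_network("192.168.2.0/24")
ROUTER_LAN = "192.168.2.1"      # router's eth1 address (from the thread)
ROUTER_WAN = "203.0.113.10"     # router's ppp0 address (assumed)
SERVER = "192.168.2.2"          # the Apache box (from the thread)
LAN_CLIENT = "192.168.2.3"      # a third LAN host (assumed)
WAN_CLIENT = "198.51.100.7"     # a client on the internet (assumed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self) -> "Packet":
        """The packet the receiver sends back: addresses and ports swapped."""
        return Packet(self.dst, self.dport, self.src, self.sport)


class Router:
    """Minimal model of the nat table plus the conntrack entries it creates."""

    def __init__(self, snat_hairpin: bool):
        self.snat_hairpin = snat_hairpin
        # reply tuple as the server will send it -> original untranslated request
        self.conntrack: Dict[Packet, Packet] = {}

    def translate_request(self, pkt: Packet) -> Packet:
        original = pkt
        # PREROUTING DNAT: match the *external* address, the one typed in the browser
        if pkt.dst == ROUTER_WAN and pkt.dport == 80:
            pkt = replace(pkt, dst=SERVER)
        # POSTROUTING SNAT: only for LAN-originated connections to the server
        if (self.snat_hairpin and pkt.dst == SERVER and pkt.dport == 80
                and ip_address(pkt.src) in LAN):
            pkt = replace(pkt, src=ROUTER_LAN)
        self.conntrack[pkt.reply()] = original
        return pkt

    def translate_reply(self, pkt: Packet) -> Optional[Packet]:
        """Undo both translations for a reply that matches a conntrack entry."""
        original = self.conntrack.get(pkt)
        return original.reply() if original else None


def server_reply_goes_via_router(reply: Packet) -> bool:
    """A same-subnet destination is delivered directly on the eth1 segment;
    anything else (or the router's own address) goes to the default gateway."""
    return ip_address(reply.dst) not in LAN or reply.dst == ROUTER_LAN


def connection_succeeds(client: str, snat_hairpin: bool) -> bool:
    """Does the client get a reply from the exact tuple it connected to?"""
    router = Router(snat_hairpin)
    request = Packet(client, 40000, ROUTER_WAN, 80)
    at_server = router.translate_request(request)
    reply = at_server.reply()
    if server_reply_goes_via_router(reply):
        reply = router.translate_reply(reply)
    # The client's TCP stack only has a socket for the tuple it opened; a reply
    # arriving from 192.168.2.2:80 instead of the external IP gets a RST.
    return reply == request.reply()


if __name__ == "__main__":
    for client in (LAN_CLIENT, WAN_CLIENT):
        for snat in (False, True):
            status = "OK" if connection_succeeds(client, snat) else "FAIL"
            print(f"{client:>14} snat={snat!s:5} -> {status}")
```

Running it shows the LAN client failing without SNAT and succeeding with it, while the internet client succeeds in both cases, which matches what the thread reports: the ppp0-only forwarding works from outside (and through a proxy), but a LAN browser pointed at the external IP only ever sees an error. On the real router you can confirm which path a reply took with `conntrack -L` or by watching counters with `iptables -t nat -L -v`.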
