More iptables questions

Patrick Fleming EA plug-discuss@lists.plug.phoenix.az.us
Tue, 4 Jun 2002 14:54:41 -0700 (MST)


On Tue, 4 Jun 2002, Carl Parrish wrote:

> Thank you all for your help with iptables. 
> Now a new question. 
> If you want to do port forwarding do you have to accept it on the INPUT chain?? 
> So in syntax I think what I'm asking is this
> if I do 
> # --dport takes two dashes and requires a protocol (-p tcp) to be given
> iptables -A FORWARD -p tcp -i $ext --dport 8081 -j ACCEPT
> # match the firewall as destination (-d), not source, for incoming connections
> iptables -t nat -A PREROUTING -p tcp -d $FIREWALL --dport 8081 -j DNAT --to $WEBSERVER:80
If I remember the docs (netfilter.samba.org), you only need one of these 
rules. Drop the first rule (FORWARD), I think.

INPUT, OUTPUT, FORWARD are all independent of each other in iptables. 
Use FORWARD only for packets heading through your machine. INPUT is for 
packets coming into localhost, OUTPUT is for packets going from localhost.


Also, forwarding is kernel level. The following command: 
$ cat /proc/sys/net/ipv4/ip_forward
1
should give you 1. If it is 0, then that is your problem. There are a 
couple of places that you could stick that in startup scripts to keep it 
1. Or just (as root; cat will not write the value, echo will)
$ echo 1 > /proc/sys/net/ipv4/ip_forward
every time you want forwarding on.

HTH
> 
> (syntax may be a little off I'm trying to do this "on the fly")
> 
> do I need to add this to the rules?
> 
> iptables -A INPUT -p tcp --dport 8081 -j ACCEPT
> 
> So far I've tried both and haven't gotten it to work but while debugging
> <??> I thought I would find out how it *should* be working.
> 
> Thanks, 
> 
> ________________________________________________
> See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
> 
> PLUG-discuss mailing list  -  PLUG-discuss@lists.plug.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> 

-- 
Patrick Fleming, EA
http://myhdvest.com/patrickfleming
Licensed to represent taxpayers
before Exam, Appeals, and Conference 
divisions of the IRS
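Added example for the scenario in this thread (not from either poster): a
small POSIX sh script that checks the kernel forwarding switch and builds the
DNAT port-forward rule set. Interface eth0, firewall address 203.0.113.10 and
web server 192.168.1.20 are placeholders. Two points it makes explicit: the
INPUT chain is never involved, because DNATed packets are routed through the
box rather than delivered to it, and a FORWARD rule is still needed whenever
the FORWARD chain's policy is DROP; that rule must match the translated
destination (web server, port 80), since FORWARD sees the packet after
PREROUTING has rewritten it.

```shell
#!/bin/sh
# Added example, not from the original thread. All addresses are placeholders
# (203.0.113.0/24 is a documentation range, 192.168.1.0/24 is private).
EXT_IF="${EXT_IF:-eth0}"
FIREWALL="${FIREWALL:-203.0.113.10}"
WEBSERVER="${WEBSERVER:-192.168.1.20}"
PUB_PORT=8081
WEB_PORT=80
IPT="${IPT:-iptables}"   # set IPT="echo iptables" to print instead of apply

# Read the kernel forwarding switch (0 or 1). An optional path argument lets
# the value be read from a substitute file; "missing" means it is unreadable.
ip_forward_state() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    if [ -r "$f" ]; then
        tr -d '[:space:]' < "$f"
    else
        echo missing
    fi
}

# Print the rule set, one iptables command per line:
#   ext  external interface, fw  firewall's public address,
#   web  internal web server, pub public port, priv port on the web server.
port_forward_rules() {
    ext="$1"; fw="$2"; web="$3"; pub="$4"; priv="$5"
    # 1. nat/PREROUTING: rewrite the destination before the routing decision.
    printf '%s\n' "iptables -t nat -A PREROUTING -i $ext -p tcp -d $fw --dport $pub -j DNAT --to-destination $web:$priv"
    # 2. FORWARD runs after DNAT, so match the translated destination and only
    #    let new connections in from the external interface.
    printf '%s\n' "iptables -A FORWARD -i $ext -p tcp -d $web --dport $priv -m conntrack --ctstate NEW -j ACCEPT"
    # 3. FORWARD: replies and related packets for connections already tracked.
    printf '%s\n' "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# How many generated rules touch INPUT. Forwarded traffic never enters INPUT
# on the firewall, so this is always 0; it documents the point from the thread.
input_rule_count() {
    port_forward_rules "$@" | grep -c -- '-A INPUT' || true
}

# Enable forwarding (if needed) and apply the rules with $IPT.
apply_port_forward() {
    [ "$(ip_forward_state)" = 1 ] || sysctl -w net.ipv4.ip_forward=1
    port_forward_rules "$EXT_IF" "$FIREWALL" "$WEBSERVER" "$PUB_PORT" "$WEB_PORT" |
    while IFS= read -r rule; do
        # shellcheck disable=SC2086  # word splitting of the rule is intended
        $IPT ${rule#iptables }
    done
}

# Only touch the live firewall when explicitly asked:
#   RUN_APPLY=1 IPT="echo iptables" sh portfwd.sh   (dry run)
#   RUN_APPLY=1 sudo sh portfwd.sh                  (apply)
if [ "${RUN_APPLY:-0}" = 1 ]; then
    apply_port_forward
fi
```

Run it with IPT="echo iptables" first to see the exact commands; for a
persistent forwarding setting, net.ipv4.ip_forward=1 in /etc/sysctl.conf is
the usual place rather than a startup script.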