Forwarding Ports with iptables


There are situations in which network activity directed at one computer should be handled by another computer, or possibly by another port on the same computer. For these tasks, iptables lets you implement port forwarding, which redirects incoming network traffic to another computer or port.

When to Forward Ports

Port forwarding can be an extremely useful tool in certain situations, including the following:

  • You move a server from one computer to another, but your DNS entries have not yet been properly updated. You can also use port forwarding to temporarily make such a change.

  • You want a server to respond to multiple ports on a single computer. You can set up the system to forward one port to another on the same system. Some servers can listen directly to multiple ports, though, which is often a simpler approach.

  • You want to run an externally accessible server within a NAT-protected network. You can set up the NAT router to forward traffic directed at one of its external ports to an internal system.

This last possibility is a particularly common one when running NAT. Note that this behavior degrades the security advantages of NAT, because you're effectively exposing an internal system (or at least, one of its ports) to the outside. You can also run only one internal server of a given type on its usual port in this way, at least with the IP masquerading form of NAT. (If your NAT router has two external addresses, you can forward ports on both addresses to different internal systems.) If you want to make two internal servers of the same type (such as two Web servers) available to the outside, you'll have to run one on a nonstandard port or obtain some other external IP address.

Setting iptables Port Forwarding Options

There are several different ways to enable port forwarding on a Linux system that provides NAT functions. One is to do it with iptables, using its NAT functionality. To do so, you can type a command similar to the following:

 # iptables -t nat -A PREROUTING -p tcp -i external-interface \
       --destination-port port-num -j DNAT --to dest-addr:port-num

Important features of this command include:

  • The command manipulates the NAT table (-t nat).

  • The -A PREROUTING parameter specifies that changes to packets are to be made prior to routing proper. The basic NAT features operate post-routing, but port forwarding happens prior to routing.

  • The command forwards TCP ports (-p tcp).

  • The rule applies to packets directed at the system's external network interface (-i external-interface) on the specified port (--destination-port port-num).

  • The -j DNAT parameter tells the system that it's performing NAT on the destination (DNAT) rather than the source (SNAT) address.

  • The final parameter, --to dest-addr:port-num, specifies that the packets should be directed to port port-num on dest-addr. For instance, dest-addr might be 192.168.9.33 and port-num might be 80. Note that the port-num used with --to need not be the same as the port-num used with --destination-port.

You can enter several port forwarding commands, as many as necessary to forward any ports that handle servers you want to run internally. As with the basic NAT or firewall configuration, you can create entries in a startup script to run these commands whenever your system starts. You can then leave the configuration alone.
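The forwarding command described above, as an added example that is not from the book: a POSIX shell script that assembles the DNAT rule together with the two companion settings that the rule alone does not provide (IP forwarding enabled in the kernel, and a FORWARD-chain rule narrowed to the one forwarded host and port so the rest of the internal system stays closed). The interface eth0, the address 192.168.9.33 and the port numbers are constructed sample values; redirect_port is an assumed helper covering the same-system case from the list of uses earlier on this page.

```shell
#!/bin/sh
# Added example (not from the book): emit the iptables commands needed to
# forward an external port to an internal host, including two things the
# DNAT rule alone does not do: enable IP forwarding and let the FORWARD
# chain accept the flow. Interfaces, addresses and ports are constructed.
# DRY_RUN=1 (the default) prints the commands instead of running them.

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Accept only a plain integer in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# forward_port EXT_IF EXT_PORT DEST_ADDR DEST_PORT
# The PREROUTING DNAT rule from the text, plus a FORWARD rule limited to that
# one host and port so a DROP policy on FORWARD keeps the rest of the internal
# host closed. Assumes the usual ESTABLISHED,RELATED accept rule already
# exists in FORWARD for the return traffic.
forward_port() {
    ext_if=$1; ext_port=$2; dest_addr=$3; dest_port=$4
    valid_port "$ext_port" && valid_port "$dest_port" || return 1
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A PREROUTING -p tcp -i "$ext_if" \
        --destination-port "$ext_port" -j DNAT --to "$dest_addr:$dest_port"
    run iptables -A FORWARD -p tcp -i "$ext_if" -d "$dest_addr" \
        --destination-port "$dest_port" -m conntrack --ctstate NEW -j ACCEPT
}

# redirect_port EXT_IF FROM_PORT TO_PORT
# Same-system case from the text: a server listening on TO_PORT also answers
# on FROM_PORT, using the REDIRECT target instead of DNAT.
redirect_port() {
    ext_if=$1; from_port=$2; to_port=$3
    valid_port "$from_port" && valid_port "$to_port" || return 1
    run iptables -t nat -A PREROUTING -p tcp -i "$ext_if" \
        --destination-port "$from_port" -j REDIRECT --to-ports "$to_port"
}

# Constructed sample: internal web server 192.168.9.33:80 reached through
# the router's external port 8080.
forward_port eth0 8080 192.168.9.33 80
```

Run with DRY_RUN=0 as root to apply the rules instead of printing them.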

NOTE

There are other tools that can provide port forwarding functionality. In particular, the xinetd super server includes port forwarding features. Because xinetd is a user-space program, though, it's less efficient at port forwarding than is the kernel as configured through iptables.




Advanced Linux Networking
ISBN: 0201774232
Year: 2002
Pages: 203