
Port Forwarding behind router


Ok, if you're behind a router and your DMZ'd box is running Linux (AFAIK a DMZ'd box is a box that the router forwards all external TCP/UDP ports to, plus ICMP), and you want to forward a port from your DMZ'd box to another internal (aka private) IP, this is the tut for you.

iptables -t nat -A PREROUTING -p tcp --dport $Port-to-forward -j DNAT --to-destination $Internal-IP

iptables -t nat -A POSTROUTING -p tcp -d $Internal-IP --dport $Port-to-forward -j SNAT --to-source $DMZ-Internal-IP

Where $Port-to-forward is the port you want forwarded, and $Internal-IP is the Internal IP you want the port forwarded to, and $DMZ-Internal-IP is the DMZ'd box's Internal IP.




# Explanation



What the first command does is, when a packet is received, check whether the destination port is $Port-to-forward, and if it is, change the destination IP in the packet's header from the DMZ'd IP to $Internal-IP.


So now we have a packet with a destination of $Internal-IP and a source of whatever. (So when $Internal-IP wants to send the packet back, it will send it through the gateway with the source IP of whatever, aka the *real* remote IP, and the gateway will send it back to the DMZ'd box, which is $DMZ-Internal-IP.) We're half there.


Now, first of all, the text between the () will not happen once the second command is added. What the second command does is match the packet to see if the destination is $Internal-IP and the destination port is $Port-to-forward; if so, it changes the *source* IP from the remote host to $DMZ-Internal-IP, so the reply comes back to the DMZ'd box so that it can re-route it.


EDIT: The last command sets the default policy of FORWARD to ACCEPT.


And I think you should

echo 1 > /proc/sys/net/ipv4/conf/all/forwarding && echo 1 > /proc/sys/net/ipv4/ip_forward

to enable forwarding.
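As an added example that is not part of the original post, here is the same DNAT/SNAT setup as a small POSIX shell script. It validates the port, prints the rules unless APPLY=1 is set, scopes the SNAT to the LAN interface, and accepts only the forwarded flow in the FORWARD chain instead of setting the chain's default policy to ACCEPT. The variable names, the LAN_IF argument and the sample addresses are assumptions, not from the post.

```shell
#!/bin/sh
# Added example (not the original post's code): forward one TCP port from a
# Linux DMZ host to an internal host with DNAT + SNAT, printing the commands
# unless APPLY=1 is set. Argument names and sample values are assumptions.
set -eu

# Accept only a plain decimal port number in 1..65535.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# forward_rules PORT INTERNAL_IP DMZ_IP LAN_IF
forward_rules() {
  port="$1"
  internal_ip="$2"
  dmz_ip="$3"
  lan_if="$4"
  valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
  run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }
  # Kernel forwarding switch (same effect as the two echo commands above).
  run sysctl -w net.ipv4.ip_forward=1
  # 1. Rewrite the destination of inbound connections to the internal host.
  run iptables -t nat -A PREROUTING -p tcp --dport "$port" \
      -j DNAT --to-destination "$internal_ip"
  # 2. Rewrite the source so replies return through this DMZ host. Caveat:
  #    the internal host then sees and logs the DMZ IP, not the real client.
  run iptables -t nat -A POSTROUTING -o "$lan_if" -p tcp -d "$internal_ip" \
      --dport "$port" -j SNAT --to-source "$dmz_ip"
  # 3. Instead of "-P FORWARD ACCEPT", permit only this flow and its replies.
  run iptables -A FORWARD -p tcp -d "$internal_ip" --dport "$port" \
      -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Constructed sample: forward port 8080 to 192.168.1.20 via DMZ 192.168.1.10.
forward_rules 8080 192.168.1.20 192.168.1.10 eth0
```

Run it as root with APPLY=1 to install the rules; without it the script only prints what it would do.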
