How can I forward the HTTP and SSH port to my internal server using iptables?
I do not have a router, so I made a Linux system (CentOS 6.4) into a router for forwarding the public network traffic to my local LAN. It has two NIC cards: one for the public IP address (eth1) and another for the private IP address (eth2).

I have a server which is connected to my local LAN, suppose 192.168.1.2.

x.x.x.x is the public IP address (this IP address is on eth1).

The Linux system router IP address is, suppose, 192.168.1.1 (this IP address is on eth2).

I want that when someone from any network anywhere uses this, i.e.,

ssh x.x.x.x (public IP address) or using PuTTY

it will go to the server.

I disabled SELinux and the iptables firewall on the server.

I did some iptables modifications on the Linux system router, but it goes to the router itself, not to the main server, both from other networks and from the same network.

iptables -t nat -A PREROUTING -p tcp -d 192.168.1.1 --dport 22 -j DNAT --to-destination 192.168.1.2:22

But it does not work.

And again, I want to forward all the HTTP (80) traffic to my internal server using iptables from the same Linux system router.

What is the solution to this?
ssh iptables routing http port-forwarding
asked Jan 1 '14 at 12:46 by Rahul; edited 2 days ago by Peter Mortensen
  • Can you provide your iptables -L output?

    – Gabriel Talavera
    Jan 1 '14 at 13:12
4 Answers
First of all, make sure packet forwarding is enabled in the kernel:

# echo 1 > /proc/sys/net/ipv4/ip_forward

You can also make it permanent by adding the line below to /etc/sysctl.conf:

net.ipv4.ip_forward = 1

You have to do this on the Linux machine acting as a router. You can try the following rule on the router machine:

iptables -t nat -A PREROUTING -i eth1 -d x.x.x.x -p tcp --dport 22 -j DNAT --to-destination 192.168.1.2:22

Also let us know the output of your NAT rules from the router box:

iptables -t nat -L -n -v
answered Jan 1 '14 at 13:17 by sandeep.s85; edited Oct 20 '16 at 10:23 by Sven
  • Yes, just replace the port number. Use 80 for HTTP

    – sandeep.s85
    Jan 1 '14 at 13:41











  • Hi sandeep, I want one thing: on my server I set up an Apache web server, and I want to access a particular site which is hosted on the server. How can I do this? In the browser, publicip:80/path-to-directory is not accessible. Help me.

    – Rahul
    Jan 1 '14 at 14:17












  • Try to first open the site from your LAN 192.168.1.2/path then see what happens. If you are still facing issues, I suggest opening a new thread with detailed problem description explaining what have you configured with Apache.

    – sandeep.s85
    Jan 1 '14 at 14:29
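A complete, reviewable version of the rule set from the answer above, added here as an example (it is not code from the answer, the question, or any tutorial). It uses the question's eth1/eth2 and 192.168.1.x addresses; 203.0.113.10 is an assumed stand-in for the public IP x.x.x.x, and the LAN is assumed to be a /24. Besides the DNAT it adds what the single rule above leaves out: the FORWARD ACCEPTs that a stock CentOS 6 rule set needs (its FORWARD chain ends in a REJECT, so they are inserted rather than appended), a hairpin rule so LAN hosts can also reach the server through the public IP, and a dry-run mode that prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example (not code from the question or from any answer): a complete
# SSH + HTTP forward for the router described in the question. eth1, eth2 and
# 192.168.1.x are the question's; 203.0.113.10 is an assumed stand-in for the
# public IP x.x.x.x, and the LAN is assumed to be a /24.
set -eu

# Run an iptables command, or just print it when DRY_RUN is set, so the rule
# set can be reviewed (or tested) without touching the live firewall.
run_rule() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

enable_ip_forward() {
    # Without this the kernel drops the DNAT'd packets right after PREROUTING.
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    grep -q '^net.ipv4.ip_forward' /etc/sysctl.conf ||
        echo 'net.ipv4.ip_forward = 1' >>/etc/sysctl.conf
}

# apply_forwarding_rules WAN_IF LAN_IF PUBLIC_IP INTERNAL_IP PORT...
apply_forwarding_rules() {
    wan_if="$1" lan_if="$2" public_ip="$3" internal_ip="$4"
    shift 4
    lan_net="${internal_ip%.*}.0/24"

    # Filter rules are inserted (-I), not appended: the stock CentOS 6 rule set
    # ends the FORWARD chain with a REJECT, so an appended ACCEPT never matches.
    run_rule -I FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    for port in "$@"; do
        # Rewrite the destination of traffic arriving on the public NIC. Match
        # the public IP, not 192.168.1.1 as in the question: a packet addressed
        # to the router's LAN IP is for the router itself and is never forwarded.
        run_rule -t nat -A PREROUTING -i "$wan_if" -d "$public_ip" -p tcp --dport "$port" \
            -j DNAT --to-destination "$internal_ip:$port"
        # Hairpin: LAN clients that connect to the public IP get the same rewrite.
        run_rule -t nat -A PREROUTING -i "$lan_if" -s "$lan_net" -d "$public_ip" -p tcp --dport "$port" \
            -j DNAT --to-destination "$internal_ip:$port"
        # Let only the forwarded port through the FORWARD chain to the server.
        run_rule -I FORWARD -o "$lan_if" -d "$internal_ip" -p tcp --dport "$port" \
            -m conntrack --ctstate NEW -j ACCEPT
    done

    # Hairpinned connections must return via the router; otherwise the server
    # answers the LAN client directly from 192.168.1.2, an address the client
    # never talked to, and the client's TCP stack rejects the reply.
    run_rule -t nat -A POSTROUTING -o "$lan_if" -s "$lan_net" -d "$internal_ip" -j MASQUERADE
    # Ordinary outbound LAN traffic leaves with the public IP as source.
    run_rule -t nat -A POSTROUTING -o "$wan_if" -s "$lan_net" -j MASQUERADE
}

# Review the rules first:    DRY_RUN=1 sh forward.sh apply
# Then apply them as root:   sh forward.sh apply
if [ "${1:-}" = apply ]; then
    [ -n "${DRY_RUN:-}" ] || enable_ip_forward
    apply_forwarding_rules eth1 eth2 203.0.113.10 192.168.1.2 22 80
fi
```

The hairpin MASQUERADE makes connections from the LAN appear to the server as coming from 192.168.1.1; external clients keep their real source address, so sshd logs and any fail2ban-style tooling on 192.168.1.2 still see them. Forwarding port 22 this way exposes the server to the whole internet: restrict the PREROUTING rule with -s to the admin addresses, as the next answer does, or at least disable password authentication on the server.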
Based on this amazing DigitalOcean tutorial about how to forward ports, I decided to re-write it here.

I spent many hours of research on how this works. I'm new to Linux and beginnings aren't always easy. Here is an example of my servers and their port forwarding:

Firewall server (2 NIC cards) - network details:

  • Public IP address: xx.xx.xx.xx

  • Private IP address: yy.yy.yy.yy

  • Public interface: eth0

  • Private interface: eth1

Internal (e.g. ssh, web) server (1 NIC card) - network details:

  • Private IP address: zz.zz.zz.zz

  • Private interface: eth0

Solution:

Enable packet forwarding in the kernel:

echo 1 > /proc/sys/net/ipv4/ip_forward

Define variables:

# Admin IP address (e.g. public home ip)
ADMIN="aa.aa.aa.aa"

# IP addresses of servers (e.g. in cloud):
FW_eth0_ip="xx.xx.xx.xx"
FW_eth1_ip="yy.yy.yy.yy"
WEB_eth0_ip="zz.zz.zz.zz"

# Services:
SSH="22"
HTTP="80"

Iptables port forwarding (with -m conntrack):

iptables -t nat -A PREROUTING -i eth0 -s $ADMIN -d $FW_eth0_ip -p tcp --dport $SSH -j DNAT --to-destination $WEB_eth0_ip
iptables -A FORWARD -i eth0 -o eth1 -p tcp --syn --dport $SSH -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport $SSH -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -p tcp --sport $SSH -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport $SSH -d $WEB_eth0_ip -j SNAT --to-source $FW_eth1_ip

A few notes:

  • "..-s $ADMIN -d $FW_eth0_ip.." (1st row) - added only for security reasons - it means that only the ADMIN IP can access SSH (if not needed, you can delete it)

  • -m conntrack is the same as -m state

  • I recommend changing the default SSH port to another port, like 1xxxx (in /etc/ssh/sshd_config)

  • check the List of TCP and UDP port numbers

  • I use port 15xx1 to access SSH on the Firewall server, and 15xx2 for the Internal one

Terminal:

# access firewall server
$ ssh sancro@xx.xx.xx.xx -p 15xx1

# access internal server
$ ssh sancro@xx.xx.xx.xx -p 15xx2

More details about the rules used are perfectly described in the mentioned tutorial.

That's all from me, hope it will help you.
Although this question is about iptables, in case you also have FirewallD running, here's how to access HTTP of the internal network.

First allow HTTP traffic in your internal server's FirewallD:

# firewall-cmd --permanent --add-service=http

Then forward the HTTP traffic from the external IP to port 80 of the internal IP:

# firewall-cmd --permanent --add-forward-port=port=80:proto=tcp:toaddr=10.0.0.11

The same thing can be done for the SSH service.
First of all, enable routing in the Linux gateway:

echo 1 > /proc/sys/net/ipv4/ip_forward

Then add the following rules with your network interface (i.e., eth1) and desired ports:

iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.2
iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 22 -j DNAT --to 192.168.1.2
iptables -A FORWARD -p tcp -d 192.168.1.2 --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.1.2 --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Check your rules with iptables -L -v; the pkts and bytes columns will show you which rules are being matched.
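The last step above, finding out which rules actually match, can be automated. The script below is an added example (not from the answer or the asker): it reads iptables-save output and, for every DNAT target in nat/PREROUTING, reports targets with no FORWARD ACCEPT at all ("missing") and targets whose ACCEPT was appended after an unconditional REJECT or DROP and is therefore never reached ("shadowed"), which is exactly what happens with `iptables -A FORWARD` on a stock CentOS 6 rule set. The embedded rule set is constructed for the example; 203.0.113.10 is an assumed stand-in for the question's public IP x.x.x.x.

```shell
#!/bin/sh
# Added example (not from any answer): audit "iptables-save" output for the
# usual reasons a forward "does not work" although the nat rule looks right.
# For every DNAT target in nat/PREROUTING it checks that filter/FORWARD has an
# ACCEPT for that ip:port (or a wildcard ACCEPT) that is not placed after an
# unconditional REJECT/DROP. The rule set below is constructed for this
# example; 203.0.113.10 stands in for the question's public IP x.x.x.x.
set -eu

# check_forward_coverage < iptables-save-output
# Prints "<ip:port> missing" or "<ip:port> shadowed" per problem; exit 1 if any.
check_forward_coverage() {
    awk '
    /^\*/ { table = substr($0, 2); next }            # "*nat", "*filter"
    table == "nat" && $1 == "-A" && $2 == "PREROUTING" && /-j DNAT/ {
        dport = ""; to = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "--dport") dport = $(i + 1)
            if ($i == "--to-destination") to = $(i + 1)
        }
        # "--to-destination 192.168.1.2" keeps the original destination port
        if (to != "" && index(to, ":") == 0) to = to ":" dport
        if (to != "") dnat[to] = 1
    }
    table == "filter" && $1 == "-A" && $2 == "FORWARD" {
        target = ""; dst = ""; port = ""; states = "NEW"; specific = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "-j") target = $(i + 1)
            if ($i == "-d") { dst = $(i + 1); sub("/32$", "", dst) }
            if ($i == "--dport") port = $(i + 1)
            if ($i == "--ctstate" || $i == "--state") states = $(i + 1)
            if ($i ~ /^-[iosdpm]$/) specific = 1
        }
        # An unconditional REJECT/DROP shadows every rule appended after it,
        # which is what "iptables -A FORWARD" does on a stock CentOS 6 box.
        if ((target == "REJECT" || target == "DROP") && !specific) catchall = 1
        if (target == "ACCEPT" && states ~ /NEW/) {
            key = (dst != "" && port != "") ? dst ":" port : "*"
            if (!(key in covered)) covered[key] = catchall ? 2 : 1
        }
    }
    END {
        bad = 0
        for (t in dnat) {
            c = (t in covered) ? covered[t] : (("*" in covered) ? covered["*"] : 0)
            if (c == 0)      { print t " missing";  bad = 1 }
            else if (c == 2) { print t " shadowed"; bad = 1 }
        }
        exit bad
    }'
}

# Constructed sample (not captured from the asker's router): port 22 is
# forwarded correctly, the port-80 ACCEPT was appended after the stock REJECT,
# and port 443 has a DNAT but no FORWARD rule at all.
sample_ruleset() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth1 -d 203.0.113.10/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.1.2:22
-A PREROUTING -i eth1 -d 203.0.113.10/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.2
-A PREROUTING -i eth1 -d 203.0.113.10/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.2:443
-A POSTROUTING -s 192.168.1.0/24 -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.1.2/32 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 192.168.1.2/32 -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# On the router:   iptables-save | sh check_forward.sh check
# On the sample:   sh check_forward.sh demo
case "${1:-}" in
    check) check_forward_coverage ;;
    demo)  sample_ruleset | check_forward_coverage ;;
esac
```

The audit only understands the flags iptables-save emits for simple rules (-d, --dport, --ctstate/--state, -j); it does not follow user-defined chains or port ranges, so treat a clean result as necessary rather than sufficient and still confirm with the pkts counters from iptables -L -v -n.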






      share|improve this answer

























        Your Answer








        StackExchange.ready(function()
        var channelOptions =
        tags: "".split(" "),
        id: "2"
        ;
        initTagRenderer("".split(" "), "".split(" "), channelOptions);

        StackExchange.using("externalEditor", function()
        // Have to fire editor after snippets, if snippets enabled
        if (StackExchange.settings.snippets.snippetsEnabled)
        StackExchange.using("snippets", function()
        createEditor();
        );

        else
        createEditor();

        );

        function createEditor()
        StackExchange.prepareEditor(
        heartbeatType: 'answer',
        autoActivateHeartbeat: false,
        convertImagesToLinks: true,
        noModals: true,
        showLowRepImageUploadWarning: true,
        reputationToPostImages: 10,
        bindNavPrevention: true,
        postfix: "",
        imageUploader:
        brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
        contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
        allowUrls: true
        ,
        onDemand: true,
        discardSelector: ".discard-answer"
        ,immediatelyShowMarkdownHelp:true
        );



        );













        draft saved

        draft discarded


















        StackExchange.ready(
        function ()
        StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f564445%2fhow-can-i-forward-the-http-and-ssh-port-to-my-internal-server-using-iptables%23new-answer', 'question_page');

        );

        Post as a guest















        Required, but never shown

























        4 Answers
        4






        active

        oldest

        votes








        4 Answers
        4






        active

        oldest

        votes









        active

        oldest

        votes






        active

        oldest

        votes









        6














        First of all make sure the packet forwarding is enabled in the kernel



        # echo 1 > /proc/sys/net/ipv4/ip_forward


        You can also make it permanent by adding below line to /etc/sysctl.conf



        net.ipv4.ip_forward = 1


        You have to do this on Linux Machine acting as a router. You can try the following rule on router machine.



        iptables -t nat -A PREROUTING -i eth1 -d x.x.x.x -p tcp --dport 22 -j DNAT --to-destination 192.168.1.2:22


        Also let us know the output of your NAT Rules from the router box.



        iptables -t nat -L -n -v





        share|improve this answer

























        • Yes, just replace the port number. Use 80 for HTTP

          – sandeep.s85
          Jan 1 '14 at 13:41











        • Hi, sandeep i want one thing that in my server i made a apache webserver. i want to access the particular site which is hosted on server. how i can do this. on browser publicip:80/path to directory but not accessible.help me.

          – Rahul
          Jan 1 '14 at 14:17












        • Try to first open the site from your LAN 192.168.1.2/path then see what happens. If you are still facing issues, I suggest opening a new thread with detailed problem description explaining what have you configured with Apache.

          – sandeep.s85
          Jan 1 '14 at 14:29















        6














        First of all make sure the packet forwarding is enabled in the kernel



        # echo 1 > /proc/sys/net/ipv4/ip_forward


        You can also make it permanent by adding below line to /etc/sysctl.conf



        net.ipv4.ip_forward = 1


        You have to do this on Linux Machine acting as a router. You can try the following rule on router machine.



        iptables -t nat -A PREROUTING -i eth1 -d x.x.x.x -p tcp --dport 22 -j DNAT --to-destination 192.168.1.2:22


        Also let us know the output of your NAT Rules from the router box.



        iptables -t nat -L -n -v





        share|improve this answer

























        • Yes, just replace the port number. Use 80 for HTTP

          – sandeep.s85
          Jan 1 '14 at 13:41











        • Hi, sandeep i want one thing that in my server i made a apache webserver. i want to access the particular site which is hosted on server. how i can do this. on browser publicip:80/path to directory but not accessible.help me.

          – Rahul
          Jan 1 '14 at 14:17












        • Try to first open the site from your LAN 192.168.1.2/path then see what happens. If you are still facing issues, I suggest opening a new thread with detailed problem description explaining what have you configured with Apache.

          – sandeep.s85
          Jan 1 '14 at 14:29













        6












        6








        6







        First of all make sure the packet forwarding is enabled in the kernel



        # echo 1 > /proc/sys/net/ipv4/ip_forward


        You can also make it permanent by adding below line to /etc/sysctl.conf



        net.ipv4.ip_forward = 1


        You have to do this on Linux Machine acting as a router. You can try the following rule on router machine.



        iptables -t nat -A PREROUTING -i eth1 -d x.x.x.x -p tcp --dport 22 -j DNAT --to-destination 192.168.1.2:22


        Also let us know the output of your NAT Rules from the router box.



        iptables -t nat -L -n -v





        share|improve this answer















        First of all make sure the packet forwarding is enabled in the kernel



        # echo 1 > /proc/sys/net/ipv4/ip_forward


        You can also make it permanent by adding below line to /etc/sysctl.conf



        net.ipv4.ip_forward = 1


        You have to do this on Linux Machine acting as a router. You can try the following rule on router machine.



        iptables -t nat -A PREROUTING -i eth1 -d x.x.x.x -p tcp --dport 22 -j DNAT --to-destination 192.168.1.2:22


        Also let us know the output of your NAT Rules from the router box.



        iptables -t nat -L -n -v






        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited Oct 20 '16 at 10:23









        Sven

        87.6k10148200




        87.6k10148200










        answered Jan 1 '14 at 13:17









        sandeep.s85sandeep.s85

        1,36911226




        1,36911226












        • Yes, just replace the port number. Use 80 for HTTP

          – sandeep.s85
          Jan 1 '14 at 13:41











        • Hi, sandeep i want one thing that in my server i made a apache webserver. i want to access the particular site which is hosted on server. how i can do this. on browser publicip:80/path to directory but not accessible.help me.

          – Rahul
          Jan 1 '14 at 14:17












        • Try to first open the site from your LAN 192.168.1.2/path then see what happens. If you are still facing issues, I suggest opening a new thread with detailed problem description explaining what have you configured with Apache.

          – sandeep.s85
          Jan 1 '14 at 14:29

















        • Yes, just replace the port number. Use 80 for HTTP

          – sandeep.s85
          Jan 1 '14 at 13:41











        • Hi, sandeep i want one thing that in my server i made a apache webserver. i want to access the particular site which is hosted on server. how i can do this. on browser publicip:80/path to directory but not accessible.help me.

          – Rahul
          Jan 1 '14 at 14:17












        • Try to first open the site from your LAN 192.168.1.2/path then see what happens. If you are still facing issues, I suggest opening a new thread with detailed problem description explaining what have you configured with Apache.

          – sandeep.s85
          Jan 1 '14 at 14:29
















        Yes, just replace the port number. Use 80 for HTTP

        – sandeep.s85
        Jan 1 '14 at 13:41





        Yes, just replace the port number. Use 80 for HTTP

        – sandeep.s85
        Jan 1 '14 at 13:41













        Hi, sandeep i want one thing that in my server i made a apache webserver. i want to access the particular site which is hosted on server. how i can do this. on browser publicip:80/path to directory but not accessible.help me.

        – Rahul
        Jan 1 '14 at 14:17






        Hi, sandeep i want one thing that in my server i made a apache webserver. i want to access the particular site which is hosted on server. how i can do this. on browser publicip:80/path to directory but not accessible.help me.

        – Rahul
        Jan 1 '14 at 14:17














        Try to first open the site from your LAN 192.168.1.2/path then see what happens. If you are still facing issues, I suggest opening a new thread with detailed problem description explaining what have you configured with Apache.

        – sandeep.s85
        Jan 1 '14 at 14:29





        Try to first open the site from your LAN 192.168.1.2/path then see what happens. If you are still facing issues, I suggest opening a new thread with detailed problem description explaining what have you configured with Apache.

        – sandeep.s85
        Jan 1 '14 at 14:29













        2














        Based on this amazing DigitalOcean's tutorial about how to forward ports, I decided to re-write it here.



        I spent many hours of research about how this works.. I'm new to linux and beginnings aren't always easy.. Here is example of my servers and it's port forwarding:



        Firewall server (2 NIC cards) - network details:



        • Public IP address: xx.xx.xx.xx

        • Private IP address: yy.yy.yy.yy

        • Public interface: eth0

        • Private interface: eth1

        Internal (e.g. ssh, web) server (1 NIC card) - network details:



        • Private IP address: zz.zz.zz.zz

        • Private interface: eth0

        Solution:



        Enable packet forwarding in kernel:



        echo 1 > /proc/sys/net/ipv4/ip_forward


        Define variables:



        # Admin IP address (e.g. public home ip)
        ADMIN="aa.aa.aa.aa"

        # IP addresses of servers (e.g. in cloud):
        FW_eth0_ip="xx.xx.xx.xx"
        FW_eth1_ip="yy.yy.yy.yy"
        WEB_eth0_ip="zz.zz.zz.zz"

        # Services:
        SSH="22"
        HTTP="80"


        Iptables port forwarding (with -m conntrack):



        iptables -t nat -A PREROUTING -i eth0 -s $ADMIN -d $FW_eth0_ip -p tcp --dport $SSH -j DNAT --to-destination $WEB_eth0_ip
        iptables -A FORWARD -i eth0 -o eth1 -p tcp --syn --dport $SSH -m conntrack --ctstate NEW -j ACCEPT
        iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport $SSH -m conntrack --ctstate ESTABLISHED -j ACCEPT
        iptables -A FORWARD -i eth1 -o eth0 -p tcp --sport $SSH -m conntrack --ctstate ESTABLISHED -j ACCEPT
        iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport $SSH -d $WEB_eth0_ip -j SNAT --to-source $FW_eth1_ip


        Few notes:



        • "..-s $ADMIN -d $FW_eth0_ip.." (1st row) - added only for security reasons - it means that only ADMIN IP can access SSH (if not needed you can delete it)


        • -m conntrack is the same as -m state

        • I recommend to change default port of SSH to another port, like 1xxxx (in /etc/ssh/sshd_config)

        • check List of TCP and UDP port numbers

        • I use port 15xx1 to access SSH on Firewall server, and 15xxx2 the Internal

        Terminal:



        # access firewall server
        $ ssh sancro@xx.xx.xx.xx -p 15xx1

        # access internal server
        $ ssh sancro@xx.xx.xx.xx -p 15xx2


        More details about used rules are perfectly described in mentioned tutorial.



        That's all from me, hope it will help you.






        share|improve this answer





























          2














          Based on this amazing DigitalOcean's tutorial about how to forward ports, I decided to re-write it here.



          I spent many hours of research about how this works.. I'm new to linux and beginnings aren't always easy.. Here is example of my servers and it's port forwarding:



          Firewall server (2 NIC cards) - network details:



          • Public IP address: xx.xx.xx.xx

          • Private IP address: yy.yy.yy.yy

          • Public interface: eth0

          • Private interface: eth1

          Internal (e.g. ssh, web) server (1 NIC card) - network details:



          • Private IP address: zz.zz.zz.zz

          • Private interface: eth0

          Solution:



          Enable packet forwarding in kernel:



          echo 1 > /proc/sys/net/ipv4/ip_forward


          Define variables:



          # Admin IP address (e.g. public home ip)
          ADMIN="aa.aa.aa.aa"

          # IP addresses of servers (e.g. in cloud):
          FW_eth0_ip="xx.xx.xx.xx"
          FW_eth1_ip="yy.yy.yy.yy"
          WEB_eth0_ip="zz.zz.zz.zz"

          # Services:
          SSH="22"
          HTTP="80"


          Iptables port forwarding (with -m conntrack):



          iptables -t nat -A PREROUTING -i eth0 -s $ADMIN -d $FW_eth0_ip -p tcp --dport $SSH -j DNAT --to-destination $WEB_eth0_ip
          iptables -A FORWARD -i eth0 -o eth1 -p tcp --syn --dport $SSH -m conntrack --ctstate NEW -j ACCEPT
          iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport $SSH -m conntrack --ctstate ESTABLISHED -j ACCEPT
          iptables -A FORWARD -i eth1 -o eth0 -p tcp --sport $SSH -m conntrack --ctstate ESTABLISHED -j ACCEPT
          iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport $SSH -d $WEB_eth0_ip -j SNAT --to-source $FW_eth1_ip


          Few notes:



          • "..-s $ADMIN -d $FW_eth0_ip.." (1st row) - added only for security reasons - it means that only ADMIN IP can access SSH (if not needed you can delete it)


          • -m conntrack is the same as -m state

          • I recommend to change default port of SSH to another port, like 1xxxx (in /etc/ssh/sshd_config)

          • check List of TCP and UDP port numbers

          • I use port 15xx1 to access SSH on Firewall server, and 15xxx2 the Internal

          Terminal:



          # access firewall server
          $ ssh sancro@xx.xx.xx.xx -p 15xx1

          # access internal server
          $ ssh sancro@xx.xx.xx.xx -p 15xx2


          More details about used rules are perfectly described in mentioned tutorial.



          That's all from me, hope it will help you.






          share|improve this answer



























            2












            2








            2







            Based on this amazing DigitalOcean's tutorial about how to forward ports, I decided to re-write it here.



            I spent many hours of research about how this works.. I'm new to linux and beginnings aren't always easy.. Here is example of my servers and it's port forwarding:



            Firewall server (2 NIC cards) - network details:



            • Public IP address: xx.xx.xx.xx

            • Private IP address: yy.yy.yy.yy

            • Public interface: eth0

            • Private interface: eth1

            Internal (e.g. ssh, web) server (1 NIC card) - network details:



            • Private IP address: zz.zz.zz.zz

            • Private interface: eth0

            Solution:



            Enable packet forwarding in kernel:



            echo 1 > /proc/sys/net/ipv4/ip_forward


            Define variables:



            # Admin IP address (e.g. public home ip)
            ADMIN="aa.aa.aa.aa"

            # IP addresses of servers (e.g. in cloud):
            FW_eth0_ip="xx.xx.xx.xx"
            FW_eth1_ip="yy.yy.yy.yy"
            WEB_eth0_ip="zz.zz.zz.zz"

            # Services:
            SSH="22"
            HTTP="80"


            Iptables port forwarding (with -m conntrack):



            iptables -t nat -A PREROUTING -i eth0 -s $ADMIN -d $FW_eth0_ip -p tcp --dport $SSH -j DNAT --to-destination $WEB_eth0_ip
            iptables -A FORWARD -i eth0 -o eth1 -p tcp --syn --dport $SSH -m conntrack --ctstate NEW -j ACCEPT
            iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport $SSH -m conntrack --ctstate ESTABLISHED -j ACCEPT
            iptables -A FORWARD -i eth1 -o eth0 -p tcp --sport $SSH -m conntrack --ctstate ESTABLISHED -j ACCEPT
            iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport $SSH -d $WEB_eth0_ip -j SNAT --to-source $FW_eth1_ip


            Few notes:



            • "..-s $ADMIN -d $FW_eth0_ip.." (1st row) - added only for security reasons - it means that only ADMIN IP can access SSH (if not needed you can delete it)


            • -m conntrack is the same as -m state

            • I recommend to change default port of SSH to another port, like 1xxxx (in /etc/ssh/sshd_config)

            • check List of TCP and UDP port numbers

            • I use port 15xx1 to access SSH on Firewall server, and 15xxx2 the Internal

            Terminal:



            # access firewall server
            $ ssh sancro@xx.xx.xx.xx -p 15xx1

            # access internal server
            $ ssh sancro@xx.xx.xx.xx -p 15xx2


            More details about used rules are perfectly described in mentioned tutorial.



            That's all from me, hope it will help you.






            edited Apr 9 '17 at 18:37

            answered Apr 8 '17 at 23:55

            sancro

            412
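
The same DNAT / FORWARD / SNAT pattern as a re-runnable script, added here as an example and not part of sancro's answer or the DigitalOcean tutorial: each rule is appended only if `iptables -C` does not find it already, so running the script twice does not duplicate rules; the forward rules also match on the internal destination and include RELATED; and a dry-run mode prints the commands for review before they are applied. The addresses (RFC 5737 documentation ranges), the 2222 public SSH port and the `rule` / `forward_tcp` function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the answer's own code: the same DNAT / FORWARD / SNAT
# pattern as a re-runnable script. Addresses and ports are assumed
# placeholders (RFC 5737 documentation ranges); adjust to your network.
# DRY_RUN=1 (default) only prints the iptables commands; DRY_RUN=0 applies them.

DRY_RUN="${DRY_RUN:-1}"

ADMIN="${ADMIN:-203.0.113.10}"              # admin source address
FW_eth0_ip="${FW_eth0_ip:-198.51.100.5}"    # firewall, public side
FW_eth1_ip="${FW_eth1_ip:-10.0.0.1}"        # firewall, private side
WEB_eth0_ip="${WEB_eth0_ip:-10.0.0.11}"     # internal server
PUB_IF="${PUB_IF:-eth0}"
PRIV_IF="${PRIV_IF:-eth1}"

# rule TABLE CHAIN MATCH...: append a rule unless an identical one already
# exists (iptables -C exits 0 when it does), so re-running the script never
# duplicates rules. In dry-run mode the command is printed instead.
rule() {
    table=$1; chain=$2; shift 2
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables -t $table -A $chain $*"
        return 0
    fi
    iptables -t "$table" -C "$chain" "$@" 2>/dev/null ||
        iptables -t "$table" -A "$chain" "$@"
}

enable_forwarding() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
        return 0
    fi
    # net.ipv4.ip_forward=1 in /etc/sysctl.conf makes this survive a reboot
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# forward_tcp PUBLIC_PORT INTERNAL_PORT [SOURCE]: publish one TCP service on
# the firewall's public address and relay it to the internal server. With a
# SOURCE argument only that address may reach the published port.
forward_tcp() {
    pub=$1; int=$2; src=${3:-0.0.0.0/0}
    # 1. rewrite the destination before routing, so the packet is forwarded
    #    instead of being delivered to the firewall itself
    rule nat PREROUTING -i "$PUB_IF" -s "$src" -d "$FW_eth0_ip" -p tcp --dport "$pub" \
        -j DNAT --to-destination "$WEB_eth0_ip:$int"
    # 2. allow the forwarded flow in and the replies out (ESTABLISHED,RELATED
    #    also covers ICMP errors tied to the connection)
    rule filter FORWARD -i "$PUB_IF" -o "$PRIV_IF" -d "$WEB_eth0_ip" -p tcp --dport "$int" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    rule filter FORWARD -i "$PRIV_IF" -o "$PUB_IF" -s "$WEB_eth0_ip" -p tcp --sport "$int" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 3. source-NAT towards the internal host so its replies come back through
    #    this firewall even when its default route points elsewhere
    rule nat POSTROUTING -o "$PRIV_IF" -d "$WEB_eth0_ip" -p tcp --dport "$int" \
        -j SNAT --to-source "$FW_eth1_ip"
}

enable_forwarding
forward_tcp 2222 22 "$ADMIN"   # SSH: only from the admin address
forward_tcp 80 80              # HTTP: from anywhere
```

Run it as is to see the exact commands; `DRY_RUN=0` as root applies them. The SNAT step is what makes the setup work when the internal server's default gateway is not the firewall, at the price that the internal server's logs show the firewall's private address instead of the real client; if the internal host does route back through the firewall, the POSTROUTING rule can be left out and the client address is preserved.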





















                1














                Although this question is about iptables, in case you also have FirewallD running, here's how to access HTTP of the internal network.

                First, allow HTTP traffic in your internal server's FirewallD:

                # firewall-cmd --permanent --add-service=http

                Then forward the HTTP traffic from the external IP to port 80 of the internal IP:

                # firewall-cmd --permanent --add-forward-port=port=80:proto=tcp:toaddr=10.0.0.11

                The same thing can be done for the SSH service.
















                    answered Dec 24 '17 at 12:11

                    Noam Manos

                    13917
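
As an added example that is not part of this answer, the same forwarding expressed for a whole firewalld zone: masquerading on the zone, which firewalld requires when the forward target is another host, an open HTTP forward, and a rich rule that only lets one admin address reach the published SSH port (the firewalld counterpart of the `-s $ADMIN` match in the iptables answer above). The zone name, the addresses and the 2222 port are assumed placeholders, and the `fwcmd` / `forward_open` / `forward_from` functions are written for this example, not part of firewalld.

```shell
#!/bin/sh
# Added example, not the answer's own commands: firewalld port forwarding to
# an internal host, including the masquerade that forwarding to another
# address requires, and a rich rule that limits SSH to one admin source.
# Zone, addresses and ports are assumed placeholders.
# DRY_RUN=1 (default) prints each command shell-quoted; DRY_RUN=0 runs it.

DRY_RUN="${DRY_RUN:-1}"
ZONE="${ZONE:-public}"                 # zone the public interface is bound to
INTERNAL="${INTERNAL:-10.0.0.11}"      # internal server
ADMIN="${ADMIN:-203.0.113.10}"         # admin source address

# fwcmd ARGS...: run firewall-cmd, or print it with every argument
# single-quoted so the dry-run output can be pasted into a root shell
fwcmd() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'firewall-cmd'; printf " '%s'" "$@"; printf '\n'
        return 0
    fi
    firewall-cmd "$@"
}

# forward_open PUBLIC_PORT INTERNAL_PORT: forward from any source
forward_open() {
    fwcmd --permanent --zone="$ZONE" \
        --add-forward-port="port=$1:proto=tcp:toport=$2:toaddr=$INTERNAL"
}

# forward_from SOURCE PUBLIC_PORT INTERNAL_PORT: forward only from one source
# address (rich rule syntax: source address + forward-port element)
forward_from() {
    fwcmd --permanent --zone="$ZONE" \
        --add-rich-rule="rule family=\"ipv4\" source address=\"$1\" forward-port port=\"$2\" protocol=\"tcp\" to-port=\"$3\" to-addr=\"$INTERNAL\""
}

apply_forwarding() {
    # forward-port with toaddr needs masquerading on the zone; without it the
    # internal host's replies are not translated back to the client
    fwcmd --permanent --zone="$ZONE" --add-masquerade
    forward_open 80 80
    forward_from "$ADMIN" 2222 22
    # --permanent only edits the saved configuration; reload to make it live
    fwcmd --reload
}

apply_forwarding
```

Check the result with `firewall-cmd --zone=public --list-all` after the reload: the forward-ports, rich rules and `masquerade: yes` lines should all show up, and a missing masquerade line is the usual reason a forward to another host silently fails.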





















                        1














                        First of all, enable routing in the Linux gateway:

                        echo 1 > /proc/sys/net/ipv4/ip_forward

                        Then add the following rules with your network interface (i.e., eth1) and desired ports:

                        iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.2
                        iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 22 -j DNAT --to 192.168.1.2
                        iptables -A FORWARD -p tcp -d 192.168.1.2 --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
                        iptables -A FORWARD -p tcp -d 192.168.1.2 --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

                        Check your rules with iptables -L -v; the pkts and bytes columns will show you which rules are being matched.














                            edited Sep 8 '18 at 10:01

                            Craig Bailes

                            34

                            answered Jan 1 '14 at 13:25

                            Gabriel Talavera

                            1,1971917
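
A way to act on the pkts and bytes columns this answer points at, as an added example rather than part of the answer: awk over a constructed `iptables -L FORWARD -v -n` listing, reporting the rules nothing has matched and the chain policy's own counter. The listing and the `unmatched_rules` / `policy_counter` function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not the answer's own code: read the output of
# `iptables -L FORWARD -v -n` (constructed sample below) and report rules
# whose packet counter is still zero plus the chain policy's own counter.
# A zero counter on an ACCEPT rule while the policy counter keeps rising
# usually means the packets never reached that rule: wrong interface or port,
# or the DNAT in PREROUTING did not fire, so the packet was still addressed
# to the firewall itself and went to INPUT instead of FORWARD.

# Constructed listing: two forward rules, only port 80 has seen traffic.
SAMPLE='Chain FORWARD (policy DROP 17 packets, 1020 bytes)
 pkts bytes target     prot opt in     out     source               destination
  842 61231 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            192.168.1.2          tcp dpt:80 state NEW,RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            192.168.1.2          tcp dpt:22 state NEW,RELATED,ESTABLISHED'

# unmatched_rules: stdin = chain listing; prints target, proto, src -> dst and
# the match options of every rule with 0 packets
unmatched_rules() {
    awk '
        /^Chain /      { next }   # chain header carries the policy counters
        $1 == "pkts"   { next }   # column header
        NF >= 9 && $1 == 0 {
            # columns: pkts bytes target prot opt in out source destination [matches...]
            rule = $3 " " $4 " " $8 " -> " $9
            for (i = 10; i <= NF; i++) rule = rule " " $i
            print rule
        }'
}

# policy_counter: stdin = chain listing; prints "<policy> <packets>" for the
# packets that matched no rule and fell through to the chain policy
policy_counter() {
    awk '/^Chain / { print $4, $5 }'
}

# Live use (needs root): iptables -L FORWARD -v -n -x | unmatched_rules
# (-x prints exact counters instead of abbreviations such as 12K or 3M)
printf '%s\n' "$SAMPLE" | unmatched_rules
printf '%s\n' "$SAMPLE" | policy_counter
```

Run against the sample it reports only the port 22 rule and `DROP 17`; on a live gateway, compare the FORWARD output with `iptables -t nat -L PREROUTING -v -n -x` to tell a DNAT rule that never matched from a forward rule that is blocked further down.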


























