Firewall FORWARD filters

Revision as of 14:32, 19 April 2015 by WikiFreak (talk | contribs) (IpTables script)


Port forwarding principle

The aim is to reach a server located behind the server we are currently working on (the front server acting as firewall).


Basic proxy

FW port forwarding - without NAT

In this case the port opened on the target server is the same as the port opened on the front server.

This is a RISK because it exposes the layout of our network to the Internet.


Advanced proxy

FW port forwarding - with NAT


Here, the incoming and target port numbers are different. That's better, but as IT admin you need to maintain an 'IN / OUT ports matching table'.



How to

To do a port forwarding you have to:

  • Allow some source IP / hosts to use forwarding
  • Create some forward target
  • Open the incoming port [input + output]
  • Register the target server and allow POST-ROUTING operations on it
  • Route the incoming port to the target server + port number


Proxy how-to


Requirements:

  • Enable port forwarding
  • The current server must be able to reach the target {server,port}


IpTables script

You have to declare the following only ONCE in your whole FW script:


Enable module

#### Requirement: enable port forwarding in general (IPv4 on eth0 only, IPv6 on all interfaces)
echo 1 > /proc/sys/net/ipv4/conf/eth0/forwarding
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding


### Path of the iptables binary used by every rule below (assumed location; set it once at the top of the FW script)
IPTABLES=/sbin/iptables


### Allow forward from IP@...
$IPTABLES -A FORWARD -s 91.121.17.114 -j ACCEPT        # work
$IPTABLES -A FORWARD -s 5.39.81.23 -j ACCEPT           # family VPN
$IPTABLES -A FORWARD -s 192.168.18.0 -j ACCEPT         # home


### Open incoming ports [=from ports]...
$IPTABLES -A INPUT -p tcp --dport 25 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT


### Open target ports [=to ports]...
$IPTABLES -A OUTPUT -p tcp --dport 25 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 8080 -j ACCEPT


### Declare forward targets [=to]...
# MASQUERADE rewrites the source address to the firewall's own, so the target
# server sees the firewall, not the real client, in its logs.
$IPTABLES -t nat -A POSTROUTING -d 192.168.18.2 -j MASQUERADE            # Email server
$IPTABLES -t nat -A POSTROUTING -d 192.168.18.5 -j MASQUERADE            # JEE server


### Redirect FROM (IP:port) TO (server:port)
# Without "-i eth0" these rules apply to packets arriving on every interface.
$IPTABLES -t nat -A PREROUTING -p tcp --dport 25 -j DNAT --to 192.168.18.2:25
$IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.18.5:8080
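
The how-to steps and the script above keep the public-port to target mapping spread over several rules. The following script is an added example, not the wiki's own script: it keeps that mapping in one 'IN / OUT ports matching table' and generates the nat and filter sections in iptables-restore format from it, so the rules can be reviewed before they are loaded. It goes beyond the page in two respects: the FORWARD chain gets a DROP policy and accepts only NEW connections to the exact DNAT targets plus ESTABLISHED,RELATED replies (the wiki script accepts by source address instead), and a duplicate public port in the table is rejected. The interface names eth0 (Internet side) and eth1 (internal side) are assumptions; the target addresses reuse the wiki's examples.

```shell
#!/bin/sh
# Added example (not the wiki's script): build the forwarding part of an iptables
# ruleset from a single "IN / OUT ports matching table", so the public-port to
# target mapping lives in one place and the rules are reviewed before they are applied.
# Assumptions: eth0 faces the Internet, eth1 faces the internal servers,
# and the target addresses come from the wiki's example (192.168.18.x).
WAN_IF=eth0
LAN_IF=eth1

# Mapping table, one entry per line: "public_port target_ip target_port".
# Constructed sample data mirroring the two targets of the wiki script.
FORWARD_TABLE='25 192.168.18.2 25
80 192.168.18.5 8080'

# Refuse a table that maps the same public port twice: the second DNAT rule
# would never match, and the admin's table would no longer describe reality.
check_table() {
    printf '%s\n' "$1" | {
        seen=" "
        while read -r pub ip port; do
            [ -n "$pub" ] || continue
            case "$seen" in *" $pub "*) exit 1 ;; esac
            seen="$seen$pub "
        done
    }
}

# DNAT rule (nat/PREROUTING): packets arriving on WAN_IF for public port $1
# are rewritten to target $2:$3.
dnat_rule() {
    printf '%s\n' "-A PREROUTING -i $WAN_IF -p tcp --dport $1 -j DNAT --to-destination $2:$3"
}

# FORWARD rule (filter): accept only NEW connections that the DNAT rule above
# produced, i.e. to exactly target $2:$3, instead of accepting by source address.
forward_rule() {
    printf '%s\n' "-A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $2 --dport $3 -m conntrack --ctstate NEW -j ACCEPT"
}

# MASQUERADE toward the target, as the wiki does. The target then sees the
# firewall as the client, so its own logs lose the real source IP: log on the
# firewall, or drop this rule when the target routes replies back via the firewall.
masq_rule() {
    printf '%s\n' "-A POSTROUTING -o $LAN_IF -d $2 -j MASQUERADE"
}

# Emit the nat and filter sections in iptables-restore format.
gen_ruleset() {
    table="$1"
    check_table "$table" || { echo "duplicate public port in table" >&2; return 1; }
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    printf '%s\n' "$table" | while read -r pub ip port; do
        [ -n "$pub" ] || continue
        dnat_rule "$pub" "$ip" "$port"
        masq_rule "$pub" "$ip" "$port"
    done
    echo 'COMMIT'
    echo '*filter'
    echo ':FORWARD DROP [0:0]'
    # Replies and related traffic for already accepted connections, both directions.
    echo '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' "$table" | while read -r pub ip port; do
        [ -n "$pub" ] || continue
        forward_rule "$pub" "$ip" "$port"
    done
    echo 'COMMIT'
}

# Print the generated ruleset; review it, then merge it into the full firewall
# configuration before loading.
gen_ruleset "$FORWARD_TABLE"
```

The output is only the forwarding part of a ruleset. iptables-restore replaces every chain of each table it is given (unless run with --noflush), so this fragment must be merged into the host's complete ruleset, including its INPUT and OUTPUT rules, rather than loaded on its own. Because the FORWARD policy is DROP, only the targets listed in the table are reachable through the firewall; adding a new service means adding one line to the table and regenerating, which keeps the matching table and the running rules in step.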

Port forwarding VS proxy

Usually it's better to proxy than forward.

So if you can use the Apache2 proxy to redirect "http://mysite/myApp" to "/myApp" on your sub-server's Apache2 - DO IT!


My advice:

Only use port forwarding when there is no other choice.