Firewall FORWARD filters
Contents
Port forwarding principle
The aim is to reach a server located behind the server we are working on: the machine we configure is the gateway, and the real service runs on a host of the private network behind it.
Basic proxy
In this case the target port number is the same as the public (incoming) port, e.g. public port 25 forwarded to port 25 of the internal mail server.
This is a RISK because it exposes the schema of our network to the Internet: the public port tells directly which internal service answers behind it.
Advanced proxy
Here, the public and target port numbers are different (e.g. public port 80 forwarded to port 8080 of the internal server). That's better, but as IT admin you then need to maintain an 'IN / OUT ports matching table' saying which public port goes to which server:port.
How to
To do a port forwarding you have to:
- Allow some source IPs / hosts to use forwarding (FORWARD chain)
- Create some forward targets
- Open the forwarded port in the FORWARD chain (forwarded packets go PREROUTING -> FORWARD -> POSTROUTING and never traverse the gateway's INPUT or OUTPUT chains)
- Register the target server and, only if its replies do not route back through this gateway, MASQUERADE towards it (POSTROUTING)
- Route the incoming port to the target server + port number (PREROUTING, DNAT)
Requirements:
- Enable IP forwarding in the kernel
- The current server must be able to reach the target {server,port}
IpTables script
You have to declare the following only ONCE in your whole FW script:
Enable module
#### Requirement: enable IP forwarding (runtime setting; persist it in /etc/sysctl.conf or /etc/sysctl.d/)
# ip_forward covers every interface: the replies coming back from the LAN side have to be forwarded too,
# so enabling forwarding on eth0 alone is not enough.
echo 1 > /proc/sys/net/ipv4/ip_forward
# Only enable IPv6 forwarding if you also filter it with ip6tables; the rules below are IPv4 only.
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
# $IPTABLES is set once at the top of the firewall script
IPTABLES=${IPTABLES:-/sbin/iptables}
### Allow forward from IP@... (these trusted sources may be forwarded anywhere)
# Replies to forwarded connections come back through FORWARD as well; without this rule a FORWARD policy of DROP kills them.
$IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -s 91.121.17.114 -j ACCEPT   # work
$IPTABLES -A FORWARD -s 5.39.81.23 -j ACCEPT      # family VPN
$IPTABLES -A FORWARD -s 192.168.18.0/24 -j ACCEPT # home LAN (without /24 only the single address 192.168.18.0 would match)
### Open the forwarded ports [=to ports]...
# Forwarded packets never traverse INPUT or OUTPUT, so the ports are opened in FORWARD,
# where the packet already carries the target address and port rewritten by the DNAT below.
$IPTABLES -A FORWARD -i eth0 -p tcp -d 192.168.18.2 --dport 25 -j ACCEPT   # Email server
$IPTABLES -A FORWARD -i eth0 -p tcp -d 192.168.18.5 --dport 8080 -j ACCEPT # JEE server
### Declare forward targets [=to]...
# MASQUERADE towards the target is only needed when the target's default route does not point back to this gateway.
# It replaces the client address with the gateway's, so the target (the mail server in particular) no longer
# sees who really connected; leave these two rules out if the routing allows it.
$IPTABLES -t nat -A POSTROUTING -d 192.168.18.2 -j MASQUERADE # Email server
$IPTABLES -t nat -A POSTROUTING -d 192.168.18.5 -j MASQUERADE # JEE server
### Redirect FROM (public IP:port) TO (server:port)
# -i eth0 limits the DNAT to connections arriving on the public interface
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to-destination 192.168.18.2:25
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.18.5:8080
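The same forwarding generated from one mapping table and written in iptables-restore format, as an added example that is not the page's own script. It keeps the page's two mappings (public 25 -> 192.168.18.2:25 and public 80 -> 192.168.18.5:8080) and assumes a public interface eth0 and a LAN of 192.168.18.0/24; the variable and function names are this example's own. It generalizes the script above: any number of mappings, with the DNAT rule and the matching FORWARD rule of each derived from the same table line so the 'IN / OUT ports matching table' cannot drift from the rules, and a load that replaces the tables instead of appending, so re-running it never produces duplicate rules the way repeated `iptables -A` commands do.

```bash
#!/bin/sh
# Added example, not code from the original page: build the page's port
# forwardings (25 -> 192.168.18.2:25, 80 -> 192.168.18.5:8080) from a single
# mapping table and print them in iptables-restore format.
# Assumptions (hypothetical, not from the page): the public interface is eth0,
# the LAN behind the gateway is 192.168.18.0/24, all names below are this
# example's own.

PUBLIC_IF="eth0"
LAN_NET="192.168.18.0/24"

# Mapping table: "public_port target_ip target_port", one forwarding per line.
# This is the "IN / OUT ports matching table" kept in one place; when the
# public and target ports differ (the 80 -> 8080 line) nothing else is edited.
FORWARDS='
25 192.168.18.2 25
80 192.168.18.5 8080
'

# Requirement check: IP forwarding must be on for every interface (replies
# coming back from the LAN side are forwarded too). Returns 0 when it is.
forwarding_enabled() {
  [ -r /proc/sys/net/ipv4/ip_forward ] &&
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "1" ]
}

# Run "$1 public_port target_ip target_port" for every line of the table.
each_forward() {
  printf '%s\n' "$FORWARDS" | while read -r pub_port target_ip target_port; do
    [ -n "$pub_port" ] || continue
    "$1" "$pub_port" "$target_ip" "$target_port"
  done
}

# nat table: rewrite the destination, but only for connections arriving on the
# public interface, so LAN clients talking to the gateway itself are untouched.
nat_rule() {
  printf '%s\n' "-A PREROUTING -i $PUBLIC_IF -p tcp --dport $1 -j DNAT --to-destination $2:$3"
}

# filter table: the packet reaches FORWARD after the DNAT, so it already
# carries the target address and port; accept exactly that flow, nothing else.
filter_rule() {
  printf '%s\n' "-A FORWARD -i $PUBLIC_IF -p tcp -d $2 --dport $3 -m conntrack --ctstate NEW -j ACCEPT"
}

# Complete nat + filter tables in iptables-restore format. Loading the output
# replaces both tables atomically, so this file must carry the whole ruleset
# (the gateway's own INPUT rules included), not just the forwarding part.
emit_ruleset() {
  printf '%s\n' '*nat' \
    ':PREROUTING ACCEPT [0:0]' ':INPUT ACCEPT [0:0]' \
    ':OUTPUT ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
  each_forward nat_rule
  # No MASQUERADE towards the targets: it would hide the real client address
  # from them. Point the targets' default route at this gateway instead.
  printf '%s\n' 'COMMIT' '*filter'
  # INPUT stays ACCEPT here: the gateway's own access rules belong to the rest
  # of the firewall script, and a DROP policy loaded alone would lock you out.
  printf '%s\n' ':INPUT ACCEPT [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
  # Replies and related traffic of every forwarded connection, both directions.
  printf '%s\n' "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # Hosts on the LAN may open connections through the gateway (the page's
  # "allow forward from IP@" rules); everything else in FORWARD is dropped.
  printf '%s\n' "-A FORWARD -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT"
  each_forward filter_rule
  printf '%s\n' 'COMMIT'
}

# Usage: sh forward.sh > rules.v4 && iptables-restore < rules.v4
forwarding_enabled || echo "warning: IP forwarding is disabled on this host" >&2
emit_ruleset
```

After loading, check what the kernel actually holds with `iptables -t nat -L PREROUTING -n -v` and `iptables -L FORWARD -n -v`: the packet counters on the DNAT rule and on its FORWARD counterpart should grow together when a client connects to the public port; a DNAT counter that grows while the FORWARD counter stays at zero means the forwarded flow is being dropped by the FORWARD policy.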
Port forwarding VS proxy
Usually it's better to proxy than to forward: a reverse proxy terminates the client's connection on the gateway and opens its own connection to the back-end, so the back-end is never directly reachable from the Internet and the gateway can filter and log at the application layer, whereas DNAT hands the raw TCP connection straight to the back-end.
So if you can use the Apache2 reverse proxy (mod_proxy) to map "http://mysite/myApp" to "/myApp" on your sub-server's Apache2 - DO IT!
My advice:
Only use port forwarding when there is no other choice.