Firewall FORWARD filters

Revision as of 14:07, 8 August 2014 by WikiFreak (talk | contribs) (Created page with "Category:Linux =Port forwarding principle= The aim is to reach a server located behind the actual server we are working on. ==Basic proxy== File:FW_port_forwarding...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)


Port forwarding principle

The aim is to reach a server located behind the actual server we are working on.


Basic proxy

FW port forwarding - without NAT

In this case the target port number is the same as the source port.

This is a RISK because we exposed to Internet the schema of our Network.


Advanced proxy

FW port forwarding - with NAT


Here, the source and target port numbers are different. That's better but you need to maintain a 'IN / OUT ports matching table' as IT admin.



How to

To do a port forwarding you have to:

  • Allow some source IP / hosts to use forwarding
  • Create some forward target
  • Open the incoming port [input + output]
  • Register the target server and allow POST-ROUTING operations on it
  • Route the incoming port to the target server + port number


Proxy how-to


Requirements:

  • Enable port forwading
  • The current server must be able to reach the target {server,port}


IpTables script

You have to declare the following only ONCE in all your FW script:


Enable module 

#### Requirement: enable port forwarding in general
echo 1 > /proc/sys/net/ipv4/conf/eth0/forwarding
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding


### Allow forward from IP@... 
$IPTABLES -A FORWARD -s 91.121.17.114 -j ACCEPT		# work
$IPTABLES -A FORWARD -s 5.39.81.23 -j ACCEPT	        # family VPN
$IPTABLES -A FORWARD -s 192.168.18.0 -j ACCEPT	        # home


### Open incoming ports [=from ports]...
$IPTABLES -A INPUT -p tcp --dport 25 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
 

### Declare forward targets [=to]...
$IPTABLES -A POSTROUTING -d 192.168.18.2 -t nat -j MASQUERADE            # Email server
$IPTABLES -A POSTROUTING -d 192.168.18.5 -t nat -j MASQUERADE            # JEE server



### Redirect FROM (IP:port) TO (server:port)
$IPTABLES -A PREROUTING -t nat -p tcp --dport 25 -j DNAT --to 192.168.18.2:25
$IPTABLES -A PREROUTING -t nat -p tcp --dport 80 -j DNAT --to 192.168.18.5:8080



Port forwarding VS proxy

Usually it's better to proxy than forward.

So if you can use the Apache2 proxy to redirect "http://mysite/myApp" to your sub-server Apache2 "/myApp" - DO IT !


My advice:

Only use port forwarding when there are no other choice.

Retrieved from "http://www.daxiongmao.eu/wiki/index.php?title=Firewall_FORWARD_filters&oldid=917"