Archive for the ‘iptables’ Category

Allowing traffic on a particular host for a different network.

September 10, 2010

Consider you have two networks, and , both behind a firewall (a gateway machine, actually). Now you want to allow everyone on to reach only . The steps are:

Basically you have to allow traffic in both directions with iptables on the gateway machine of the network.

iptables -R FORWARD 1 -i eth0 -s  -d -j ACCEPT

iptables -R FORWARD 2 -i eth1 -s -d -j ACCEPT

Here, is the IP of the gateway machine of the 192.168.2.0/24 network.
Make sure to use the correct interface (ethN) for the inbound and outbound traffic of every host.

You can use tcpdump to verify whether the traffic flows, and to see where packets are being rejected.

tcpdump -ni eth1 icmp


Redirecting port 80 traffic to port 8080

July 15, 2010

I opened ports 80 and 443 on my firewall. My Tomcat installation listens on ports 8080 and 8443, but running Tomcat on port 443 would need root privileges. The simple solution is to redirect any request arriving on port 80 to port 8080. Here is the trick.

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 8080

Linux box as a router

March 17, 2010

Two scenarios:

1. Private – Public
2. Private – Private ( inside your LAN)

1. Private – Public

a) Assign the public IP address to the Fast Ethernet card with the following:

IP address (change to your public IP address)
Netmask (provided by the Internet service provider)
Default gateway
Preferred DNS

b) Create a virtual IP address on this Fast Ethernet card

Copy the configuration file of eth0 to a new file named eth0:0.
Assign a private IP address in the same range as the other computers in your local area network.

IP address
Netmask
Default gateway (leave this blank)

c) Create forwarding rules with iptables:

Delete and flush. The default table is “filter”; others like “nat” must be stated explicitly.

# Flush all the rules in the filter and nat tables
iptables -F
iptables -t nat -F
iptables --delete-chain

# Delete all non-default chains in the filter and nat tables
iptables --table nat --delete-chain

# Set up IP FORWARDing and Masquerading
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -j ACCEPT

d) Enable packet forwarding in the kernel:
echo 1 > /proc/sys/net/ipv4/ip_forward

e) Create a route for internal packets:

route add -net gw dev eth0

Change to your gateway IP address.
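The masquerading setup above, written out as an added example that is not from the original post. It assumes eth0 is the public interface and uses the constructed LAN 192.168.1.0/24 as a placeholder; unlike the post's single `-A FORWARD -i eth0 -j ACCEPT`, it defaults FORWARD to DROP and only lets replies to LAN-initiated connections back in. It prints the rule set for review and only applies it when run as root with APPLY=1.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed layout: eth0 is the
# public (ISP-facing) interface; the LAN 192.168.1.0/24 is a constructed
# placeholder, substitute your own network.
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Print the complete rule set instead of running it, so it can be reviewed
# (or diffed against a running box) before it touches a live gateway.
nat_router_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -X
iptables -t nat -X
# Default-deny forwarding: a bare "iptables -A FORWARD -i $WAN_IF -j ACCEPT"
# would forward anything arriving on the public side into the LAN.
iptables -P FORWARD DROP
# Internal hosts may initiate connections out through the public interface.
iptables -A FORWARD -s $LAN_NET -o $WAN_IF -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# Replies come back in, but only for connections the LAN opened.
iptables -A FORWARD -i $WAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Rewrite the source of outgoing packets to the public address.
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
sysctl -w net.ipv4.ip_forward=1
EOF
}

# Apply the rule set only when explicitly asked to and running as root;
# the default is a dry run that just prints the commands.
if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" -eq 0 ]; then
    nat_router_rules | grep -v '^#' | sh -e
else
    nat_router_rules
fi
```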

2. Private – Private


Your current network is and your gateway/firewall is .
Now you want to create a separate LAN and forward its packets to the outside world through a box inside your network.

Choose the box you want to turn into a router and follow these steps:

a) The IP settings will be as follows:
eth0 – (gw)
eth0:0 –
gw ( leave blank)

b) Then on the gateway machine ( ) make sure of the following:


iptables -t nat -A POSTROUTING -o eth0 -s -d ! -j SNAT --to-source

[ This forwards packets from the gw network to the outside world, and the replies back ]

And add a route for your LAN:

route add -net gw

Also make sure your DNS server allows queries from outside your LAN:

allow-query {;

c) Enable packet forwarding in the kernel:
echo 1 > /proc/sys/net/ipv4/ip_forward

There you go, you are done! Your 2.0 network will be able to talk to the outside world through -> .

Note: On your client machine (say ), use as your default gateway and as your nameserver.

If you want to ensure that no host on the 2.0/24 network can reach any host on the 1.0/24 network except 1.1,
add the following rules to your firewall:

iptables -I FORWARD -s -d -p all -j REJECT -o eth0
[ This blocks all traffic from the 2.0/24 LAN to the 1.0/24 LAN ]

iptables -I FORWARD -s -d -p all -j ACCEPT -o eth0
[ Only allow traffic to the gw; because -I inserts at the top of the chain, this rule lands above the REJECT rule and is matched first ]

iptables – port forwarding

January 30, 2010

My Linux gateway server is the only machine visible to the Internet; all other machines are in an internal subnet that is not visible from outside, but they can reach the outside network through iptables-based Network Address Translation (NAT).

In this setup, if I want to run a public service like httpd not on the gateway server (which is visible from outside) but on an internal machine (which is not), how do I make it available to the outside Internet? To expose an internal machine's service to the outside we need port forwarding on the gateway server: a port on the gateway accepts all connections and forwards them to the port on the internal machine where the service is listening.

Let x.x.x.x be the IP address of the gateway server connected to the cable modem and the IP address of the internal machine. Say we want to run a web server (httpd) on 192.168.0.2 on port 80, which should be available to the outside Internet. We can forward port 80 on to port 80 of .

Source: — forwarded to ->

Port forwarding using iptables
First set the rule:

iptables -t nat -A PREROUTING -p tcp -i eth1 --dst [public IP] --dport 80 -j DNAT --to-destination

-t, table to operate on
-A, append the rule to the end of a chain
PREROUTING, a predefined chain available in iptables
-p, protocol
-i, match the input interface on which the packet enters
-o, match the output interface on which the packet exits
--dst, an alias for the option -d (destination address)
--dport, TCP destination port
-j, jump to the specified target when the packet matches the current rule
DNAT, valid in the PREROUTING and OUTPUT chains of the nat table
--to-destination, the new destination address (optionally with port) of the packet

To view the rules in the nat table, with their rule numbers:

iptables -t nat -vnL --line-numbers

Now, to finally let the forwarded traffic through:

iptables -I FORWARD 3 -o eth1 -s -j ACCEPT

Here 3 is the rule number, i.e. the position at which the rule is inserted into the FORWARD chain.

To delete an existing rule:

iptables -t nat -D PREROUTING 4

Here, 4 is the rule number in the PREROUTING chain of the nat table, as shown by --line-numbers.
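The DNAT port forward described in this post, assembled into one reviewable script as an added example (not from the original post). It assumes eth1 is the Internet-facing interface, uses the constructed placeholder 203.0.113.10 for the public address, and keeps the post's internal web server 192.168.0.2; it also shows deleting the rules by their full specification, which keeps working when rule numbers shift.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed layout: eth1 faces the
# Internet and carries the gateway's public address (placeholder 203.0.113.10,
# an RFC 5737 documentation address); 192.168.0.2 is the internal web server
# named in the post. Override any of these in the environment.
WAN_IF="${WAN_IF:-eth1}"
PUB_IP="${PUB_IP:-203.0.113.10}"
INT_IP="${INT_IP:-192.168.0.2}"
PORT="${PORT:-80}"

# Print the rules needed to expose INT_IP:PORT on PUB_IP:PORT. Printing first
# lets you review the rule set before it is applied to a live gateway.
port_forward_rules() {
    cat <<EOF
# Rewrite the destination of inbound connections to the internal server.
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp -d $PUB_IP --dport $PORT -j DNAT --to-destination $INT_IP:$PORT
# DNAT alone is not enough when FORWARD defaults to DROP: admit only new
# connections to that one port, and the replies belonging to them.
iptables -A FORWARD -i $WAN_IF -p tcp -d $INT_IP --dport $PORT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o $WAN_IF -s $INT_IP -p tcp --sport $PORT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Turn the -A (append) rules into -D (delete) rules. Deleting by the full rule
# text is safer than deleting by number: numbers shift whenever an earlier
# rule in the chain is removed.
port_forward_delete_rules() {
    port_forward_rules | grep '^iptables' | sed 's/ -A / -D /'
}

# Check that the DNAT rule is actually loaded in the nat table (root only).
dnat_rule_present() {
    iptables -t nat -S PREROUTING | grep -q -- "--to-destination $INT_IP:$PORT"
}

# Dry run by default; APPLY=1 installs the rules, REMOVE=1 takes them out.
if [ "$(id -u)" -eq 0 ] && [ "${APPLY:-0}" = 1 ]; then
    port_forward_rules | grep -v '^#' | sh -e
    dnat_rule_present && echo "DNAT rule for $INT_IP:$PORT is active"
elif [ "$(id -u)" -eq 0 ] && [ "${REMOVE:-0}" = 1 ]; then
    port_forward_delete_rules | sh -e
else
    port_forward_rules
fi
```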