[H-GEN] IPTables port forwarding
Stuart Longland
stuartl at longlandclan.hopto.org
Sat Apr 19 02:58:48 EDT 2003
[ Humbug *General* list - semi-serious discussions about Humbug and ]
[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]
Bradley Marshall wrote:
| ...For port
| forwarding, you need something like:
|
| $IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 5206 -j DNAT --to $INTBOX
| $IPTABLES -t nat -A PREROUTING -i $EXTIF -p udp --dport 5206 -j DNAT --to $INTBOX
|
| where $INTBOX is the IP of your internal box. I've used rules like this
| successfully to let people connect into internal game servers, forward for
| webservers etc.
Right, this might be useful for what I'm trying to set up.
I'd like to be able to make our IRC & News server visible to Brisbane
Mesh, so that people on the mesh can chat with people on the internet, etc.
IRC is running on port 6667 and NNTP is running on port 8119 on the
server 192.168.5.1. So, on my mesh box, 192.168.0.2 I have to do the
following:
For IRC:
iptables -t nat -A PREROUTING -i $INTIF -p tcp --dport 6667 -j DNAT --to 192.168.5.1:6667
iptables -t nat -A PREROUTING -i $INTIF -p udp --dport 6667 -j DNAT --to 192.168.5.1:6667
For NNTP:
iptables -t nat -A PREROUTING -i $INTIF -p tcp --dport 119 -j DNAT --to 192.168.5.1:8119
iptables -t nat -A PREROUTING -i $INTIF -p udp --dport 119 -j DNAT --to 192.168.5.1:8119
I'm using INTIF/EXTIF because I always get eth0 and eth1 confused (to
add to my confusion, Slackware saw them the other way around to Red
Hat). One is a 3COM EtherLink XL 10/100 Mbps - INTIF (ip:
192.168.0.2/24) and the other is an Acer ALN-201 10Mbps (aka ne2kpci) -
EXTIF (ip: 10.160.34.1/28)
Now I can guess what the obvious question is: Why am I running NNTP on
port 8119, and how come it's visible on port 119 from the 'net?
I'm using the Papercut NNTP server which is simply a Python script that
behaves like an NNTP server, grabbing its articles from a MySQL
database. For it to bind to port 119, it would need to run as root, or
at least bind as root then switch users. Since papercut isn't that
advanced, the safest bet was to run it on port 8119 (which is over the
1024 threshold), therefore it runs as user 'papercut'. (I'll probably
make it run chrooted when I figure out how)
It's visible on port 119 from the internet, because the machine you see
from the internet, 202.47.55.78, is a small ADSL router (D-Link
DSL-504). It's got a feature to allow me to forward ports onto internal
machines. I'd say internally, it uses something like the above commands
to do NAT, but exactly how it does it I wouldn't know.
IRC also runs as another user, along with its bot (Perlbot). Nothing is
unusual here because the usual port for IRC is 6667, so nothing changes.
--
+-------------------------------------------------------------+
| Stuart Longland stuartl at longlandclan.hopto.org |
| Brisbane Mesh Node: 719 http://stuartl.cjb.net/ |
| I haven't lost my mind - it's backed up on a tape somewhere |
| Griffith Student No: Course: Bachelor/IT @ Nathan |
+-------------------------------------------------------------+
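The forwards discussed in the message above, written out as a small script. This is an added example, not code from the original post or from anyone on the list. It keeps the post's addresses and ports (IRC 6667 to 192.168.5.1:6667, NNTP 119 to 192.168.5.1:8119) but the interface names eth0/eth1 and the FORWARD policy of DROP are assumptions. It also adds the three things the nat rules by themselves do not give you: the PREROUTING rule cannot carry -o (the routing decision has not happened yet, so iptables rejects an output interface there), a DNATed packet still has to be accepted in the FORWARD chain, and the server's replies must come back through this box (either by routing, or by source-NATing the connection so the server only ever sees this box). IRC and NNTP are TCP protocols, so only TCP is forwarded. RUN defaults to "echo" so the script prints the commands instead of applying them; run it as root with RUN= (empty) to apply.

```shell
#!/bin/sh
# Added example, not from the original post. Prints the iptables commands
# by default (RUN=echo); set RUN= and run as root to apply them.
RUN="${RUN-echo}"
INTIF="${INTIF:-eth0}"      # mesh side, 192.168.0.2/24 (interface name assumed)
EXTIF="${EXTIF:-eth1}"      # 10.160.34.1/28 (interface name assumed)
SERVER=192.168.5.1          # box running the IRC server and Papercut

# forward_port PROTO IN_IFACE LISTEN_PORT TARGET_IP TARGET_PORT
# PREROUTING runs before the routing decision, so there is no output
# interface to match yet and -o is invalid there. DNAT only rewrites the
# destination; the packet then goes through FORWARD and must be accepted
# there too, matched on the rewritten (target) port.
forward_port() {
    proto=$1 iface=$2 lport=$3 tip=$4 tport=$5
    $RUN iptables -t nat -A PREROUTING -i "$iface" -p "$proto" --dport "$lport" \
        -j DNAT --to-destination "$tip:$tport"
    $RUN iptables -A FORWARD -i "$iface" -p "$proto" -d "$tip" --dport "$tport" \
        -m state --state NEW -j ACCEPT
}

# snat_to_self TARGET_IP SELF_IP
# Only needed when the target has no route back to the clients via this
# box: rewrite the source so replies always come back here.
snat_to_self() {
    tip=$1 self=$2
    $RUN iptables -t nat -A POSTROUTING -d "$tip" -j SNAT --to-source "$self"
}

setup() {
    $RUN sysctl -w net.ipv4.ip_forward=1
    $RUN iptables -P FORWARD DROP            # assumption: default-deny forwarding
    # Replies for flows already accepted (including DNATed ones) pass both ways.
    $RUN iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # IRC and NNTP are TCP-only, so no UDP rules are needed.
    forward_port tcp "$INTIF" 6667 "$SERVER" 6667
    forward_port tcp "$INTIF" 119  "$SERVER" 8119
    # Uncomment if 192.168.5.1 does not route 192.168.0.0/24 via this box:
    # snat_to_self "$SERVER" 192.168.0.2
}

setup
```

Running it with the default RUN=echo gives a review-able list of commands; diff that against `iptables-save` output after applying to confirm nothing else in the existing ruleset (for example an earlier FORWARD rule) shadows the new ones.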