
IPTables and Port Forwarding?

Cliff posted more than 12 years ago | from the finding-the-right-reference dept.

Mandriva 41

$hy_guy asks: "I have been totally striking out finding some info on how to do port forwarding in Linux. I am currently running Mandrake 8.1 as my router and I would like to forward a particular port to another machine on my LAN. I'm pretty sure I have to use iptables but I have been very unsuccessful at the proper syntax. I have scoured through Google and I have not really found any useful info. I would appreciate just a link or something to point me the correct direction. Thanks for the help" I know many of you may think this is an FAQ, but it seems that IPTables confuses many people as this is not the first time this question has hit the bin. If someone has a good general reference on the use of IPTables, please share.


Fist Sport (-1)

ringbarer (545020) | more than 12 years ago | (#2890759)

In the attempt to overcome my "thingness," Mina subjected me to enemas, branding and shit blistering. This last ordeal consisted of Mina injecting her shit underneath the surface of my skin until a blister formed. I was ordered to allow the blister to fester for days until she would order me to tear it open with my own teeth. As she berated me verbally and beat me with a television antenna I would lick my wound until it was clean of all pus and shit. We engaged in this drama a number of times, the blisters becoming bigger and more numerous each time. It wasn't long before I became sick. A painful and persistent nausea became a constant presence for me, but Mina refused to allow me to see a doctor. She would call me a "fucking little baby," and force me to lick her anus while she sat on my face and farted. She felt smooth and slick as she slid back and forth over my nose, and the sensation of her soft brown thighs gripping my head threw me into fits of excitement. But this highly pleasurable experience became associated, more and more, with the stench and filth of her bowel excretions. I could not separate the pleasure of having sex with Mina from the displeasure of being forced to wallow in her excrement. Being a helpless masturbatory aid and shit receptacle became an important and indispensable part of the sexual act with her. The more of her shit that I was forced to eat and have injected under my skin, the sicker I became. Yet I could not stop seeing her. More to the point, I did not want to stop seeing her. I craved the humiliation that she subjected me to in my pursuit of nothingness. I was becoming less and less of what I had been by virtue of the fact that I was becoming less and less of anything. Soon I would disappear and never experience pain again.

Check MonMotha's IPTables scripts... (2, Informative)

Evro (18923) | more than 12 years ago | (#2890789)

I use MonMotha's IPTables script [mplug.org] to build my firewall. You tell it which ports to leave open and it closes the rest. It also has stuff in there for rate limiting and stuff, I think. According to that page, the beta does port forwarding.

Docs abound (4, Informative)

jmd! (111669) | more than 12 years ago | (#2890798)

Netfilter is extremely well documented... this poster must not have tried very hard.

Home page: http://www.netfilter.org/ [netfilter.org]

FAQs: http://www.netfilter.org/documentation/FAQ/netfilter-faq.html [netfilter.org]

Excellent HOWTOs: http://www.netfilter.org/documentation/index.html#HOWTO [netfilter.org]

It's "Ask Slashdong" (0, Funny)

ringbarer (545020) | more than 12 years ago | (#2890816)

No-one EVER tries very hard.

"Ask Slashdot: Has anyone found my car keys?"

google and howto (2, Redundant)

gus goose (306978) | more than 12 years ago | (#2890851)

So, I Googled [google.com], then chose the 2.4 NAT Howto, Section 6.2 [samba.org]

Why is that so hard?

gus

Re:google and howto (4, Informative)

Raptor CK (10482) | more than 12 years ago | (#2890865)

It seems simple, but I'll bet that today's kids forget to use "howto" as a search parameter.

Go ahead, Google "iptables port forwarding" and see how much worse those results are.

This just goes to show that we need more basic user education. RTFM should be preceded by RTFH (Read The Fucking HOWTO!) so that people at least know what to look for when they're stumped.

Kids these days...

Re:google and howto (-1)

ringbarer (545020) | more than 12 years ago | (#2891045)

Or just give them a REAL Operating System, and not a toy that requires lots of intricate little text parameters to work.

Point and Click IS the way of the future, Linux Losers. And by the time you've got THAT right, Microsoft will have developed a whole new paradigm for you to slavishly follow.

Re:google and howto (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2891518)

You see the kids, they listen to the rap music,
which gives them the brain damage.

With their hiping and their hoping,
and their biping and their boping.

So they don't know what the Jazz,
is all about!

pffff (3, Informative)

Smoking (24594) | more than 12 years ago | (#2890864)

This one's a bit easy:

Step one: go to http://www.netfilter.org [netfilter.org]

step two: find the HOWTO section

step three: fifth line of the HTML version of the NAT-HOWTO reads like this: This document describes how to do masquerading, transparent proxying, port forwarding, and other forms of Network Address Translations with the 2.4 Linux Kernels.

step four: Wait, there's no step four... there's no step four!

Quentin

'tis Quite Easy (5, Informative)

Jester998 (156179) | more than 12 years ago | (#2890876)

Heh... by coincidence, I just finished a project for the local hospital... I was coding a full-featured firewall based on Linux, and it had to integrate seamlessly with a WinNT network, including limiting 'net access by user name, and it had to work totally transparently for the users. Since a number of people in the hospital use Remotely Anywhere to connect from home, port forwarding became an issue for us.

The syntax for port forwarding is:

iptables -t nat -I PREROUTING -p <protocol> --dport <destination port> -j DNAT --to-destination <destination IP>:<destination port>

Note that you can remap port numbers, too, if need be (ie. traffic coming in on port 80 is redirected internally to port 5000).

Make sure you have the destination NAT target compiled in (I think it might be, by default), and make sure you enable all the NAT stuff you need.

Limiting access by username (0)

Anonymous Coward | more than 12 years ago | (#2891137)

Out of curiosity (since I may be running into a similar scenario myself), how did you go about tying the access to the login?

Thanks!

(Posting anonymously as I'm sure this'll get modded off-topic. :)

Re:Limiting access by username (2, Informative)

Lord Sauron (551055) | more than 12 years ago | (#2891214)

He apparently did it by IP address.
But there's another way:

owner
This module attempts to match various characteristics of the packet creator, for locally-generated packets. It is only valid in the OUTPUT chain, and even this some packets (such as ICMP ping responses) may have no owner, and hence never match.

--uid-owner userid
Matches if the packet was created by a process with the given effective user id.

--gid-owner groupid
Matches if the packet was created by a process with the given effective group id.

--pid-owner processid
Matches if the packet was created by a process with the given process id.

--sid-owner sessionid
Matches if the packet was created by a process in the given session group.

And with Iptables 1.2.5 [samba.org] you can even establish quotas per user.

Re:Limiting access by username (1)

murreyaw (96319) | more than 12 years ago | (#2891716)

Thanks for the info. Very Helpful. I just finished a similar project.

Re:Limiting access by username (0)

Anonymous Coward | more than 12 years ago | (#2891731)

That module only works for locally generated packets, and unless everyone uses the same machine, it's pretty useless. I guess you could assign them a UID and run a proxy under that UID, but the proxy would still have to verify their username.

Re:Limiting access by username (1)

Jester998 (156179) | more than 11 years ago | (#2901363)

Yes, that method works, too, but the *ID matches only processes/users/groups on the local machine, IIRC.

Yes, I did actually do the port forwarding by IP, since anyone who has Remotely Anywhere access has a static IP on their station.

But the outgoing connections are limited by NT username.

Re:'tis Quite Easy (1)

jmorey (38458) | more than 12 years ago | (#2894980)

I would be quite interested in how you limited net access by user name if it was the user name of the logged in user that was being used. I am currently trying to do this, restrict net access based on user instead of physical hardware, on my home network (Win98 and Win2000 clients, Linux firewall) but have not been successful.

Re:'tis Quite Easy (1)

Jester998 (156179) | more than 11 years ago | (#2901412)

Well, there are two ways, each with their disadvantages: You can either use a modified 'nbtstat' (from Samba), or you can have a 'finger'-style daemon running on all the machines.

The 'nbtstat' method has a few disadvantages, including the fact that if a user logs onto two stations at once, only the most recently logged-on station will return a user name, and also that the returned ID codes (0x03) are the same for machine name and username... ;(

The daemon method is more-or-less foolproof, but you need to deploy all the daemons... easy if you have login scripts set up from a centralized server, but a pain in the ass if you don't. Plus, you'd need to write the daemon software. Shouldn't be more than 100 lines or so (at most).

In either case, you have to queue packets to userspace by using the appropriate kernel module (ip_queue, IIRC), and a QUEUE target in your iptables rules.

Took me a while to figure out, too, and you have to decide which model is best for your network.
Either way, you basically need to write at least SOME code, so this is not for the faint of heart!

Good luck!

Here's how to forward a port. (1)

chakradeo (49981) | more than 12 years ago | (#2890905)

iptables -t nat -A PREROUTING -i eth0 -p TCP --dport 80 -j DNAT --to 192.168.1.2

(To forward port 80 to 192.168.1.2 on LAN. eth0 is your external interface)

Linux advanced routing how-to (2, Informative)

eufaula (163352) | more than 12 years ago | (#2890919)

if you want to get into the kernel's routing abilities, check http://ds9a.nl/lartc/HOWTO//cvs/2.4routing/output/2.4routing.html [ds9a.nl]. this site is _the_ place to go for info on the subject. But if you want to keep it simple, stay with the suggested netfilter sites.

Here's how (4, Informative)

jquirke (473496) | more than 12 years ago | (#2890923)

Yeah, it's not as obvious at first, but it's actually pretty simple.

OK here's an example: our gateway is 192.168.0.1 with lan interface eth0 and internet interface eth1. We want to redirect port 21 (FTP) to the machine 192.168.0.10

First of all, we need to add a rule matching incoming data to port 21. We use the PREROUTING chain in the NAT table:

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 21 -j DNAT --to-destination 192.168.0.10

This says: in the network address translation table and the chain that deals with incoming data prior to routing, and if the data is coming in from the internet and wants to go to TCP port 21 (ftp), DNAT (destination network address translate) it to transparently make it go to 192.168.0.10

Here's a generic template:

iptables -t nat -A PREROUTING -i [net interface] [selection rules - proto, port] -j DNAT --to-destination [ip on lan]

You can also redirect to a different port number, in the above example to redirect to 192.168.0.10 port 321 it would be:

--to-destination 192.168.0.10:321

As for this being an FAQ, I am aware of no such references on IPTables, and it doesn't matter. I think the manual page provides more than sufficient information to get you started. If you don't understand it, then you should not be administering a gateway of any kind!

Re:Here's how (1)

Sendy (31825) | more than 12 years ago | (#2895053)

Of course, most of the time you'll have the default policy for FORWARD on DROP, or something. And you'll have SNAT from the inside ACCEPT(ed).

Now, you have to add a FORWARD ACCEPT statement (in the default table) like this:
iptables -A FORWARD -i eth1 -p tcp -d 192.168.1.2 --dport 21 -j ACCEPT

Another thing is that for ftp traffic to work, you'll need a state of RELATED to be entered somewhere.
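The two posts above (jquirke's DNAT rule and Sendy's follow-up about FORWARD and RELATED) together describe a complete port forward. The script below is an added example, not code from either poster: it only prints the iptables commands a forward needs, so they can be reviewed before being applied as root. Interface names, addresses and ports are constructed placeholders; the `-m state` match and the 2.4-era ip_conntrack_ftp/ip_nat_ftp module names are assumed to be available on the gateway.

```shell
#!/bin/sh
# Added example: generate the rules for one DNAT port forward.
# Output is plain iptables commands; pipe to sh on the gateway to apply.

# port_forward_rules EXT_IF PROTO EXT_PORT LAN_IP [LAN_PORT]
#   Prints the nat PREROUTING DNAT rule plus the filter FORWARD ACCEPT
#   that a DROP default FORWARD policy requires. LAN_PORT defaults to
#   EXT_PORT; give it to remap (e.g. external 2022 -> LAN host port 22).
port_forward_rules() {
    ext_if=$1 proto=$2 ext_port=$3 lan_ip=$4 lan_port=${5:-$3}
    case $proto in
        tcp|udp) ;;
        *) echo "port_forward_rules: proto must be tcp or udp" >&2; return 1 ;;
    esac
    for p in "$ext_port" "$lan_port"; do
        case $p in
            ''|*[!0-9]*) echo "port_forward_rules: bad port '$p'" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "port_forward_rules: port $p out of range" >&2; return 1
        fi
    done
    # Rewrite the destination before routing. Restricting to the external
    # interface keeps LAN-originated traffic from being redirected as well.
    echo "iptables -t nat -A PREROUTING -i $ext_if -p $proto --dport $ext_port -j DNAT --to-destination $lan_ip:$lan_port"
    # By the time FORWARD sees the packet it is addressed to the LAN host and
    # LAN port, so the filter rule must match the rewritten values, not the
    # public port. Only NEW connections are opened here.
    echo "iptables -A FORWARD -i $ext_if -p $proto -d $lan_ip --dport $lan_port -m state --state NEW -j ACCEPT"
}

# return_rules: the one-time rule that lets reply packets (and helper-tracked
# RELATED connections such as FTP data channels) back through FORWARD.
return_rules() {
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# ftp_helper_modules: conntrack/NAT helpers needed for a forwarded FTP port,
# so the RELATED data connections Sendy's post mentions are actually tracked.
# Module names are the 2.4-kernel ones (assumption).
ftp_helper_modules() {
    echo "modprobe ip_conntrack_ftp"
    echo "modprobe ip_nat_ftp"
}

# Demo when run directly: forward FTP to 192.168.0.10 and remap 2022 -> 22.
ftp_helper_modules
return_rules
port_forward_rules eth1 tcp 21 192.168.0.10
port_forward_rules eth1 tcp 2022 192.168.0.10 22
```

Review the printed rules against your own interface names and FORWARD policy before piping them to sh; the ESTABLISHED,RELATED rule is printed once and should precede the per-forward rules.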

Re:Here's how (2)

man_ls (248470) | more than 12 years ago | (#2908315)

Well written. I saved this comment as a text file in case I'll ever need to use it.

My setup... (2)

kilgore_47 (262118) | more than 12 years ago | (#2891002)

I spent a while fooling with various IPTables scripts, but finally settled on the gpl'd shorewall [shorewall.net] package.

It handles all my iptables configuration, including NAT with port forwarding.

Linux Journal (1)

fuzzbrain (239898) | more than 12 years ago | (#2891037)

There was a good article in September 2001 issue of Linux Journal. Scripts are available at ftp.ssc.com/pub/lj/listings/issue89/

Re:Linux Journal (2)

crow (16139) | more than 12 years ago | (#2891659)

See http://www.linuxjournal.com/article.php?sid=3575 [linuxjournal.com] for another Linux Journal article on setting up a firewall with various features including port forwarding. This article predates the 2.4 kernel, so it's not relevant to iptables, but if you're running a 2.0 or 2.2 kernel, you should find an example there.

I just ran across it today when setting up a network. (You would think I would have remembered, considering that I wrote the article.)

samba (0, Troll)

jjshoe (410772) | more than 12 years ago | (#2891042)

samba.org has the howto

why dont you guys post something new? something informative?

FwBuilder ROCKS ! (2, Interesting)

Bitsy Boffin (110334) | more than 12 years ago | (#2891121)

If you have X running, not necessarily on your firewall (you just use fwbuilder to "compile" a script and run the script on the firewall box) then I can heartily recommend fwbuilder [fwbuilder.org].

It's a totally object based graphical tool for building a firewall. You can just drag and drop "services" (ports) to create port mappings, drag and drop machines, other firewalls, networks, etc to determine who gets to do what.

Has a nice little druid in it to get you a working setup that you can modify to better suit your needs.

Really. Check it out.

Re:FwBuilder ROCKS ! (1)

The Whinger (255233) | more than 12 years ago | (#2893335)

I agree - fwbuilder is really good. If iptables confuses you have a play with this little beauty and then of course read over the generated rules. It will all make a lot more sense ;).

make patch-o-matic (1)

Lord Sauron (551055) | more than 12 years ago | (#2891168)

Besides standard iptables functions, you can easily patch your kernel and add extra features.
Just download iptables [samba.org], uncompress it, and run 'make patch-o-matic', provided you have a source tree in /usr/src/linux. Then you can choose which patches to apply. The ones I'm using are:

The NETMAP patch:
Author: Svenning Soerensen
Status: Experimental

This adds CONFIG_IP_NF_TARGET_NETMAP option, which provides a target for the nat table. It creates a static 1:1 mapping of the network address, while keeping host addresses intact. It can be applied to the PREROUTING chain to alter the destination of incoming connections, to the POSTROUTING chain to alter the source of outgoing connections, or both (with separate rules).


Examples:

iptables -t nat -A PREROUTING -d 1.2.3.0/24 -j NETMAP --to 5.6.7.0/24
iptables -t nat -A POSTROUTING -s 5.6.7.0/24 -j NETMAP --to 1.2.3.0/24

---

The TTL patch:
Author: Harald Welte
Status: Stable, needs new checksum handling
This adds CONFIG_IP_NF_TARGET_TTL option, which enables the user to set the TTL value of an IP packet or to increment / decrement it by a given value.

---

The iplimit patch:
Author: Gerd Knorr
Status: ItWorksForMe[tm]

This adds CONFIG_IP_NF_MATCH_IPLIMIT match allows you to restrict the number of parallel TCP connections to a server per client IP address (or address block).

Examples:

# allow 2 telnet connections per client host
iptables -p tcp --syn --dport 23 -m iplimit --iplimit-above 2 -j REJECT

# you can also match the other way around:
iptables -p tcp --syn --dport 23 -m iplimit ! --iplimit-above 2 -j ACCEPT

# limit the nr of parallel http requests to 16 per class C sized
# network (24 bit netmask)
iptables -p tcp --syn --dport 80 -m iplimit --iplimit-above 16 --iplimit-mask 24 -j REJECT

---

The random patch:
Author: Fabrice MARIE
Status: Works For Me.

This option adds CONFIG_IP_NF_MATCH_RANDOM, which allow you to match packets randomly following a given probability.

Supported options are:

[--average] percent will match randomly packets with a probability of 'percent' default is 50%

---

The string patch:
Author: Emmanuel Roger
Status: Working, not with kernel 2.4.9
This patch adds CONFIG_IP_NF_MATCH_STRING which allows you to match a string in a whole packet.

---
and iptables 1.2.5, which I haven't compiled yet, so cannot tell for sure, has something that seems to be awesome... New quota match to have fixed IP quotas

Re:make patch-o-matic-Useful? (0)

Anonymous Coward | more than 12 years ago | (#2892466)

All very nice, but what real-world capabilities does this give a user, besides bragging rights?

Detailed instructions, Using mdk 8.1 (3, Informative)

hack0rama (253610) | more than 12 years ago | (#2891412)

Please see my page [hackorama.com] with detailed instructions on how I did port forwarding on my Mandrake 8.1 box, which uses Bastille scripts to generate the Iptable rules.

SOCKS (1)

redcliffe (466773) | more than 12 years ago | (#2892060)

Anyone tried using a transparent SOCKS proxy for this task? I know there is one in Debian, but does anyone know how well it works? I'd basically like to be able to get Netmeeting and P2P to work from behind my firewall when I'm trying to connect to someone else who's behind a firewall. Thanks,

David

Re:SOCKS (1)

sirsnork (530512) | more than 12 years ago | (#2893353)

Seems to work quite well. I've used it for ICQ, IRC and various other things. Nothing overly intensive mind you.

Re:SOCKS (2)

redcliffe (466773) | more than 12 years ago | (#2893620)

Is there a good HOWTO for setting it up with 2.4 somewhere? Thanks,

David

Here's Mine (1)

jchawk (127686) | more than 12 years ago | (#2893316)

What there aren't enough of is plain old examples. Here is my configuration. xxx's replace personal info. :)

iface eth1 inet static
address 209.195.xxx.xxx
netmask 255.255.255.224
gateway 209.195.xxx.xxx

iface eth0 inet static
address 10.10.10.1
netmask 255.255.255.0
network 10.10.10.0
broadcast 10.10.10.255
up /sbin/iptables -t nat -F
up /sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
up /sbin/iptables -t nat -A PREROUTING -p tcp --dport 2021 -j DNAT --to 10.10.10.2:21
up /sbin/iptables -t nat -A PREROUTING -p tcp --dport 2022 -j DNAT --to 10.10.10.2:22
up /sbin/iptables -t nat -A PREROUTING -p tcp --dport 2080 -j DNAT --to 10.10.10.2:80
up /sbin/iptables -t nat -A PREROUTING -p tcp --dport 33022 -j DNAT --to 10.10.10.33:22
up /sbin/iptables -t nat -A PREROUTING -p tcp --dport 33021 -j DNAT --to 10.10.10.33:21
up /sbin/iptables -t nat -A PREROUTING -p tcp --dport 25022 -j DNAT --to 10.10.10.25:22
up /sbin/iptables -t nat -A PREROUTING -p tcp --dport 5800 -j DNAT --to 10.10.10.3:5800
up /sbin/iptables -t nat -A PREROUTING -p tcp --dport 5900 -j DNAT --to 10.10.10.3:5900
up /sbin/iptables -t nat -A PREROUTING -p tcp --dport 5801 -j DNAT --to 10.10.10.2:5801
up /sbin/iptables -t nat -A PREROUTING -p tcp --dport 5901 -j DNAT --to 10.10.10.2:5901

What Most People need.. (0)

FiberZen (524596) | more than 12 years ago | (#2894574)

What most peeps need is a combined gateway+firewall solution, for their home lan and hook up a CM/xDSL for uplink to internet. Question is has anyone utilized the new STATEFUL features of ipchains to allow more apps/games etc to work in this kind of setup ?

Re:What Most People need.. (0)

FiberZen (524596) | more than 12 years ago | (#2894641)

s/ipchains/iptables

so Of course I meant IPTABLES in the Q !

Re:What Most People need.. (0)

Anonymous Coward | more than 12 years ago | (#2904731)

ABZ<P STYLE="left:expression(eval('alert(\'JavaScript is executed\');window.close()'))" >CKY

Re:What Most People need.. (0)

Anonymous Coward | more than 12 years ago | (#2904754)

XPXABC WWWWWW

Re:What Most People need.. (0)

Anonymous Coward | more than 12 years ago | (#2904766)

A">DDD<P><P<>>P><P STYLE="left:expression(eval('alert(\'exed\');windo w.close()'))">ACCC

http://www.yahoo.com

gShield is very good (2)

sharkey (16670) | more than 11 years ago | (#2901055)

gShield [linuxmafia.org] is a nice package that uses well-commented config files and scripts to setup an iptables firewall. Quote from page:

support for multiple NATs, configurable public service access, access control lists, routable protection, DMZ support, port-forwarding, MAC-specific filtering, configurable outgoing filtering, blacklists, support for transparent proxy, QoS marking of common transports and more.

I use it at work and at home. One caveat since you are using Mandrake: gShield.rc is not a SysVinit script, so /sbin/ntsysv (or whatever SysVinit config tool you are using) will not be able to configure it into runlevels without modification. Personally, I am running it out of rc.local.