Friday, January 28, 2011

Port forwarding with iptables and dhcpd

The setup: I have a Linux (Gentoo, if that makes a difference) box that serves as a gateway for the whole apartment. This box does its NAT-magic with iptables and dhcpd.

The problem: I have a certain computer that I want to have a port forwarded to (for torrents, if, again, there's a difference).

I have just enough Linux administration skills to read howtos and get stuff configured properly (eventually), but the howtos I found for my case were too unclear and seemed to be unnecessarily complex.

From what I've gathered, my problem is twofold: getting dhcpd to reliably assign a certain static IP to the computer I want, and then getting iptables configured for the port forwarding.

Could someone give me a definite, step-by-step guide on how to do this? I'm sure I'm not the only one wanting to do this...


Edit: My versions of the software are:

# iptables --version
iptables v1.4.0

# dhcpd --version
isc-dhcpd-V3.1.1-Gentoo
  • iptables -t nat -I PREROUTING -s ! {internal-network} -d {public-address} -p tcp --dport {port-on-public-address} -j DNAT --to-dest {internal-address}

    where:

    • internal-network is the IP address that represents your network, i.e. 192.168.1.0
    • internal-address is the IP address that represents the host you want to expose, i.e. 192.168.1.2
    • public-address is the IP address of the interface that is facing your ISP
    • port-on-public-address is the port number that traffic would arrive at if your internal computer could see it; note that this rule does not change the port number as it forwards, it simply passes the packet along

    Note the space between the -s, the exclamation mark, and {internal-network}: be sure to have a space on both sides.

  • To get dhcp to reliably assign a certain static IP to the computer you want, the usual thing to do is to look into how to tell your dhcp server (whichever one you're running) to statically map a mac address to an IP address. This will make it always hand out the same IP (that you specify) to that mac address.

    ISC dhcp needs a config stanza like

    host mycomputer {
      hardware ethernet 00:12:34:56:78:9A;
      fixed-address 192.168.1.10;
    }
    

    dnsmasq needs a line like:

    dhcp-host=00:12:34:56:78:9A,192.168.1.10
    

    whose details are specified in the manpage.

    where:

    • mycomputer is your computer's hostname
    • 00:12:34:56:78:9A is your computer's mac address
    • 192.168.1.10 is the IP you want to be always assigned to that mac address

    Once that's done, you now have a 'static' IP to do your port forwarding to. To do this you want, as @Avery Payne says, to do:

    iptables -t nat -I PREROUTING -s ! {internal-network} -d {public-address} -p tcp --dport {port-on-public-address} -j DNAT --to-dest {internal-address}
    

    where:

    • internal-network is the IP address that represents your network, i.e. 192.168.1.0
    • internal-address is the IP address that represents the host you want to expose, i.e. 192.168.1.10
    • public-address is the IP address of the interface that is facing your ISP
    • port-on-public-address is the port number that traffic would arrive at if your internal computer could see it; note that this rule does not change the port number as it forwards, it simply passes the packet along

    Note the space between the -s, the exclamation mark, and {internal-network}: be sure to have a space on both sides.

    Henrik Paul : I added software/version information to the question
    Avery Payne : The feature is present in all versions of IPTables. The ISC DHCP service should also support the features you need as well. As far as software revisions go, you're fine.
    From pjz
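The two answers above describe the same setup from two ends: a fixed DHCP lease for the internal host, and a DNAT rule on the gateway that sends traffic for one public port to that host. The script below is an added example, not code from either answer or from the iptables/dhcpd projects. It validates the addresses before they reach a root shell, prints the dhcpd host stanza and the iptables commands, and adds the FORWARD rule the answers leave implicit: a DNAT in the nat table only rewrites the destination address, so if the FORWARD chain's policy is DROP the rewritten packet is still dropped. All addresses, the MAC and the port are constructed sample values. The rule uses the `! -s` negation form, which old and current iptables both accept, where the answers use the older `-s !` spelling.

```shell
#!/bin/sh
# Added example: generate and sanity-check the dhcpd host stanza and the
# iptables rules for forwarding one TCP port to one internal host.
# Every value below is a constructed sample, not taken from the question.

INTERNAL_NET="192.168.1.0/24"   # the network behind the gateway
INTERNAL_ADDR="192.168.1.10"    # host that should receive the forwarded port
PUBLIC_ADDR="203.0.113.5"       # ISP-facing address (documentation range)
PORT="6881"                     # TCP port; the DNAT keeps it unchanged
MAC="00:12:34:56:78:9A"         # MAC address of the internal host
HOST_NAME="mycomputer"          # name used in the dhcpd host stanza

# Accept only six colon-separated hex pairs.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Accept only a dotted quad whose octets are all in 0..255.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Accept only "<ipv4>/<0..32>".
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    valid_ipv4 "${1%/*}" || return 1
    printf '%s\n' "${1#*/}" | grep -Eq '^[0-9]{1,2}$' || return 1
    [ "${1#*/}" -le 32 ]
}

# The dhcpd.conf stanza that pins the host to one address: name, MAC, IP.
dhcp_host_stanza() {
    printf 'host %s {\n  hardware ethernet %s;\n  fixed-address %s;\n}\n' "$1" "$2" "$3"
}

# The nat-table rule from the answers: internal-net, public-addr, port, internal-addr.
dnat_rule() {
    printf 'iptables -t nat -I PREROUTING ! -s %s -d %s -p tcp --dport %s -j DNAT --to-destination %s\n' \
        "$1" "$2" "$3" "$4"
}

# DNAT only rewrites the destination; the FORWARD chain must still let the
# packet through to the internal host: internal-addr, port.
forward_rule() {
    printf 'iptables -I FORWARD -d %s -p tcp --dport %s -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT\n' \
        "$1" "$2"
}

# The kernel must route between interfaces at all for any of this to work.
forwarding_enabled() {
    [ -r /proc/sys/net/ipv4/ip_forward ] && [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "1" ]
}

# Validate every value before it is ever interpolated into a command line.
check_inputs() {
    valid_mac "$MAC" && valid_ipv4 "$INTERNAL_ADDR" && valid_ipv4 "$PUBLIC_ADDR" \
        && valid_cidr "$INTERNAL_NET" && [ "$PORT" -ge 1 ] && [ "$PORT" -le 65535 ]
}

case "${1:-}" in
    print)  # show the stanza and rules without touching the system
        check_inputs || { echo "invalid input" >&2; exit 1; }
        dhcp_host_stanza "$HOST_NAME" "$MAC" "$INTERNAL_ADDR"
        dnat_rule "$INTERNAL_NET" "$PUBLIC_ADDR" "$PORT" "$INTERNAL_ADDR"
        forward_rule "$INTERNAL_ADDR" "$PORT" ;;
    apply)  # run the iptables commands as root; dhcpd.conf is still edited by hand
        check_inputs || { echo "invalid input" >&2; exit 1; }
        forwarding_enabled || echo "warning: net.ipv4.ip_forward is not 1" >&2
        eval "$(dnat_rule "$INTERNAL_NET" "$PUBLIC_ADDR" "$PORT" "$INTERNAL_ADDR")"
        eval "$(forward_rule "$INTERNAL_ADDR" "$PORT")" ;;
esac
```

Run it as `sh forward.sh print` to see the dhcpd stanza and the two rules, then `sh forward.sh apply` as root on the gateway; the stanza goes into dhcpd.conf by hand, followed by a dhcpd restart. The input checks matter because the values are eventually handed to a root shell via `eval`, and the `forwarding_enabled` check catches the most common reason a correct-looking DNAT rule "does nothing".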
