[TriLUG] port forwarding

jeffj at ro.com jeffj at ro.com
Fri Jun 14 17:12:19 EDT 2002


Chris Merrill wrote:
> I am going to transition my current firewall/web/mail/ftp/server
> to a new hardware box.  The old P-120 just doesn't have enough
> juice anymore.
> 
> Since I only have a few hours to dedicate here and there...I was
> wondering if I can set the new box up behind my existing firewall
> and replace the services one at a time.  For instance, once I have
> Apache configured on the new box, forward port 80 on the firewall
> to port 80 on the new box.  Eventually, when all the services are
> configured and operating, then I disconnect the old firewall from
> the cable modem and connect the new one...for a painless transition.
> 
> Questions:
> 1. Is there a better way to approach the problem?

Not sure.

> 2. Is "port forwarding" the right term for this?  After doing
>    a quick google and finding the IPChains HOWTO and several
>    other docs, I got a little confused about the terminology.

It can be done. To do it, make a script like the one below (careful with 
the long lines):

-----
#!/bin/sh
# make chains for the server
/sbin/iptables -N serverForward
/sbin/iptables -t nat -N serverPrerout

# setup HTTP external access
/sbin/iptables -t nat -A serverPrerout -d <extIP> -p tcp \
	--dport 80 -j DNAT --to <intIP>
/sbin/iptables -A serverForward -p tcp --dport 80 -d <intIP> \
	-j ACCEPT

# add the server's chains
/sbin/iptables -t nat -A PREROUTING -j serverPrerout
/sbin/iptables -I FORWARD -j serverForward
-----

<extIP> is the externally visible IP, and <intIP> is the internal IP. It 
does assume you are using NAT for a LAN, but it should be possible to 
modify it to avoid that, but you'll still be using D(estination)NAT.

Call this script after you have configured your firewall. Admittedly, it 
may need some work before it works for you, but I think it'll help.

> 3. Is IPChains the tool for this?  If not, what is?
>    The existing firewall is running RH7.  The new firewall
>    is running our shiny new copy of RH7.3

IPchains has been replaced with iptables for 2.4.x kernels, including 
RH7.2+.

--------------
Jeff Jackowski
http://ro.com/~jeffj/
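The DNAT-plus-FORWARD arrangement Jeff's script shows, generalised to several ports, as an added example that is not part of the original post or of the TriLUG archive. It assumes the same NAT firewall layout with the kernel connection-tracking modules loaded, uses the constructed addresses 203.0.113.10 (external) and 192.168.1.10 (new box), validates the addresses and ports before touching the tables, and adds one rule the posted script omits: an ESTABLISHED,RELATED accept in the forward chain so the new box's replies get back out when the FORWARD policy is DROP. The IPT variable is an assumption for dry runs; set IPT=echo to print the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not from the original post: build the serverPrerout (DNAT)
# and serverForward (ACCEPT) chains for a list of TCP ports.
# IPT is assumed for this example; it defaults to the real binary and can be
# set to "echo" to preview the rules without root or a live firewall.
IPT="${IPT:-/sbin/iptables}"

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if $1 is a TCP port number in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Emit the two rules for one service: forward_port EXT_IP INT_IP PORT
forward_port() {
    ext="$1"; int="$2"; port="$3"
    valid_ipv4 "$ext"  || { echo "bad external IP: $ext" >&2; return 1; }
    valid_ipv4 "$int"  || { echo "bad internal IP: $int" >&2; return 1; }
    valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
    # Rewrite the destination of traffic arriving for EXT_IP:PORT to INT_IP
    $IPT -t nat -A serverPrerout -d "$ext" -p tcp --dport "$port" \
        -j DNAT --to-destination "$int"
    # Let the rewritten packets through the forward chain
    $IPT -A serverForward -p tcp -d "$int" --dport "$port" -j ACCEPT
}

# Create the chains, forward each port, then hook the chains into the
# built-in PREROUTING and FORWARD chains: setup_forwarding EXT_IP INT_IP PORT...
setup_forwarding() {
    ext="$1"; int="$2"; shift 2
    $IPT -N serverForward
    $IPT -t nat -N serverPrerout
    # Replies from the new box back to its clients (needs conntrack loaded)
    $IPT -A serverForward -m state --state ESTABLISHED,RELATED -j ACCEPT
    for p in "$@"; do
        forward_port "$ext" "$int" "$p" || return 1
    done
    $IPT -t nat -A PREROUTING -j serverPrerout
    $IPT -I FORWARD -j serverForward
}

# Number of rule lines a dry run would produce (a quick self-check).
dry_run_count() {
    ( IPT=echo; setup_forwarding "$@" ) | wc -l | tr -d ' '
}

# Constructed addresses for illustration; preview with IPT=echo first.
# IPT=echo sh thisscript.sh
setup_forwarding 203.0.113.10 192.168.1.10 80 25
```

Run it with IPT=echo first and read the printed rules; only then run it as root after the base firewall rules are in place, as Jeff says, since `-I FORWARD` puts the new chain ahead of whatever the firewall already does.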
