Gentoo Wiki


Edge routers (such as firewalls) receive incoming traffic from the Internet and route the packets to the intended LAN node; in the other direction, the firewall/gateway routes outgoing requests from LAN nodes to remote Internet services. Forwarding traffic across that boundary is where things can go wrong: readily available tools let an attacker send packets with a spoofed internal source address, so that the remote machine appears to be a node on your LAN. iptables does not make routing decisions itself, but its FORWARD chain (filter table) and its nat table give you the policy to restrict what the kernel is allowed to forward and to rewrite addresses only where you intend, which is what prevents that kind of abuse of the gateway.

Use case

Forwarding ports 80 and 8080 from the WAN side of the firewall (eth0) to eth1 and on to servers on the LAN, with the replies flowing back the other way. Port 2222 from outside is forwarded to port 22 inside.

Tell the kernel that IP forwarding is allowed. This setting does not survive a reboot; to make it persistent, set net.ipv4.ip_forward = 1 in /etc/sysctl.conf. Do this after the filter rules below are loaded, otherwise the box forwards with an empty FORWARD chain in the meantime.

# echo 1 > /proc/sys/net/ipv4/ip_forward

The FORWARD chain of the filter table decides which packets the kernel may route between interfaces, that is, between the LAN and the WAN; traffic between two nodes on the same LAN segment never passes through it. Its default policy is ACCEPT, so on a gateway set it to DROP and allow only the traffic you list explicitly:

iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -o eth1 -j ACCEPT

The first rule accepts packets arriving on the internal interface (eth1), so LAN nodes may send traffic out through the gateway. The second accepts everything the kernel routes towards the LAN, which is far broader than needed; the resulting file below replaces it with rules for specific target hosts and ports, and that is the form to prefer. Even with forwarding allowed, LAN nodes with private (RFC 1918) addresses still cannot talk to the Internet: their source addresses are not routable, so replies would never find their way back. To fix that, configure the firewall for IP masquerading, which rewrites the source address of outgoing packets to the address of the firewall's external interface (in this case, eth0):

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

The rule uses the nat table (-t nat) and appends to its built-in POSTROUTING chain (-A POSTROUTING) for packets leaving through the external interface (-o eth0). POSTROUTING is traversed after the routing decision, just before the packet leaves, so the source address can be altered there. The -j MASQUERADE target replaces the node's private source address with whatever address eth0 currently has (if the external address is static, SNAT --to-source does the same without the per-packet address lookup); connection tracking then translates the replies back to the originating node.

To make a server on the internal network reachable from outside, use the -j DNAT target in the nat table's PREROUTING chain: it rewrites the destination address and port of an incoming packet before the routing decision, so that a connection request for your public address is delivered to the internal service. For example, to forward incoming HTTP requests to a dedicated Apache HTTP Server system at, run the following command:

iptables -t nat -A PREROUTING -p tcp -d --dport 80 \
   -j DNAT --to-destination

This rule tells the nat table's PREROUTING chain to rewrite incoming HTTP requests to the listed destination IP. DNAT only changes where the packet is going; the rewritten packet still traverses the FORWARD chain and must be accepted there as well, which is why the resulting file below pairs every DNAT rule with a FORWARD rule for the target host and port. Restricting the DNAT rule to -i eth0 keeps it from also matching packets that arrive from the LAN side.
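The steps above (enable forwarding, filter the FORWARD chain, masquerade outgoing traffic, DNAT the published ports) combined into one script. This is an added example and not the wiki's own file; it goes a little beyond the text by setting the FORWARD policy to DROP, dropping WAN packets that claim a LAN source address (the spoofing case from the introduction), letting connection tracking handle replies, and pairing each DNAT rule with its FORWARD accept. The interface names, the LAN prefix and the server addresses are assumptions chosen for illustration; adjust them through the environment.

```shell
#!/bin/sh
# Added example, not the wiki's iptables-commands file.
# Prints the iptables commands for review by default; run with APPLY=1 as root
# to execute them. Interface names and addresses are assumed values.
set -eu

WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}       # assumed LAN prefix
WEB_SERVER=${WEB_SERVER:-192.168.1.10}   # assumed internal HTTP server
SSH_SERVER=${SSH_SERVER:-192.168.1.20}   # assumed internal SSH server

# Published services as "wan_port:lan_host:lan_port" (the page's use case).
FORWARDS="80:$WEB_SERVER:80 8080:$WEB_SERVER:8080 2222:$SSH_SERVER:22"

# Wrapper: echo the command unless APPLY=1, so the ruleset can be reviewed
# (or tested) without root or a live kernel.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

build_ruleset() {
    # Default deny for routed traffic first, then clear the chains we manage,
    # so there is never a moment with policy ACCEPT and no rules.
    ipt -P FORWARD DROP
    ipt -F FORWARD
    ipt -t nat -F PREROUTING
    ipt -t nat -F POSTROUTING

    # Anti-spoofing: a packet arriving on the WAN side must not carry a LAN
    # source address, whatever it is addressed to.
    ipt -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP

    # Replies to anything already permitted, in either direction.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # LAN nodes may open new connections outward; they are masqueraded on exit.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # Published services: DNAT the inbound packet, then accept the rewritten
    # packet in FORWARD. With policy DROP, DNAT alone would go nowhere.
    for spec in $FORWARDS; do
        wan_port=${spec%%:*}
        rest=${spec#*:}
        lan_host=${rest%%:*}
        lan_port=${rest#*:}
        ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$wan_port" \
            -j DNAT --to-destination "$lan_host:$lan_port"
        ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$lan_host" \
            --dport "$lan_port" -m conntrack --ctstate NEW -j ACCEPT
    done
}

# Turn routing on only after the filter rules are in place.
enable_forwarding() {
    if [ "${APPLY:-0}" = 1 ]; then
        sysctl -w net.ipv4.ip_forward=1
    else
        echo "sysctl -w net.ipv4.ip_forward=1"
    fi
}

build_ruleset
enable_forwarding
```

Run it once without APPLY to read the generated commands, then with APPLY=1 to load them. The two ACCEPT rules from the wiki text are intentionally absent: outbound traffic is limited to the LAN prefix and inbound traffic to the listed host/port pairs.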

This is the resulting file in iptables-save format, where is the IP of the firewall as seen from within the WAN (but not from the Internet). The excerpt is partial: the addresses are blank, and neither the FORWARD chain's policy line nor the POSTROUTING MASQUERADE rule from above is shown.

File: iptables-commands
:INPUT ACCEPT [11248:2706276]
:OUTPUT ACCEPT [2342:1389938]
-A FORWARD -i eth0 -p tcp --dport 80 -d -j ACCEPT
-A FORWARD -i eth0 -p tcp --dport 8080 -d -j ACCEPT
-A FORWARD -i eth0 -p tcp --dport 2222 -d -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT

:OUTPUT ACCEPT [164:11973]
:PREROUTING ACCEPT [9472:1517468]
-A PREROUTING -p tcp -d --dport 8080 -j DNAT --to-destination
-A PREROUTING -p tcp -d --dport 80 -j DNAT --to-destination
-A PREROUTING -p tcp -d --dport 2222 -j DNAT --to-destination
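A check worth running before loading a file like the one above with iptables-restore. This is an added example, not part of the wiki page: it reads an iptables-save dump on stdin and reports the three mistakes discussed on this page (FORWARD policy left at ACCEPT, a blanket accept into an interface, and a DNAT target with no matching FORWARD rule). The two sample dumps are constructed, modelled on the file above with assumed addresses.

```shell
#!/bin/sh
# Added example, not from the wiki. Usage: iptables-save | audit_ruleset
# Prints one finding per line; prints nothing for a clean ruleset.
audit_ruleset() {
    awk '
    /^\*/ { table = substr($0, 2); next }            # *filter, *nat, ...
    table == "filter" && /^:FORWARD ACCEPT/ {
        print "FORWARD policy is ACCEPT: every routable packet crosses the firewall"
    }
    table == "filter" && /^-A FORWARD -o [^ ]+ -j ACCEPT$/ {
        print "blanket accept into an interface: " $0
    }
    table == "filter" && /^-A FORWARD/ {
        # Remember every host a FORWARD rule explicitly allows (-d host[/32]).
        for (i = 1; i <= NF; i++)
            if ($i == "-d") { h = $(i + 1); sub(/\/32$/, "", h); allowed[h] = 1 }
    }
    table == "nat" && /-j DNAT/ {
        for (i = 1; i <= NF; i++)
            if ($i == "--to-destination") dnat[$(i + 1)] = $0
    }
    END {
        # A DNAT target without a FORWARD rule naming it is either dropped
        # (policy DROP) or only reachable through a blanket accept.
        for (target in dnat) {
            split(target, hp, ":")
            if (!(hp[1] in allowed))
                print "DNAT target " hp[1] " has no matching FORWARD accept: " dnat[target]
        }
    }'
}

# Constructed sample: the shape of the file above, with assumed addresses,
# policy left at ACCEPT, a blanket -o eth1 accept, and no FORWARD rule for
# the 2222 -> 22 forward.
WEAK_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -p tcp -d 192.168.1.10/32 --dport 80 -j ACCEPT
-A FORWARD -o eth1 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.10:80
-A PREROUTING -i eth0 -p tcp --dport 2222 -j DNAT --to-destination 192.168.1.20:22
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Constructed sample: the same forwards done properly.
HARDENED_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -s 192.168.1.0/24 -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.1.10/32 --dport 80 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.1.20/32 --dport 22 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.10:80
-A PREROUTING -i eth0 -p tcp --dport 2222 -j DNAT --to-destination 192.168.1.20:22
-A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE
COMMIT'

audit_weak()     { printf '%s\n' "$WEAK_DUMP" | audit_ruleset; }
audit_hardened() { printf '%s\n' "$HARDENED_DUMP" | audit_ruleset; }

audit_weak
```

Against the weak dump the audit reports all three problems; against the hardened one it prints nothing. The check is deliberately narrow: it does not evaluate rule order or interface restrictions, it only catches the mistakes this page makes easy to make.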


Based on [1]. Suggested reading: [2]


Last modified: Wed, 09 Jul 2008 01:21:00 +0000