
I have an Ubuntu box with IP forwarding enabled and a very simple iptables configuration to allow all packets from within the LAN to be forwarded:

# enable routing between interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward
# forward anything sourced from the LAN
/sbin/iptables -I FORWARD -s 192.168.4.0/24 -j ACCEPT

This works fine, except the SMB shares on the box no longer work, presumably because the packets that end with the box itself as a destination are also being forwarded.

Is there a simple solution so that any TCP connection requests to the box itself will not be forwarded, only requests to external IP addresses?

1 Answer

The FORWARD chain is only called for traffic that is being forwarded, i.e. where the local machine is not the destination, so your rule has no effect on this kind of traffic. The place to look for the problem is the INPUT chain, which handles traffic aimed at the local machine itself.

Use -S or -L to query the INPUT chain:

iptables -S INPUT

Look for the chain policy (the line starting with -P) and see whether it is a DROP or ACCEPT policy. If it is a DROP policy you may need to change it, or add an explicit rule to allow Samba in. This rule would probably do the work:

iptables -A INPUT -p tcp --dport 445 -j ACCEPT

See this guide for a few examples of how to do it.

Gal Weiss
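As an added example (not part of the question or the answer above), the following script automates the check the answer describes: it reads an `iptables -S INPUT` dump, reports the chain policy, and prints the rules still missing for Samba. It goes a little beyond the answer's single port 445 rule and covers the full set of ports Samba listens on: TCP 139 (NetBIOS session) and 445 (SMB over TCP), plus UDP 137 and 138 (NetBIOS name and datagram service, needed for browsing). The chain dump embedded below is constructed so the script runs offline without root; the LAN range 192.168.4.0/24 is taken from the question, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Parses `iptables -S INPUT`
# output and lists the INPUT rules Samba still needs. On a real host run:
#   samba_missing_rules "$(iptables -S INPUT)" 192.168.4.0/24

# Constructed sample dump: a default-DROP INPUT policy that only admits
# loopback, established traffic and SSH. Nothing for SMB, which matches
# the symptom in the question.
SAMPLE_INPUT_CHAIN='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# Print the INPUT chain policy (ACCEPT or DROP) from the -S dump in $1.
input_policy() {
    printf '%s\n' "$1" | awk '$1 == "-P" && $2 == "INPUT" { print $3 }'
}

# Return 0 if some "-A INPUT ... -j ACCEPT" rule in dump $1 covers
# protocol $2 and destination port $3, else 1. Understands both
# "--dport 445" and "-m multiport --dports 139,445".
port_allowed() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
        $1 == "-A" && $2 == "INPUT" && /-j ACCEPT/ {
            has_proto = 0; has_port = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "-p" && $(i+1) == proto) has_proto = 1
                if ($i == "--dport" && $(i+1) == port) has_port = 1
                if ($i == "--dports") {
                    n = split($(i+1), ports, ",")
                    for (j = 1; j <= n; j++) if (ports[j] == port) has_port = 1
                }
            }
            if (has_proto && has_port) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Print the iptables commands still needed to let Samba clients on LAN $2
# (default 192.168.4.0/24, from the question) reach this host, given the
# INPUT dump $1. Prints nothing when the policy is ACCEPT (assumes no
# catch-all DROP/REJECT rule in that case) or every port already has a rule.
samba_missing_rules() {
    chain="$1"; lan="${2:-192.168.4.0/24}"
    [ "$(input_policy "$chain")" = "ACCEPT" ] && return 0
    for spec in tcp:139 tcp:445 udp:137 udp:138; do
        proto="${spec%:*}"; port="${spec#*:}"
        if ! port_allowed "$chain" "$proto" "$port"; then
            printf 'iptables -A INPUT -s %s -p %s --dport %s -j ACCEPT\n' \
                "$lan" "$proto" "$port"
        fi
    done
}

samba_missing_rules "$SAMPLE_INPUT_CHAIN" 192.168.4.0/24
```

Two caveats when applying the printed rules: `-A` appends, so if the chain already ends in an explicit `-j REJECT` or `-j DROP` rule (common in hand-written rulesets), the new rule lands after it and is never reached; use `-I INPUT` in that case. And restricting the rules with `-s` to the LAN keeps SMB from being reachable from the forwarding box's other interfaces, which is the least-privilege version of the answer's port 445 rule.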