LinuxQuestions.org, Linux - Networking forum: iptables port forwarding (http://www.linuxquestions.org/questions/linux-networking-3/iptables-port-forwarding-599401/)

_kure_ 11-13-2007 03:18 PM

iptables port forwarding
 
Hello,

I'm trying to create this setup:

PC1 -> 8080:server -> 22:remotePC

Basically, forward incoming connection at port 8080 to a remote address port 22.

I have been halfway successful.

Code:

iptables -t nat -I PREROUTING -p tcp -i eth0 -d *server* --dport 8080 -j DNAT --to-destination *server*:22
Works, I can get ssh at port 8080 with 'ssh -p 8080 *server*'. However,

Code:

iptables -t nat -I PREROUTING -p tcp -i eth0 -d *server* --dport 8080 -j DNAT --to-destination *remotePC*:22
doesn't seem to be routing. I believe the problem is that the server doesn't route to the remote address for some strange reason.

iptables shouldn't be issue here, as everything necessary is allowed (I hope).
Code:

iptables --list
Chain INPUT (policy ACCEPT)
target    prot opt source              destination

Chain FORWARD (policy ACCEPT)
target    prot opt source              destination

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination

Chain fail2ban-apache (0 references)
target    prot opt source              destination

Chain fail2ban-couriersmtp (0 references)
target    prot opt source              destination

Chain fail2ban-postfix (0 references)
target    prot opt source              destination

Chain fail2ban-ssh (0 references)
target    prot opt source              destination

I also tried both of these
Code:

iptables -A INPUT -p tcp -m state --state NEW --dport 8080 -i eth0 -j ACCEPT

iptables -A FORWARD -p tcp -m state --state NEW -d *server* --dport 8080 -j ACCEPT

and none of them worked. Nmap says the port is filtered, but it shouldn't be an issue if I can connect to it when it forwards to local (server) port.

I hope you will help me.

ehawk 11-14-2007 04:12 PM

Do these links help?

http://www.linuxguruz.com/iptables/h...outing-15.html

http://scottr.org/files/presentation...networking.pdf

http://iptables-tutorial.frozentux.n...-tutorial.html

http://www.openpages.info/iptables/

http://www.linuxhomenetworking.com/w...Using_iptables

http://linux-ip.net/html/adv-multi-internet.html

pingu_penguin 11-15-2007 09:12 AM

Did you enable packet forwarding?

echo '1' > /proc/sys/net/ipv4/ip_forward

_kure_ 11-15-2007 11:22 AM

Quote:

Originally Posted by pingu_penguin (Post 2959822)
Did you enable packet forwarding?

echo '1' > /proc/sys/net/ipv4/ip_forward

I did. But I already found the problem.

This guide (http://www.openpages.info/iptables/) mentions something other ones didn't.
Code:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Unfortunately, I don't have this module compiled. My server is a virtual server, I deleted the kernel sources long ago, and it's probably a specifically patched version of the 2.6.18 kernel, so now it's a question of getting the sources from the company admin, which is easy as I know what I need.


Thanks everybody for helping.

jeenam 11-15-2007 12:35 PM

You can SNAT instead of MASQUERADE. MASQUERADE uses more CPU time as well.

iptables -t nat -A POSTROUTING -o eth0 -p tcp -d *server* --dport 22 -j SNAT --to-source <eth0_ip>

Also, this is a bad idea (SNAT or MASQUERADE in this case) since all connections going to the *server* from any host will appear to come from the forwarding machine. If your box gets compromised via ssh the log will show that all ssh connections appeared to come from the box running iptables that forwards packets from 8080 to *server*:22.

_kure_ 11-15-2007 03:53 PM

Nice, these three worked like a charm.

Code:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp -s *route_only_for_this_ip* -d *router_ip* --dport 80 -j DNAT --to *destination_ip*:*destination_port*
iptables -t nat -A POSTROUTING -o eth0 -d *destination_ip* -j SNAT --to-source *router_ip*

I don't mind if the computer I connect to via ssh gets compromised; it's a school account I use to store documents, and there is nothing to gain (except for me, because I cannot connect to that account from one specific location because of the f****** firewall). Now everything is OK, thanks everybody!
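The two failure modes this thread runs into (a DNAT with no matching source NAT in POSTROUTING, so replies bypass the forwarder, and jeenam's point that once SNAT is in place the target host only ever sees the forwarder's address) can be checked mechanically from the nat table. The script below is an added example, not code from the thread or from LinuxQuestions: it parses the rule-spec output of `iptables -t nat -S`, pairs each DNAT with a covering SNAT/MASQUERADE rule, flags DNATs that are open to any source, and checks the ip_forward sysctl. The two sample dumps are constructed (RFC 5737 documentation addresses, not hosts from the thread); `--live` runs the same audit on the local box.

```python
"""Audit a nat-table dump for the DNAT/SNAT pairing this thread converges on.

Added example (not code from the thread).  Input is the rule-spec output of
`iptables -t nat -S`; the dumps below are constructed samples.
"""
import shlex
import subprocess
import sys
from dataclasses import dataclass


@dataclass
class NatRule:
    chain: str
    target: str   # value of -j: DNAT, SNAT, MASQUERADE, ...
    opts: dict    # flag -> value, or True for flags that take no value
    raw: str


def parse_nat_rules(dump: str) -> list:
    """Turn `-A CHAIN ...` lines into NatRule objects; -P/-N lines are skipped."""
    rules = []
    for line in dump.splitlines():
        toks = shlex.split(line)
        if len(toks) < 2 or toks[0] != "-A":
            continue
        opts = {}
        i = 2
        while i < len(toks):
            tok = toks[i]
            if not tok.startswith("-"):      # e.g. a lone "!" negation marker
                i += 1
                continue
            nxt = toks[i + 1] if i + 1 < len(toks) else None
            if nxt is not None and nxt != "!" and not nxt.startswith("-"):
                opts[tok] = nxt
                i += 2
            else:
                opts[tok] = True
                i += 1
        rules.append(NatRule(toks[1], opts.get("-j", ""), opts, line))
    return rules


def _host(addr: str) -> str:
    """'192.0.2.22/32' or '192.0.2.22:22' -> '192.0.2.22'."""
    return addr.split("/")[0].split(":")[0]


def audit(dump: str, ip_forward: str = "1") -> list:
    """Return findings as 'LEVEL: message' strings."""
    rules = parse_nat_rules(dump)
    findings = []
    if ip_forward.strip() != "1":
        findings.append("ERROR: net.ipv4.ip_forward is 0; the kernel drops forwarded packets "
                        "(echo 1 > /proc/sys/net/ipv4/ip_forward)")
    src_nat = [r for r in rules
               if r.chain == "POSTROUTING" and r.target in ("SNAT", "MASQUERADE")]
    for r in rules:
        if r.target != "DNAT":
            continue
        dest = _host(str(r.opts.get("--to-destination", "")))
        if "-s" not in r.opts:
            findings.append(f"WARN: DNAT to {dest} matches any source; add -s <client> "
                            "if only one client needs this forward")
        # A POSTROUTING rule covers the target if it has no -d at all
        # (typical MASQUERADE) or its -d is the DNAT target.
        covering = [s for s in src_nat
                    if "-d" not in s.opts or _host(str(s.opts["-d"])) == dest]
        if not covering:
            findings.append(f"ERROR: DNAT to {dest} has no POSTROUTING SNAT/MASQUERADE covering it; "
                            f"replies from {dest} are routed back to the client without passing "
                            "the forwarder, are never un-NATed, and the connection hangs")
        else:
            findings.append(f"INFO: DNAT to {dest} is rewritten by {covering[0].target}; {dest} only "
                            "ever sees the forwarder's address, so log the real client on the "
                            "forwarder (the filter FORWARD chain still sees the original source)")
    return findings


# Constructed sample dumps: forwarder 203.0.113.10, allowed client 198.51.100.7,
# ssh target 192.0.2.22 (documentation addresses, not hosts from the thread).
SAMPLE_WORKING = """\
-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
-A PREROUTING -s 198.51.100.7/32 -d 203.0.113.10/32 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.0.2.22:22
-A POSTROUTING -d 192.0.2.22/32 -o eth0 -j SNAT --to-source 203.0.113.10
"""

SAMPLE_BROKEN = """\
-P PREROUTING ACCEPT
-A PREROUTING -d 203.0.113.10/32 -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.0.2.22:22
"""


def main(argv: list) -> int:
    if "--live" in argv:   # audit the running box (iptables needs root)
        dump = subprocess.run(["iptables", "-t", "nat", "-S"], check=True,
                              capture_output=True, text=True).stdout
        with open("/proc/sys/net/ipv4/ip_forward") as fh:
            fwd = fh.read()
        findings = audit(dump, fwd)
    else:
        findings = audit(SAMPLE_WORKING) + audit(SAMPLE_BROKEN)
    for f in findings:
        print(f)
    return 1 if any(f.startswith("ERROR") for f in findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with no arguments to see the working and broken samples audited side by side, or with `--live` as root to audit the forwarder itself. The coverage rule is deliberately loose: a POSTROUTING rule with no `-d` (the usual `MASQUERADE -o eth0`) is taken to cover every DNAT target, which matches how the kernel applies it.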

cheers 05-23-2011 12:38 AM

Quote:

Originally Posted by _kure_ (Post 2960261)
Nice, these three worked like a charm.

Code:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp -s *route_only_for_this_ip* -d *router_ip* --dport 80 -j DNAT --to *destination_ip*:*destination_port*
iptables -t nat -A POSTROUTING -o eth0 -d *destination_ip* -j SNAT --to-source *router_ip*

I don't mind if the computer I connect to via ssh gets compromised; it's a school account I use to store documents, and there is nothing to gain (except for me, because I cannot connect to that account from one specific location because of the f****** firewall). Now everything is OK, thanks everybody!


The above commands do not work for me. Is there anything to do after these commands?
In my case: PCI --> 30279:server --> 22:remote PC (I will do ssh with port 30279 from PCI to the server IP, and that should connect to the remote IP).
I tried these commands:
Code:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp -s *PCI_ip* -d *server_ip* --dport 30279 -j DNAT --to *remote_ip*:22
iptables -t nat -A POSTROUTING -o eth0 -d *remote_ip* -j SNAT --to-source *PCI_IP*

Please.

sunrised24 01-16-2012 04:19 AM

Hi

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp -s *route_only_for_this_ip* -d *router_ip* --dport 80 -j DNAT --to *destination_ip*:*destination_port*
iptables -t nat -A POSTROUTING -o eth0 -d *destination_ip* -j SNAT --to-source *router_ip*


I followed your commands; it never worked for me.
