LinuxQuestions.org
Old 11-13-2007, 03:18 PM   #1
_kure_
iptables port forwarding


Hello,

I'm trying to create this setup:

PC1 -> 8080:server -> 22:remotePC

Basically, forward an incoming connection on port 8080 to port 22 on a remote address.

I have been half way successful.

Code:
iptables -t nat -I PREROUTING -p tcp -i eth0 -d *server* --dport 8080 -j DNAT --to-destination *server*:22
Works, I can get ssh at port 8080 with 'ssh -p 8080 *server*'. However,

Code:
iptables -t nat -I PREROUTING -p tcp -i eth0 -d *server* --dport 8080 -j DNAT --to-destination *remotePC*:22
doesn't seem to be routing. I believe the problem is that the server doesn't route to the remote address for some strange reason.

iptables shouldn't be an issue here, as everything necessary is allowed (I hope).
Code:
iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-apache (0 references)
target     prot opt source               destination

Chain fail2ban-couriersmtp (0 references)
target     prot opt source               destination

Chain fail2ban-postfix (0 references)
target     prot opt source               destination

Chain fail2ban-ssh (0 references)
target     prot opt source               destination
I also tried both of these
Code:
iptables -A INPUT -p tcp -m state --state NEW --dport 8080 -i eth0 -j ACCEPT

iptables -A FORWARD -p tcp -m state --state NEW -d *server* --dport 8080 -j ACCEPT
and neither of them worked. Nmap says the port is filtered, but it shouldn't be an issue if I can connect to it when it forwards to the local (server) port.

I hope you will help me.
 
Old 11-15-2007, 09:12 AM   #3
pingu_penguin
Did you enable packet forwarding?

echo '1' > /proc/sys/net/ipv4/ip_forward
 
Old 11-15-2007, 11:22 AM   #4
_kure_
Quote:
Originally Posted by pingu_penguin
Did you enable packet forwarding?

echo '1' > /proc/sys/net/ipv4/ip_forward
I did. But I already found the problem.

This guide (http://www.openpages.info/iptables/) mentions something other ones didn't.
Code:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Unfortunately, I don't have this module compiled. My server is a virtual server, I deleted the kernel sources long ago, and it's probably a specifically patched version of the 2.6.18 kernel, so now it's a question of getting the sources from the company admin, which is easy as I know what I need.


Thanks everybody for helping.
 
Old 11-15-2007, 12:35 PM   #5
jeenam
You can SNAT instead of MASQUERADE. MASQUERADE uses more CPU time as well.

iptables -t nat -A POSTROUTING -o eth0 -p tcp -d *server* --destination-port 22 -j SNAT --to-source <eth0_ip>

Also, this is a bad idea (SNAT or MASQUERADE in this case) since all connections going to the *server* from any host will appear to come from the forwarding machine. If your box gets compromised via ssh, the log will show that all ssh connections appeared to come from the box running iptables that forwards packets from 8080 to *server*:22.

Last edited by jeenam; 11-15-2007 at 05:23 PM. Reason: fixed typo
 
Old 11-15-2007, 03:53 PM   #6
_kure_
Nice, these three worked like a charm.

Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp -s *route_only_for_this_ip* -d *router_ip* --dport 80 -j DNAT --to *destination_ip*:*destination_port*
iptables -t nat -A POSTROUTING -o eth0 -d *destination_ip* -j SNAT --to-source *router_ip*
I don't mind the computer I connect to via ssh getting compromised; it's a school account I use to store documents, there is nothing to gain (except for me, because I cannot connect to that account from one specific location because of a f****** firewall). Now everything is OK, thanks everybody!
 
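The rule set post #6 settled on, with jeenam's caveat from post #5 folded in, as an added example that is not code from the thread: the SNAT applies only to connections that this box DNATed (conntrack state DNAT) rather than to everything leaving eth0, so the remote host keeps seeing the real source of all other traffic, and the FORWARD chain admits only the forwarded flow instead of relying on its ACCEPT policy. The interface name eth0 (overridable with WAN_IF), the address validation, and every address and port are assumptions of this example. With DRY_RUN=1 it prints the commands instead of running them, which lets you read the generated rules without root.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the DNAT + SNAT port forward
# discussed above, with the SNAT and FORWARD rules scoped to that one flow.
# Assumptions: the forwarder's outside interface is eth0 (override with WAN_IF),
# all addresses are placeholders, and iptables/sysctl are on PATH.
# Usage: ./forward.sh <client_ip|0.0.0.0/0> <router_ip> <listen_port> <remote_ip> <remote_port>
# With DRY_RUN=1 the commands are printed instead of executed.

DRY_RUN="${DRY_RUN:-0}"
WAN_IF="${WAN_IF:-eth0}"

# Run a command, or echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Dotted quad with optional /prefix, so a placeholder such as *server*
# never reaches iptables.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# TCP port in 1..65535.
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

build_forward() {
    client="$1"; router="$2"; lport="$3"; remote="$4"; rport="$5"
    for a in "$client" "$router" "$remote"; do
        is_ipv4 "$a" || { echo "build_forward: bad address '$a'" >&2; return 1; }
    done
    for p in "$lport" "$rport"; do
        is_port "$p" || { echo "build_forward: bad port '$p'" >&2; return 1; }
    done

    # 1. Without forwarding the DNATed packet is dropped after PREROUTING
    #    (the step pingu_penguin asked about).
    run sysctl -w net.ipv4.ip_forward=1

    # 2. Rewrite the destination of connections from $client to $router:$lport.
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp -s "$client" -d "$router" \
        --dport "$lport" -j DNAT --to-destination "$remote:$rport"

    # 3. Replies from $remote must return through this box, so rewrite the
    #    source, but only for connections this box DNATed (--ctstate DNAT).
    #    Everything else leaving $WAN_IF keeps its real source address, which
    #    confines the log-attribution problem jeenam describes to this flow.
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -p tcp -d "$remote" --dport "$rport" \
        -m conntrack --ctstate DNAT -j SNAT --to-source "$router"

    # 4. Admit only the forwarded flow and its return traffic through FORWARD,
    #    instead of depending on the chain's ACCEPT policy.
    run iptables -A FORWARD -p tcp -d "$remote" --dport "$rport" \
        -m conntrack --ctstate DNAT -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Only act when invoked with the five arguments; sourcing the file just
# defines the functions.
if [ $# -eq 5 ]; then
    build_forward "$@"
fi
```

Run it as `DRY_RUN=1 ./forward.sh 0.0.0.0/0 203.0.113.10 8080 192.0.2.22 22` first and read the five commands; once they look right, run it again without DRY_RUN as root. If the remote host's only return path is through the forwarder anyway (the forwarder is its default gateway), step 3 can be dropped and sshd on the remote host will log the client's real address, which is the alternative jeenam's caveat points at.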
Old 05-23-2011, 12:38 AM   #7
cheers
Quote:
Originally Posted by _kure_
Nice, these three worked like a charm.

Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp -s *route_only_for_this_ip* -d *router_ip* --dport 80 -j DNAT --to *destination_ip*:*destination_port*
iptables -t nat -A POSTROUTING -o eth0 -d *destination_ip* -j SNAT --to-source *router_ip*
I don't mind the computer I connect to via ssh getting compromised; it's a school account I use to store documents, there is nothing to gain (except for me, because I cannot connect to that account from one specific location because of a f****** firewall). Now everything is OK, thanks everybody!

The above commands don't work for me. Is there anything to do after these commands?
In my case PCI --> 30279:server --> 22:remote PC (I will do ssh with port 30279 from PCI to the server IP, and that should connect to the remote IP).
I tried these commands:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp -s *PCI_ip* -d *server_ip* --dport 30279 -j DNAT --to *remote_ip*:22
iptables -t nat -A POSTROUTING -o eth0 -d *remote_ip* -j SNAT --to-source *PCI_IP*


Please.
 
Old 01-16-2012, 04:19 AM   #8
sunrised24
Hi

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp -s *route_only_for_this_ip* -d *router_ip* --dport 80 -j DNAT --to *destination_ip*:*destination_port*
iptables -t nat -A POSTROUTING -o eth0 -d *destination_ip* -j SNAT --to-source *router_ip*


I followed it, but it never worked for me.
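Posts #7 and #8 report that the recipe "never worked" without saying what differed from post #6. Below is an added checklist, not code from the thread, that takes the value of ip_forward, the addresses the forwarding box owns, and an `iptables-save -t nat` dump, and reports the usual causes: forwarding off, no DNAT rule, no SNAT or MASQUERADE, or a `--to-source` that is not an address of the forwarding box. The last check is what post #7's rules trip over: `--to-source *PCI_IP*` names the client, so the remote host's replies are addressed to the client directly instead of coming back through the forwarder. Both dumps and all addresses are constructed for the example; the address values and the eth0 interface name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: sanity checks for a DNAT/SNAT
# port forward, run against an iptables-save dump. Assumptions: the dump is
# the output of `iptables-save -t nat`, the caller supplies the box's own
# addresses (e.g. from `ip -4 -o addr`), and all addresses are placeholders.

# audit_forward IP_FORWARD_VALUE "LOCAL ADDRS" RULES_TEXT
# Prints one line per problem found and returns non-zero if there are any.
audit_forward() {
    fwd="$1"; locals="$2"; rules="$3"; rc=0

    # 1. Forwarding must be on, or DNATed packets die after PREROUTING.
    if [ "$fwd" != "1" ]; then
        echo "ip_forward is '$fwd', must be 1"; rc=1
    fi

    # 2. There has to be a DNAT rule in nat/PREROUTING at all.
    if ! printf '%s\n' "$rules" | grep -Eq -e '^-A PREROUTING .*-j DNAT '; then
        echo "no DNAT rule in nat/PREROUTING"; rc=1
    fi

    # 3. Replies must come back through this box: SNAT or MASQUERADE in POSTROUTING
    #    (unless the remote host already routes back via this box, which the
    #    dump alone cannot tell).
    if ! printf '%s\n' "$rules" | grep -Eq -e '^-A POSTROUTING .*-j (SNAT|MASQUERADE)'; then
        echo "no SNAT/MASQUERADE in nat/POSTROUTING: remote replies may bypass this box"; rc=1
    fi

    # 4. Every SNAT --to-source must be an address this box owns. Naming the
    #    client's address here sends the remote's replies to the client directly.
    for src in $(printf '%s\n' "$rules" | sed -n 's/.*-j SNAT --to-source \([0-9.]*\).*/\1/p'); do
        case " $locals " in
            *" $src "*) ;;
            *) echo "SNAT --to-source $src is not an address of this box"; rc=1 ;;
        esac
    done

    return "$rc"
}

# Constructed dumps for the example (placeholders: client 198.51.100.7,
# forwarding box 203.0.113.10, remote host 192.0.2.22).
# Shape of post #7: SNAT to the client's address.
BROKEN_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -s 198.51.100.7/32 -d 203.0.113.10/32 -p tcp -m tcp --dport 30279 -j DNAT --to-destination 192.0.2.22:22
-A POSTROUTING -d 192.0.2.22/32 -o eth0 -j SNAT --to-source 198.51.100.7
COMMIT'

# Shape of post #6: SNAT to the forwarding box's own address.
FIXED_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -s 198.51.100.7/32 -d 203.0.113.10/32 -p tcp -m tcp --dport 30279 -j DNAT --to-destination 192.0.2.22:22
-A POSTROUTING -d 192.0.2.22/32 -o eth0 -j SNAT --to-source 203.0.113.10
COMMIT'

# `./audit.sh --demo` runs both constructed dumps through the checks;
# on a real box use:
#   audit_forward "$(cat /proc/sys/net/ipv4/ip_forward)" "<own addrs>" "$(iptables-save -t nat)"
if [ "${1:-}" = "--demo" ]; then
    echo "== post #7 shape =="; audit_forward 1 "203.0.113.10 127.0.0.1" "$BROKEN_DUMP"
    echo "== post #6 shape =="; audit_forward 1 "203.0.113.10 127.0.0.1" "$FIXED_DUMP" && echo "ok"
fi
```

When every check passes and the connection still fails, the remaining suspects are outside the nat table: a FORWARD chain that is not policy ACCEPT (the dump above is nat only), or a host firewall on the remote machine that only admits port 22 from specific sources.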
 
Tags
forwarding, iptables, masquerade, port, routing