LinuxQuestions.org


Nextrastus 02-19-2006 02:08 PM

Port/Address forwarding with iptables with one network interface.
 
Due to circumstances involving my motherboard (the one that comes in an HP Pavilion 8700), I'm unable to put a second Ethernet card in my Linux computer.

Problem: Want to forward incoming internet traffic to another computer via iptables, using only one ethernet interface.

Information:
Routing computer's IP: 1.1.1.1
Destination computer's IP: 1.1.1.4
Port of interest: TCP 6112

Here's what I think is the best solution for my problem, but I'm 100% open to suggestions:

Packet on 6112 -> Routing Computer's eth0, reroute to lo0
Packet on 127.0.0.1:6112 -> reroute to eth0, 1.1.1.4:6112

Basically, I'm trying to get around one interface by routing incoming traffic on that port to my loopback device, then routing traffic on that interface back out eth0 to the proper computer on my network.

I've done a ton of research on this, and I would post the best sites I found, but I can't due to lack of sufficient posts :/

For whatever reason, I just can't get anything to work. Thank you in advance for any help.

-Nextrastus

Matir 02-19-2006 03:49 PM

How is the packet arriving at the routing computer? What's the source? Also, are you actually using the 1.1.1.0 IP Block? You should be using a valid RFC1918 reserved network block on a LAN, if you're performing NAT.

Nextrastus 02-19-2006 04:36 PM

So far, I've just been using 0/0 for the source, since I figured allowing anything would rule out a few problems; I could always lock it down better later anyway.

Network Setup:

Code:

1.1.1.254              1.1.1.253
+---+        +--------------------------------+
| D |        | Linksys Wireless Router WRT54G |
| S |        |                                |
| L |        |(LAN1)(LAN2)(LAN3)(LAN4)   (WAN)|
|   |        +--^-----^-----^-----------------+
| M |           |     |     |
| O |           |     |     |        +-------------+
| D |           |     |     |        | Windows Box |
| E |           |     |     +--------+ 1.1.1.4     |
| M |-----------+     |              +-------------+
|   |                 |
+---+                 |              +-----------+
                      +--------------+ Linux Box |
                                     |  1.1.1.1  |
                                     +-----------+

Basically, I've just got my modem forwarding what I need to my Linux computer's IP. I'd like to eventually forward all incoming traffic to my Linux computer, and then redirect/forward it to anywhere else on my network I need to. I know it's not ideal to use a single cable for routing, but my max bandwidth usage for that is going to be 786k -- so I don't think it's gonna really matter. I would just use my modem's built-in NATting, but every time you change something, you have to restart it. As you might guess, that is extremely annoying. So far, I've tried adapting other people's example NAT firewalling scripts, but have managed to fail miserably.

Here is my iptables stuff as is (as applicable to my question):

Code:

iptables -t nat -I PREROUTING --src 0/0 --dst 1.1.1.1 -p tcp --dport 6112 -j DNAT --to-destination 127.0.0.1
iptables -t nat -I PREROUTING --src 0/0 --dst 127.0.0.1 -p tcp --dport 6112 -j DNAT --to-destination 1.1.1.1

Obviously, that didn't work because I've got no interface translation anywhere in there, so I tried something like this to put it on the lo0. I changed the port to 6113, so that it wouldn't confuse itself with any other packets, and it would be easier to filter back out, I figured I could just retranslate it to 6112 before I sent it out. Basically, I don't have a clue how to do these rules, and most information about iptables is extremely confusing to me.

Code:

iptables -A FORWARD -s 0/0 -i eth0 -d 1.1.1.1 -o lo0 -p TCP --dport 6113 -j ACCEPT

I was thinking something like this might work:

Code:

iptables -t nat -A PREROUTING -p tcp -d 127.0.0.1 --dport 6113 -j DNAT --to-destination 1.1.1.4:6112

But it didn't :/ I'm sure it's something simple I'm missing, but I've yet to spot it. Most sites I've run into expect you to know everything there is to know about iptables, then they point a couple of things out and slap an example up. Usually it's overly complex for what I'm trying to achieve. Once I have it where I can forward traffic to my other machine, I'm just going to set it up to throw out all other incoming traffic.

(Granted, I've found two very good sites for reference, but they only really show how the command syntax is, they don't go into detail how one might apply such information)

This way, I can essentially move my NATing off of my DSL modem. Most things that require incoming ports are on my linux computer, I only really want to forward a handful of stuff to my windows machine, but in those cases where something needs to be quickly forwarded, I don't want to have to stop everything I'm doing, disconnect from everything, edit modem config, restart, etc.

Once again, many thanks for your time.

Nextrastus 02-19-2006 05:00 PM

Quote:

valid RFC1918 reserved network block on a LAN

As for the approved network blocks, I hate typing out more than I have to. 1.1.1.0 has always worked in the past for me. If I was doing this professionally, or for someone else, yes, I would go ahead and use something like 192.168.0.0, but since it's just for me, I didn't really see a point in caring.

vimal 05-02-2006 09:41 PM

Hello Nextrastus,

Why don't you create a virtual adapter and route all your data coming on the interface eth0 to the newly created one? Having created the virtual adapter, you can forward the incoming data by using NAT in iptables. I think this would work in your scenario, please update us with the details, in case.

Thanks,

piotrm 09-18-2013 09:55 AM

Port/Address forwarding with iptables with one network interface
 
This is what was missing here: iptables -t nat -A POSTROUTING -j MASQUERADE

So what you actually should do is:

Code:

sysctl net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -s 0/0 -p tcp -d x.x.x.x --dport 6112 -j DNAT --to y.y.y.y:6112
iptables -t nat -A POSTROUTING -j MASQUERADE

where x.x.x.x is the server IP you want to forward the port from, and y.y.y.y is the destination server IP.

hope this helps
Piotr
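A consolidated version of piotrm's recipe, as an added example that is not from any post in this thread. It assumes the thread's values (interface eth0, router 1.1.1.1, target 1.1.1.4, TCP 6112), keeps the ip_forward + DNAT + MASQUERADE sequence, but narrows the MASQUERADE to the forwarded flow only (a bare `-A POSTROUTING -j MASQUERADE` rewrites the source of everything the box forwards) and adds the FORWARD accepts needed when that chain's policy is DROP. The DRY_RUN variable and the input checks are my own additions.

```shell
#!/bin/sh
# Added example (not from the thread): single-interface "hairpin" port forward.
# Assumptions: eth0, router 1.1.1.1, target 1.1.1.4, TCP 6112 (thread's values).
# Set DRY_RUN=1 to print the commands instead of applying them.

# Minimal IPv4 dotted-quad check (each octet 0-255); non-zero status on failure.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr . ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# Run a command, or just echo it when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Usage: setup_hairpin_forward IFACE ROUTER_IP TARGET_IP PORT
setup_hairpin_forward() {
    iface=$1; router=$2; target=$3; port=$4
    is_ipv4 "$router" && is_ipv4 "$target" || return 2
    [ "$port" -ge 1 ] 2>/dev/null && [ "$port" -le 65535 ] || return 2

    # 1. Let the kernel forward packets between hosts at all.
    run sysctl -w net.ipv4.ip_forward=1
    # 2. Rewrite the destination of new connections arriving for $router:$port.
    run iptables -t nat -A PREROUTING -i "$iface" -d "$router" -p tcp \
        --dport "$port" -j DNAT --to-destination "$target:$port"
    # 3. Allow the forwarded flow and its replies in both directions on the
    #    same interface (FORWARD policy may be DROP).
    run iptables -A FORWARD -i "$iface" -o "$iface" -d "$target" -p tcp \
        --dport "$port" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$iface" -o "$iface" -s "$target" -p tcp \
        --sport "$port" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 4. Source-NAT only this flow so $target replies to $router instead of
    #    straight to the client via the modem; without this step conntrack on
    #    the router never sees the reply, which is why DNAT alone failed.
    run iptables -t nat -A POSTROUTING -o "$iface" -d "$target" -p tcp \
        --dport "$port" -j MASQUERADE
}

# Apply only when called with all four arguments, e.g.
#   sh hairpin.sh eth0 1.1.1.1 1.1.1.4 6112
if [ $# -eq 4 ]; then setup_hairpin_forward "$@"; fi
```

Because of step 4 the Windows box sees every forwarded connection as coming from 1.1.1.1, so the real client addresses for that service are only visible in the Linux box's conntrack table or its own logging rules.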

