LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
Old 02-20-2013, 07:59 AM   #1
Spetsnaz
LQ Newbie
Registered: Feb 2013
Posts: 16

How to portforward with iptables?


I currently installed OpenVPN on CentOS 6 64-bit and everything is working fine, but I want to port-forward a client "user" so they can use that port. Here is what I thought might work:

Code:
iptables -t nat -A PREROUTING -p udp -d SERVERIP --dport 3074 -j DNAT --to-destination 10.8.0.6:3074
which is currently not even doing anything:

[root@RUVPN ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 10.8.0.0/24 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@RUVPN ~]#

 
Old 02-21-2013, 12:35 AM   #2
sevs
Member
Registered: Jul 2008
Location: Ukraine, Kharkov
Distribution: debian, knoppix, mandriva, asplinux, altlinux
Posts: 110

I do port forwarding this way:
Code:
IPTABLES=`which iptables`

NET_FACE="eth2"          # internet-facing interface
LAN_FACE="eth3"          # interface to the inner network
PWEB="80"                # port the inner host listens on
EJ_SRV="192.168.3.2"     # inner host that receives the forwarded traffic
LAN_NET="192.168.3.0/24"
SRV_IP="192.168.3.1"
EJ_PWEBIN="8080"         # port exposed on the internet side

# EJ_SRV is a host in the inner network LAN_NET, reached through the LAN_FACE interface.
# Rewrite packets arriving on NET_FACE for port EJ_PWEBIN so they go to EJ_SRV on port PWEB.
$IPTABLES -t nat -A PREROUTING -p tcp -i $NET_FACE --dport $EJ_PWEBIN -j DNAT --to $EJ_SRV:$PWEB
# Allow the rewritten packets to be forwarded from the internet interface to EJ_SRV on port PWEB.
$IPTABLES -A FORWARD -p tcp -i $NET_FACE -o $LAN_FACE -d $EJ_SRV --dport $PWEB -m state --state NEW,ESTABLISHED -j ACCEPT

# allow forwarding @ kernel level
echo 1 > /proc/sys/net/ipv4/ip_forward
The last line allows port forwarding on the box.
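As an added example (not code from the thread or from sevs), here are the same three steps, DNAT in PREROUTING, an ACCEPT in FORWARD and ip_forward, adapted to a box like the OP's with a single public interface (venet0) and the OpenVPN tunnel (tun0). The script prints the iptables commands so they can be reviewed and runs them only when APPLY=1. The addresses (203.0.113.10 for the public side, 10.8.0.1 for the server end of tun0, 10.8.0.6 for the client), the port and the PORTFWD_* chain names are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: forward one public port on a
# single-interface VPS (venet0 + tun0) to an OpenVPN client. Prints the
# iptables commands for review; runs them only when APPLY=1. All addresses,
# the port and the PORTFWD_* chain names are assumed placeholders.
set -eu

PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"  # assumed: address the users connect to
TUN_IP="${TUN_IP:-10.8.0.1}"            # assumed: server end of tun0
CLIENT="${CLIENT:-10.8.0.6}"            # assumed: VPN client to expose
PORT="${PORT:-3074}"
HAIRPIN="${HAIRPIN:-1}"                 # 1 = SNAT forwarded traffic so replies return via tun0

# Private chains: flushing them on every run makes the script re-runnable
# without touching the rest of the ruleset (iptables 1.4.7 has no -C).
chain_cmds() {
    cat <<'EOF'
iptables -t nat -N PORTFWD_DNAT 2>/dev/null || iptables -t nat -F PORTFWD_DNAT
iptables -t nat -N PORTFWD_SNAT 2>/dev/null || iptables -t nat -F PORTFWD_SNAT
iptables -N PORTFWD_FWD 2>/dev/null || iptables -F PORTFWD_FWD
iptables -t nat -D PREROUTING -j PORTFWD_DNAT 2>/dev/null || true
iptables -t nat -I PREROUTING 1 -j PORTFWD_DNAT
iptables -t nat -D POSTROUTING -j PORTFWD_SNAT 2>/dev/null || true
iptables -t nat -I POSTROUTING 1 -j PORTFWD_SNAT
iptables -D FORWARD -j PORTFWD_FWD 2>/dev/null || true
iptables -I FORWARD 1 -j PORTFWD_FWD
iptables -A PORTFWD_FWD -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Rules for one protocol. "-p $proto" must come before "--dport": the option
# belongs to the tcp/udp match module that -p loads, so the other order fails
# with "unknown option `--dport'" (the error shown in post #5).
fwd_cmds() { # proto port client public_ip tun_ip hairpin
    printf '%s\n' \
      "iptables -t nat -A PORTFWD_DNAT -d $4 -p $1 --dport $2 -j DNAT --to-destination $3:$2" \
      "iptables -A PORTFWD_FWD -d $3 -p $1 --dport $2 -m state --state NEW -j ACCEPT"
    # Return path: the client's reply has to come back through this box for
    # conntrack to undo the DNAT. If the client does not send all its traffic
    # through the VPN, rewrite the source to the tunnel address; the client
    # then sees every connection as coming from $5 rather than the real peer.
    if [ "$6" = 1 ]; then
        printf '%s\n' \
          "iptables -t nat -A PORTFWD_SNAT -d $3 -p $1 --dport $2 -j SNAT --to-source $5"
    fi
}

all_cmds() {
    chain_cmds
    for proto in tcp udp; do
        fwd_cmds "$proto" "$PORT" "$CLIENT" "$PUBLIC_IP" "$TUN_IP" "$HAIRPIN"
    done
    # Kernel-level forwarding; persist it with net.ipv4.ip_forward = 1 in /etc/sysctl.conf.
    echo 'sysctl -w net.ipv4.ip_forward=1'
}

if [ "${APPLY:-0}" = 1 ]; then
    all_cmds | sh -e
else
    all_cmds
fi
```

Run it once without APPLY to read the commands, then with APPLY=1 to install them; `iptables -t nat -L PORTFWD_DNAT -n -v` shows the packet counters, which should move while a user connects to the public port. With HAIRPIN=0 the forward only works for clients whose default route goes through the VPN.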
 
Old 02-21-2013, 02:59 AM   #3
Spetsnaz
LQ Newbie
Original Poster
Quote:
Originally Posted by sevs
I do port forwarding this way: [script quoted in post #2 above]
But I don't have eth0 or eth2, since this is a VPS.
 
Old 02-21-2013, 09:46 AM   #4
fmillion
Member
Registered: Nov 2006
Posts: 91
I am not sure if iptables can NAT connections on a single interface. It may be able to, but I've never tried.

Can you post the output of "ip addr list" and "ip route list"?

If you need to mask IPs, that's OK; just let me know you're doing that.

You could also try something like:

Code:
iptables -t nat -A PREROUTING -d <ip_your_clients_connect_to> --dport 3074 -p tcp -j DNAT --to 10.8.0.6
 
Old 02-21-2013, 09:50 AM   #5
Spetsnaz
LQ Newbie
Original Poster
[root@RUVPN ~]# ip addr list"
>

[root@RUVPN ~]# ip route list
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
10.8.0.0/24 via 10.8.0.2 dev tun0
169.254.0.0/16 dev venet0 scope link metric 1002
default dev venet0 scope link
[root@RUVPN ~]#


[root@RUVPN ~]# iptables -t nat -A PREROUTING -d 37.0.122.190 --dport 3074 -p tcp -j DNAT --to 10.8.0.6
iptables v1.4.7: unknown option `--dport'
Try `iptables -h' or 'iptables --help' for more information.
[root@RUVPN ~]#
 
Old 02-21-2013, 09:56 AM   #6
fmillion
Member
Ah, ok, you have more or less a VPN setup going on there. It looks like all the way back at the provider, they're taking connections coming into your IP and forwarding them through an internal tunnel to your box which resides at 10.8.0.1.

So you're saying you want people to be able to connect to YOUR box on port 3074, and then be able to access a box that your box is able to access which is located at 10.8.0.6?

This might be possible, and I could give it a try when I get back to my network closet later today, but like I said I'm not sure if the router can NAT a connection that comes in and goes out of the same interface.

You COULD in theory build a simple proxy using nc (netcat) that will accept connections on your box and blindly forward all traffic to and from your destination IP, but this will probably end up being more work than it's worth and not necessarily that reliable.

If you have clients that SSH into your box, you can instruct them to use SSH forwarding as a workaround. For example, the user would execute:

Code:
ssh -L 3074:10.8.0.6:3074 user@your-host.net
and then they could connect to localhost:3074 to access that box.

Nearly all Windows SSH clients offer a port-forwarding option as well.

The only downside to that is of course a person must login to ssh and stay logged in when they're working with the other box.

Will get back to you once I've had a chance to test this.

F
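The ssh -L workaround above gives each user a full login on the VPS unless their key is restricted: with a plain authorized_keys entry they can forward to any host the VPS can reach, not just 10.8.0.6:3074, and get a shell as well. As an added example (not from the thread), the script below generates an authorized_keys entry that is usable only for that one tunnel and checks an existing file for entries that still allow arbitrary forwards. It uses the long-form options (no-pty, permitopen, command) that the OpenSSH 5.3 shipped with CentOS 6 understands; newer OpenSSH also has a shorter `restrict` keyword. The target host:port and the key material are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: tunnel-only authorized_keys entries.
# TARGET is an assumed placeholder for the single host:port the tunnel may reach.
set -eu

TARGET="${TARGET:-10.8.0.6:3074}"

# Prefix a public key with options that leave it usable only for
#   ssh -N -L 3074:10.8.0.6:3074 user@host
# no pty, no agent/X11 forwarding, forwarding allowed to $TARGET only, and
# any session request just prints a message and exits (so clients need -N).
tunnel_only_entry() { # $1 = "keytype base64 [comment]" as found in the user's .pub file
    printf 'no-pty,no-agent-forwarding,no-X11-forwarding,permitopen="%s",command="/bin/echo tunnel-only key" %s\n' \
        "$TARGET" "$1"
}

# List authorized_keys entries that can still open arbitrary forwards: they
# carry neither "no-port-forwarding" nor a "permitopen=" limit.
# Output: one "line-number<TAB>keytype" per offending entry.
unrestricted_forwards() { # $1 = path to an authorized_keys file
    awk '
        /^[ \t]*(#|$)/ { next }
        # options, when present, are everything before the key type token
        !match($0, /(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[a-z0-9]+) /) { next }
        {
            opts = substr($0, 1, RSTART - 1)
            if (opts !~ /no-port-forwarding/ && opts !~ /permitopen=/)
                printf "%d\t%s\n", NR, substr($0, RSTART, RLENGTH - 1)
        }' "$1"
}

# Usage (key material below is a constructed placeholder, not a real key):
#   tunnel_only_entry 'ssh-rsa AAAAB3NzaC1yc2E_PLACEHOLDER user' >> ~user/.ssh/authorized_keys
#   unrestricted_forwards ~user/.ssh/authorized_keys
```

Appending the generated line to the user's authorized_keys and telling them to connect with `ssh -N -L 3074:10.8.0.6:3074 user@your-host.net` keeps fmillion's workaround but removes the shell and the ability to tunnel anywhere else; the checker is worth running over every account that is meant to be tunnel-only.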
 
Old 02-21-2013, 10:00 AM   #7
Spetsnaz
LQ Newbie
Original Poster
Oh, I totally forgot to mention: yes, this is a set-up for a VPN.
Basically a user wants to use port 3074, and I tried my best, to my knowledge, by doing a lot of Googling around on how to port-forward with iptables.
In conclusion, I came up with this in my iptables:

Quote:
# Generated by iptables-save v1.4.7 on Thu Feb 21 18:51:43 2013
*mangle
:PREROUTING ACCEPT [10577:2499115]
:INPUT ACCEPT [3892:864439]
:FORWARD ACCEPT [6685:1634676]
:OUTPUT ACCEPT [3459:1319354]
:POSTROUTING ACCEPT [10144:2954030]
COMMIT
# Completed on Thu Feb 21 18:51:43 2013
# Generated by iptables-save v1.4.7 on Thu Feb 21 18:51:43 2013
*filter
:INPUT ACCEPT [27:2328]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [26:2472]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -d 10.8.0.10/32 -p tcp -m tcp --dport 1604 -j ACCEPT
-A FORWARD -d 10.8.0.10/32 -p udp -m udp --dport 1604 -j ACCEPT
-A FORWARD -d 10.8.0.6/32 -p tcp -m tcp --dport 3074 -j ACCEPT
-A FORWARD -d 10.8.0.6/32 -p udp -m udp --dport 3074 -j ACCEPT
-A FORWARD -d 10.8.0.6/32 -p tcp -m tcp --dport 23 -j ACCEPT
-A FORWARD -d 10.8.0.6/32 -p udp -m udp --dport 23 -j ACCEPT
COMMIT
# Completed on Thu Feb 21 18:51:43 2013
# Generated by iptables-save v1.4.7 on Thu Feb 21 18:51:43 2013
*nat
:PREROUTING ACCEPT [333:24491]
:POSTROUTING ACCEPT [6:420]
:OUTPUT ACCEPT [5:360]
-A PREROUTING -p tcp -m tcp --dport 33891 -j DNAT --to-destination 10.8.0.6:3389
-A PREROUTING -d 37.0.122.190/32 -p udp -m udp --dport 3074 -j DNAT --to-destination 10.8.0.6:3074
-A PREROUTING -d 37.0.122.190/32 -p tcp -m tcp --dport 3074 -j DNAT --to-destination 10.8.0.6:3074
-A PREROUTING -d 37.0.122.190/32 -p udp -m udp --dport 1604 -j DNAT --to-destination 10.8.0.10:1604
-A PREROUTING -d 37.0.122.190/32 -p tcp -m tcp --dport 1604 -j DNAT --to-destination 10.8.0.10:1604
-A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 37.0.122.190
COMMIT
# Completed on Thu Feb 21 18:51:43 2013
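Three things in the ruleset above would be flagged in review, and all of them are visible in the dump itself: the 33891 DNAT rule has no `-d`, so it rewrites any packet with that destination port arriving on any of the box's addresses (including the tun0 address 10.8.0.1, i.e. traffic from other VPN clients); the FORWARD policy is ACCEPT, so the per-port ACCEPT rules are redundant and anything not listed is forwarded as well; and `-A FORWARD -s 10.8.0.0/24 -j ACCEPT` lets every VPN client reach every other client, not only the forwarded ports. As an added example, not from the thread, the script below finds these mechanically in iptables-save output. The sample input is the dump from post #7, embedded so the checks run offline; feed it `iptables-save` output instead to audit a live box.

```shell
#!/bin/sh
# Added example, not from the thread: audit an iptables-save dump for common
# DNAT port-forward mistakes. SAMPLE is the ruleset posted in post #7.
set -eu

SAMPLE='*filter
:INPUT ACCEPT [27:2328]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [26:2472]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -d 10.8.0.10/32 -p tcp -m tcp --dport 1604 -j ACCEPT
-A FORWARD -d 10.8.0.10/32 -p udp -m udp --dport 1604 -j ACCEPT
-A FORWARD -d 10.8.0.6/32 -p tcp -m tcp --dport 3074 -j ACCEPT
-A FORWARD -d 10.8.0.6/32 -p udp -m udp --dport 3074 -j ACCEPT
-A FORWARD -d 10.8.0.6/32 -p tcp -m tcp --dport 23 -j ACCEPT
-A FORWARD -d 10.8.0.6/32 -p udp -m udp --dport 23 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [333:24491]
:POSTROUTING ACCEPT [6:420]
:OUTPUT ACCEPT [5:360]
-A PREROUTING -p tcp -m tcp --dport 33891 -j DNAT --to-destination 10.8.0.6:3389
-A PREROUTING -d 37.0.122.190/32 -p udp -m udp --dport 3074 -j DNAT --to-destination 10.8.0.6:3074
-A PREROUTING -d 37.0.122.190/32 -p tcp -m tcp --dport 3074 -j DNAT --to-destination 10.8.0.6:3074
-A PREROUTING -d 37.0.122.190/32 -p udp -m udp --dport 1604 -j DNAT --to-destination 10.8.0.10:1604
-A PREROUTING -d 37.0.122.190/32 -p tcp -m tcp --dport 1604 -j DNAT --to-destination 10.8.0.10:1604
-A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 37.0.122.190
COMMIT'

# DNAT rules in PREROUTING that do not pin the destination address: they
# rewrite matching ports on every address the box has, tun0 included.
dnat_without_dest() { # $1 = iptables-save text
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && /^-A PREROUTING/ && /-j DNAT/ && !/ -d / { print }'
}

# Policy of the filter FORWARD chain. With ACCEPT, the per-port ACCEPT rules
# change nothing and every other forwarded packet is allowed too.
forward_policy() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && $1 == ":FORWARD" { print $2; exit }'
}

# DNAT targets ("proto ip:port") with no matching FORWARD ACCEPT rule.
# Harmless while the policy is ACCEPT; they break silently once it is DROP.
dnat_missing_forward() {
    printf '%s\n' "$1" | awk '
        function field(key,   i) {
            for (i = 1; i < NF; i++) if ($i == key) return $(i + 1)
            return ""
        }
        /^\*/ { table = substr($0, 2) }
        table == "filter" && /^-A FORWARD/ && /-j ACCEPT/ {
            d = field("-d"); sub(/\/32$/, "", d)
            allowed[field("-p") " " d ":" field("--dport")] = 1
        }
        table == "nat" && /^-A PREROUTING/ && /-j DNAT/ {
            dnat[n++] = field("-p") " " field("--to-destination")
        }
        END { for (i = 0; i < n; i++) if (!(dnat[i] in allowed)) print dnat[i] }'
}

# FORWARD rules that accept everything from a source network with no
# destination or port: every host in that network can reach every other.
forward_any_from_net() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && /^-A FORWARD -s / && !/ -d / && !/--dport/ && /-j ACCEPT/ { print }'
}

audit() {
    echo "FORWARD policy: $(forward_policy "$1")"
    echo "DNAT rules with no -d (match on any local address):"; dnat_without_dest "$1"
    echo "DNAT targets with no FORWARD ACCEPT rule:"; dnat_missing_forward "$1"
    echo "FORWARD rules accepting everything from a source net:"; forward_any_from_net "$1"
}

audit "$SAMPLE"
```

On the OP's dump the report names the 33891 rule, reports the ACCEPT policy, lists `tcp 10.8.0.6:3389` as the one DNAT target with no FORWARD rule, and points at the blanket `-s 10.8.0.0/24` rule. The fixes follow from the findings: add `-d 37.0.122.190/32` to the 33891 rule, set the FORWARD policy to DROP and keep the RELATED,ESTABLISHED rule plus the per-port ACCEPTs, and replace the blanket rule with one that only allows VPN clients out to the internet (for example by matching the outgoing interface) if client-to-client traffic is not wanted.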
 
  

