Iptables - how to portforward to external IP and ports?

slayernicke · 06-30-2011, 07:58 AM

Hi

I want to portforward client connections from an ubuntu lts server to another external server. btw i am a noob on iptables.
i have tryed using the basic commands for iptables with no success. For example:

iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 7878 -j DNAT --to 91.23.45.67:7878

iptables -A FORWARD -p tcp -i eth1 -o eth0 -d 91.23.45.67 --dport 7878 -j ACCEPT

so basically i just want a rediraction for from one ip to another. Example: A client tries to connect to ip 123.45.67.89 on port 7878 and the server forwards him to ip xx.xx.xx.xx on port 7878, meaning that xx.xx.xx.xx is the actual server with services. Server with ip 123.45.67.89 is only forwarding the client to external ip... how can this be done in a simple command?

Thanks in advance
Nico

Linux.tar.gz · 06-30-2011, 10:24 AM

Take a look at this firewall builder. You will learn a lot of interesting things :

http://connie.slackware.com/~alien/efg/

slayernicke · 06-30-2011, 11:11 AM

i have already tested this generator. It doesnt give examples on external ip routing, only internal portforwarding. If you understood my question than maybe you will realise that the command i am looking for may be very simple...? its only a question of forwarding a client from one ip to another EXTERNAL ip, given the ports.

akyuzremzi · 06-30-2011, 04:24 PM

After this
iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 7878 -j DNAT --to 91.23.45.67:7878

iptables -A FORWARD -p tcp -i eth1 -o eth0 -d 91.23.45.67 --dport 7878 -j ACCEPT

rules;

iptables -t nat -A POSTROUTING -j MASQUERADE
sysctl -w net.ipv4.ip_forward=1

and you can look your trafic with iptstate.

PS: Full traffic passes through you.

slayernicke · 07-01-2011, 03:31 AM

thanks for your respons. But it didnt work.

since all rules already are set to ACCEPT i am only adding this specific portforward rule. Assume port 7878 is a port that can be open via web browser, for example http://linux.dyndns.com:7878. I have done this very easily with router system called smoothwall. The router only acts as a messenger between the external server and clients. So the actual server only recieves one sort of ip from all connecting clients, which is the one of the router, because they are all connecting through it.
Now i want to try and doing this with linux iptabels or similar...
if you understand that all i want is to let the traffic pass through me, than maybe you can try it yourself with a testing port and help me out?

akyuzremzi · 07-02-2011, 12:44 AM

I think the rules should work.
Have you seen the request from iptstate?
What exactly is the error?

Detail to determine the cause of failure may be better to try the following.

----------------------------------------------------------------------------------------------------------------

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

iptables -F
iptables -F -t nat
iptables -X
iptables -X -t nat

iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 7878 -j LOG --log-prefix="PreRouting 7878..:"

iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 7878 -j DNAT --to 91.23.45.67:7878

iptables -A FORWARD -p tcp -i eth1 -o eth0 -d 91.23.45.67 --dport 7878 -j LOG --log-prefix="Forward 7878..:"

iptables -A FORWARD -p tcp -i eth1 -o eth0 -d 91.23.45.67 --dport 7878 -j ACCEPT

iptables -A INPUT -p tcp --dport 7878 -j LOG --log-prefix="Input 7878..:"

iptables -t nat -A POSTROUTING -j MASQUERADE
sysctl -w net.ipv4.ip_forward=1
-----------------------------------------------------------------------------------------------------------------

After that, you tell the output of dmesg,netstat -rn, ifconfig, iptables -L -vnx --line-number, iptables -t nat -L -vnx --line-number?

slayernicke · 07-04-2011, 04:21 AM

just made it happen thanx so much for your help mate

slayernicke · 07-04-2011, 04:58 AM

just made it happpen thanks anyway mate!