iptables port forwarding

_kure_ · 11-13-2007, 03:18 PM

Hello,

I'm trying to create this setup:

PC1 -> 8080:server -> 22:remotePC

Basically, forward incoming connection at port 8080 to a remote address port 22.

I have been half way successful.

Code:

iptables -t nat -I PREROUTING -p tcp -i eth0 -d *server*  --dport 8080 -j DNAT --to-destination *server*:22

Works, I can get ssh at port 8080 with 'ssh -p 8080 *server*'. However,

Code:

iptables -t nat -I PREROUTING -p tcp -i eth0 -d *server*  --dport 8080 -j DNAT --to-destination *remotePC*:22

doesn't seem to be routing. I believe the problem is that the server doesn't route to remote address for some strange reason.

iptables shouldn't be issue here, as everything necessary is allowed (I hope).

Code:

iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-apache (0 references)
target     prot opt source               destination

Chain fail2ban-couriersmtp (0 references)
target     prot opt source               destination

Chain fail2ban-postfix (0 references)
target     prot opt source               destination

Chain fail2ban-ssh (0 references)
target     prot opt source               destination

I also tried both of these

Code:

iptables -A INPUT -p tcp -m state --state NEW --dport 8080 -i eth0 -j ACCEPT

iptables -A FORWARD -p tcp -m state --state NEW -d *server* --dport 8080 -j ACCEPT

and none of them worked. Nmap says the port is filtered, but it shouldn't be an issue if I can connect to it when it forwards to local (server) port.

I hope you will help me.

ehawk · 11-14-2007, 04:12 PM

Do these links help?

http://www.linuxguruz.com/iptables/h...outing-15.html

http://scottr.org/files/presentation...networking.pdf

http://iptables-tutorial.frozentux.n...-tutorial.html

http://www.openpages.info/iptables/

http://www.linuxhomenetworking.com/w...Using_iptables

http://linux-ip.net/html/adv-multi-internet.html

pingu_penguin · 11-15-2007, 09:12 AM

did u enable packet forwarding ?

echo '1' > /proc/sys/net/ipv4/ip_forward

_kure_ · 11-15-2007, 11:22 AM

Quote:

Originally Posted by pingu_penguin

did u enable packet forwarding ?

echo '1' > /proc/sys/net/ipv4/ip_forward

I did. But I already found the problem.

This guide (http://www.openpages.info/iptables/) mentions something other ones didn't.

Code:

iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

Unfortunately, I don't have this module compiled, my server is a virtual server, I deleted kernel sources long ago and it's probably a specifically patched version of 2.6.18 kernel, so now it's a question of getting the sources from the company admin, which is easy as I know what I need.

Thanks everybody for helping.

jeenam · 11-15-2007, 12:35 PM

You can SNAT instead of MASQUERADE. MASQUERADE uses more cpu time as well.

iptables -t nat -A POSTROUTING -o eth0 -d *server* --destination-port 22 -SNAT --to-source <eth0_ip>

Also, this is a bad idea (SNAT or MASQUERADE in this case) since all connections going to the *server* from any host will appear to come from the forwarding machine. If your box gets compromised via ssh the log will show that all ssh connections appeared to come from the box running iptables that forwards packets from 8080 to *server*:22.

_kure_ · 11-15-2007, 03:53 PM

Nice, these three worked like a charm.

Code:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp -s *route_only_for_this_ip* -d *router_ip* --dport 80 -j DNAT --to *destination_ip*:*destination_port*
iptables -t nat -A POSTROUTING -o eth0 -d *destination_ip* -j SNAT --to-source *router_ip*

I don't mind getting compromised the computer I connect to via ssh, it's a school account I use to store documents, there is nothing to gain (except for me, because I cannot connect to that account from one specific location because of f****** firewall). Now is everything OK, thanks everybody!

cheers · 05-23-2011, 12:38 AM

Quote:

Originally Posted by _kure_

Nice, these three worked like a charm.

Code:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp -s *route_only_for_this_ip* -d *router_ip* --dport 80 -j DNAT --to *destination_ip*:*destination_port*
iptables -t nat -A POSTROUTING -o eth0 -d *destination_ip* -j SNAT --to-source *router_ip*

I don't mind getting compromised the computer I connect to via ssh, it's a school account I use to store documents, there is nothing to gain (except for me, because I cannot connect to that account from one specific location because of f****** firewall). Now is everything OK, thanks everybody!

The above commands not works for me..is there anything to do after these commands.
In my case PCI-->30279:server-->22:remote pc..( i will di ssh with port 30279 from PCI to servier ip and that shud connect tp remote ip)
i tried these below commands
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp -s *PCI_ip* -d *server_ip* --dport 30279 -j DNAT --to *remote_ip*:22
iptables -t nat -A POSTROUTING -o eth0 -d *remote_ip* -j SNAT --to-source *PCI_IP*.

Pls..

sunrised24 · 01-16-2012, 04:19 AM

Hi

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp -s *route_only_for_this_ip* -d *router_ip* --dport 80 -j DNAT --to *destination_ip*:*destination_port*
iptables -t nat -A POSTROUTING -o eth0 -d *destination_ip* -j SNAT --to-source *router_ip*

i folowed ur it never work to me