Old 01-22-2009, 05:03 PM   #1
LQ Newbie
Registered: Nov 2008
Location: USA
Distribution: rhell 4/5
Posts: 18

Rep: Reputation: 1
iptables - port forwarding through nat issues

Hi - I have several questions relating to iptables.

First, I am running an SMB/CIFS share on my linux box as a non-privileged/non-root user. Since SMB uses privileged ports (137-139, 445), I've used the following iptables rules to forward traffic to the non-privileged ports on which the CIFS server listens:

iptables -t nat -A PREROUTING -p tcp --dport 445 -j REDIRECT --to-ports 1445
iptables -t nat -A PREROUTING -p tcp --dport 139 -j REDIRECT --to-ports 1139
iptables -t nat -A PREROUTING -p udp --dport 137 -j REDIRECT --to-ports 1137
iptables -t nat -A PREROUTING -p udp --dport 138 -j REDIRECT --to-ports 1138
Every other machine can mount the share, except for the server that is running the CIFS share! When I mount the share on the same host (with the same command that works for the other machines), I have to specify to connect on port 1445. Why? Shouldn't iptables automatically handle it? What is so different about the traffic originating on the same server that it ends up skipping the iptables rules?

Here's the mount command I use:
mount.cifs //serverA/cifsshare /mnt/cifshare/ -o username=user,password=pass,port=1445

I've tried adding OUTPUT rules, but that ended up breaking everything. I want to be able to mount it on the same server without specifying the "port=1445" option.


My second question is this: Why does the port forwarding (e.g. from port 445 to 1445) use the nat table? Why can't it use the filter table? The port forwarding isn't doing any NAT'ing, since the source and destination ip stay the same.

EDIT: Just found the answer to this second question: The --to-ports option is only for the REDIRECT target, and that target is only available for the nat table. Therefore I can't use filter to redirect ports.

Thanks for your time and patience, in advance.

Last edited by web_janitor; 01-22-2009 at 05:37 PM.
Old 01-22-2009, 09:12 PM   #2
Senior Member
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165Reputation: 165
You need to use DNAT / REDIRECT in the OUTPUT chain, as you suspected, e.g. to port-forward something on the loopback interface:
iptables -t nat -A OUTPUT -d <your-hostname> -p tcp --dport 445 -j REDIRECT --to-ports 1445
Edit: to elaborate, PREROUTING affects packets passing through the machine, while OUTPUT affects locally-generated packets. So to achieve what you want, you need to include your original PREROUTING rules and the corresponding OUTPUT rules.

Last edited by Berhanie; 01-22-2009 at 09:29 PM.
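An added check, not from the thread, that audits `iptables-save -t nat` output for exactly the gap Berhanie describes: PREROUTING REDIRECT rules that have no OUTPUT twin, so locally generated connections bypass them. The ruleset below is a constructed sample modelled on the poster's rules, and `<server-ip>` is a placeholder to fill in.

```python
import re

# Constructed sample of `iptables-save -t nat` output, modelled on the thread:
# all four PREROUTING REDIRECTs are present, but only the 445 rule was mirrored into OUTPUT.
SAMPLE_NAT_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 445 -j REDIRECT --to-ports 1445
-A PREROUTING -p tcp -m tcp --dport 139 -j REDIRECT --to-ports 1139
-A PREROUTING -p udp -m udp --dport 137 -j REDIRECT --to-ports 1137
-A PREROUTING -p udp -m udp --dport 138 -j REDIRECT --to-ports 1138
-A OUTPUT -o lo -p tcp -m tcp --dport 445 -j REDIRECT --to-ports 1445
COMMIT
"""

# One REDIRECT rule line as iptables-save prints it; the middle group holds the match options.
RULE_RE = re.compile(r"^-A (PREROUTING|OUTPUT) (.*?)-j REDIRECT --to-ports (\d+)$")


def parse_redirects(save_text):
    """Map chain -> {(proto, dport): to_port} for every REDIRECT rule in the dump."""
    found = {"PREROUTING": {}, "OUTPUT": {}}
    for line in save_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        chain, body, to_port = m.groups()
        proto = re.search(r"-p (\w+)", body)
        dport = re.search(r"--dport (\d+)", body)
        if proto and dport:
            found[chain][(proto.group(1), int(dport.group(1)))] = int(to_port)
    return found


def missing_output_rules(save_text):
    """PREROUTING REDIRECTs with no matching OUTPUT rule: locally generated traffic skips these."""
    rules = parse_redirects(save_text)
    return sorted((proto, dport, to) for (proto, dport), to in rules["PREROUTING"].items()
                  if rules["OUTPUT"].get((proto, dport)) != to)


def suggested_output_rules(save_text, dest="<server-ip>"):
    """iptables commands that would close the gap; dest is a placeholder to replace."""
    return [f"iptables -t nat -A OUTPUT -d {dest} -p {p} --dport {d} -j REDIRECT --to-ports {t}"
            for p, d, t in missing_output_rules(save_text)]


if __name__ == "__main__":
    for cmd in suggested_output_rules(SAMPLE_NAT_SAVE):
        print(cmd)
```

On a real host, feed it the output of `iptables-save -t nat` instead of the sample.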
Old 01-23-2009, 06:16 PM   #3
LQ Newbie
Registered: Nov 2008
Location: USA
Distribution: rhell 4/5
Posts: 18

Original Poster
Rep: Reputation: 1
Thanks! That mostly worked. In my case, I had to modify the rule slightly by using my server's IP address, since I don't have an entry in /etc/hosts looping back for my hostname.
