LinuxQuestions.org
Old 04-10-2012, 03:30 AM   #1
lswol
LQ Newbie
 
Registered: Apr 2012
Posts: 2

Rep: Reputation: Disabled
Iptables Port Redirection Problem (DNAT rule)


Hello everybody

I have a problem with iptables. I want to make a simple port redirection with iptables.
Quick overview of what I try to accomplish:

Code:
[inet-nic]-[iptables-gateway-machine]-[internal-nic]<----------->[nic]-[internal-machine]
[fixed IPpub]                         [fixed IPpriv]             [fixed IPpriv]
8030 <----------------------------------------------------------> 8050
8031 <----------------------------------------------------------> 8051
I tried to accomplish it with the following rule:
Code:
#cat /etc/sysconfig/iptables
...
-A PREROUTING -d 12.34.56.789/32 -p tcp -m tcp --dport 8030 -j DNAT --to-destination 10.10.10.51:8050
-A PREROUTING -d 12.34.56.789/32 -p tcp -m tcp --dport 8031 -j DNAT --to-destination 10.10.10.51:8051
...
But that doesn't work.

I can't connect to the service (JMX java monitoring). If I check with
Code:
netstat -tnap | grep -E '8050|8051'
I can see that the redirection from 8030 -> 8050 is working because I see an "Established" connection from the IP I'm connecting from. But the second one from 8031 -> 8051 isn't working as intended.

Strange thing is, when I make a "Port Forwarding", redirecting from [external-ip]:8050 to [internal-machine-IPpriv]:8050 and [external-ip]:8051 to [internal-machine-IPpriv]:8051 with the above-noted iptables rule, it works perfectly.
That's why I think I'm missing some sort of SNAT rule, where the source port of the answer is altered correctly.

Anybody any ideas here? Any help is much appreciated!

Thanks,
Matt
 
Old 04-11-2012, 03:30 AM   #2
nikmit
Member
 
Registered: May 2011
Location: Nottingham, UK
Distribution: Debian
Posts: 178

Rep: Reputation: 34
tcpdump is your friend - see what is actually happening and update

nik
 
Old 04-11-2012, 03:57 AM   #3
lswol
LQ Newbie
 
Registered: Apr 2012
Posts: 2

Original Poster
Rep: Reputation: Disabled
Hello

Thanks for your answer. OK, I checked with tcpdump. Here is what I found out:

On the Gateway:
tcpdump -n port 8050
Code:
10:44:43.935128 IP 12.34.56.78.45790 > 10.10.10.51.8050: Flags [P.], seq 2260445138:2260445139, ack 3532209078, win 123, options [nop,nop,TS val 4032487167 ecr 3167255964], length 1
10:44:43.935332 IP 10.10.10.51.8050 > 12.34.56.78.45790: Flags [.], ack 1, win 114, options [nop,nop,TS val 3167269518 ecr 4032487167], length 0
10:44:43.935356 IP 10.10.10.51.8050 > 12.34.56.78.45790: Flags [P.], seq 1:2, ack 1, win 114, options [nop,nop,TS val 3167269518 ecr 4032487167], length 1
10:44:43.935653 IP 12.34.56.78.45790 > 10.10.10.51.8050: Flags [P.], seq 1:51, ack 2, win 123, options [nop,nop,TS val 4032487167 ecr 3167269518], length 50
...
Every other Port: 8051 / 8030 / 8031 gives me nothing!

If I set 8050 -> 8050 and 8051 -> 8051 in my iptables and run tcpdump while connecting, I see the correct packets and everything.

I'm quite sure that my iptables rules are wrong. What is a normal rule to make a port redirection with iptables? It's such a common use case; it can't be rocket science.
 
Old 04-11-2012, 04:30 AM   #4
nikmit
Member
 
Registered: May 2011
Location: Nottingham, UK
Distribution: Debian
Posts: 178

Rep: Reputation: 34
This is what I'm using to directly access machines on the inside:

-A PREROUTING -i eth1 -s x.x.x.x -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.8.2:22
-A PREROUTING -i eth1 -s x.x.x.x -p tcp -m tcp --dport 2244 -j DNAT --to-destination 192.168.8.4:22

This allows me to connect to debian boxes with low security from my work ip.
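As an added example (not posted by anyone in this thread), here is the complete set of pieces a PREROUTING DNAT redirection like the ones above depends on: IP forwarding, the DNAT rule, and FORWARD rules that match the already-translated destination. The interface names eth0/eth1, the public address 198.51.100.10 and the DRY_RUN switch are assumptions standing in for the redacted values; conntrack un-translates reply packets on its own, so no SNAT rule is needed as long as the internal host routes its replies back through this gateway.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a full DNAT port redirection.
# With DRY_RUN=1 (the default) the iptables/sysctl commands are printed
# instead of executed, so the rule set can be reviewed before applying it.
set -eu

DRY_RUN="${DRY_RUN:-1}"
EXT_IF="${EXT_IF:-eth0}"   # assumed public-facing NIC of the gateway
INT_IF="${INT_IF:-eth1}"   # assumed internal NIC of the gateway

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# DNATed packets are forwarded, not delivered locally; without this
# sysctl they are silently dropped after PREROUTING.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# dnat_redirect PUBLIC_IP INTERNAL_IP EXT_PORT INT_PORT
# Rewrites PUBLIC_IP:EXT_PORT to INTERNAL_IP:INT_PORT and admits the
# translated flow in FORWARD. Reply packets are reverse-translated by
# conntrack, so no SNAT/MASQUERADE rule is required here.
dnat_redirect() {
    pub_ip=$1; int_ip=$2; ext_port=$3; int_port=$4
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -d "$pub_ip"/32 -p tcp \
        --dport "$ext_port" -j DNAT --to-destination "$int_ip:$int_port"
    # FORWARD runs after nat/PREROUTING, so match the translated address
    # and port, not the public ones.
    run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$int_ip"/32 -p tcp \
        --dport "$int_port" -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    run iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$int_ip"/32 -p tcp \
        --sport "$int_port" -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

# Sample invocation using the port pairs from the thread (public IP assumed).
enable_forwarding
dnat_redirect 198.51.100.10 10.10.10.51 8030 8050
dnat_redirect 198.51.100.10 10.10.10.51 8031 8051
```

Port-changing DNAT is transparent only to protocols that do not announce port numbers inside their payload; JMX over RMI does (the registry hands the client a second server port to connect to), which is why a same-port mapping can behave differently from an 8030 -> 8050 mapping even when the rules themselves are correct.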
 