#1 | 04-10-2015, 02:12 AM | gdizzle (Member; Registered: Jul 2012; Posts: 234)
IPTABLES RHEL6 forward port 9100 to 9200
Hi all, I wish to forward packets from port 9100 to 9200 outbound.
I have enabled routing in /etc/sysctl.conf and done a sysctl -p to reload it:
net.ipv4.ip_forward = 1
I am a bit rusty. This is for when the local server sends packets to port 9100 outbound: they should get redirected to port 9200 outbound, for all destinations...
Thanks
#2 | 04-10-2015, 11:56 AM | lazydog (Senior Member; Registered: Dec 2003; Location: The Key Stone State; Distribution: CentOS Sabayon and now Gentoo; Posts: 1,249)
Code:
iptables -t nat -A PREROUTING -p tcp --dport 9100 -j REDIRECT --to-ports 9200
Or something to that effect. It depends on where you are doing the filtering.
#3 | 04-12-2015, 05:33 PM | gdizzle (Member, Original Poster; Registered: Jul 2012; Posts: 234)
Hi, thanks for your reply. As you can see here, it did not change to port 9200; it still went to 9100.
I saved my iptables config and did a service iptables restart.
Code:
telnet 2.2.2.2 9100
[root@server1 ~]# tcpdump -i eth0 -nn host 2.2.2.2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
08:26:59.825251 IP 1.1.1.1.52021 > 2.2.2.2.9100: Flags [S], seq 1106017687, win 14600, options [mss 1460,sackOK,TS val 1027879632 ecr 0,nop,wscale 7], length 0
08:26:59.826481 IP 2.2.2.2.9100 > 1.1.1.1.52021: Flags [S.], seq 443622967, ack 1106017688, win 23, options [mss 1380,nop,wscale 0,nop,nop,TS val 0 ecr 1027879632], length 0
Code:
[root@server1 ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 3 packets, 536 bytes)
pkts bytes target prot opt in out source destination
0 0 REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9100 redir ports 9200
Chain POSTROUTING (policy ACCEPT 1 packets, 172 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1 packets, 172 bytes)
pkts bytes target prot opt in out source destination
Any more ideas?
#4 | 04-13-2015, 04:59 AM | vincix (Senior Member; Registered: Feb 2011; Distribution: Ubuntu, Centos; Posts: 1,240)
Does it actually make any sense to use PREROUTING if these are packets generated by your own local server? I am just asking; I'm not really sure and I really want to understand.
Wouldn't MANGLE be a better choice, so that you actually modify the OUTPUT chain?
Something like: iptables -t mangle -I OUTPUT -p tcp --dport 9100... but I don't know the rest. Maybe still with REDIRECT? I have to search a little bit.
#5 | 04-13-2015, 09:58 AM | lazydog (Senior Member; Registered: Dec 2003; Location: The Key Stone State; Distribution: CentOS Sabayon and now Gentoo; Posts: 1,249)
MANGLE is good if you are looking to mark a packet or give it a TOS, but just to redirect, the rule I posted is more than enough.
#6 | 04-13-2015, 11:32 AM | vincix (Senior Member; Registered: Feb 2011; Distribution: Ubuntu, Centos; Posts: 1,240)
Quote:
Originally Posted by lazydog
MANGLE is good if you are looking to mark a packet or give it a TOS, but just to redirect, the rule I posted is more than enough.
Can you please explain in short (or in as much detail as you like) how packets generated by the local server pass through the PREROUTING chain? Because I thought that PREROUTING is only for packets that come in on one interface (from outside the server) and go out another (for instance when you have a VPN, ppp and so on).
#7 | 04-13-2015, 11:54 AM | vincix (Senior Member; Registered: Feb 2011; Distribution: Ubuntu, Centos; Posts: 1,240)
Or what about using NAT in OUTPUT? For instance:
Code:
iptables -t nat -A OUTPUT -p tcp --dport 9100 -j REDIRECT --to-ports 9200
Last edited by vincix; 04-13-2015 at 01:26 PM.
#8 | 04-13-2015, 11:56 AM | lazydog (Senior Member; Registered: Dec 2003; Location: The Key Stone State; Distribution: CentOS Sabayon and now Gentoo; Posts: 1,249)
Quote:
Originally Posted by gdizzle
Hi, thanks for your reply. As you can see here, it did not change to port 9200; it still went to 9100.
I saved my iptables config and did a service iptables restart.
[telnet and tcpdump output as in post #3]
I am going to assume that 2.2.2.2 is your server that is running iptables.
The packet leaving your system is destined for port 52021 of 1.1.1.1, thus the rule does not apply.
**EDIT**
Another thought crossed my mind looking at what you posted. The packet should have been tagged and changed on INPUT, and it looks like that did not happen. What other rules are you running that would cause this?
Last edited by lazydog; 04-13-2015 at 12:21 PM.
#9 | 04-13-2015, 12:25 PM | lazydog (Senior Member; Registered: Dec 2003; Location: The Key Stone State; Distribution: CentOS Sabayon and now Gentoo; Posts: 1,249)
Quote:
Originally Posted by vincix
Can you please explain in short (or in as much detail as you like) how packets generated by the local server pass through the PREROUTING chain? Because I thought that PREROUTING is only for packets that come in on one interface (from outside the server) and go out another (for instance when you have a VPN, ppp and so on).
You are right, that should have been POSTROUTING. Working on too many projects makes the mind wander at times.
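An added example, written for this page and not taken from any post in the thread, that ties the two threads of the discussion together: which nat chain the server's own outbound connections traverse (nat OUTPUT, then POSTROUTING; never PREROUTING, which is why the REDIRECT rule in post #3 shows 0 pkts), and how to change only the destination port. Two caveats a practitioner should know, both from iptables-extensions(8): REDIRECT is only valid in the nat PREROUTING and OUTPUT chains (so it cannot go in POSTROUTING), and for locally generated packets it rewrites the destination address to 127.0.0.1, so the nat OUTPUT rule in post #7 would send the traffic to the server itself rather than to 2.2.2.2. DNAT with a bare ":port" keeps the original destination address and changes only the port, which is what the original poster asked for. The function names (port_rewrite_rules, apply_port_rewrite, zero_hit_rules, check_sample) are this example's own, and the nat listing embedded below is a constructed copy of the one posted in #3.

```shell
#!/bin/sh
# Added example (not from the thread): rewrite the destination port of
# locally generated TCP traffic with iptables, and check from
# `iptables -t nat -nvL` output whether a rule is actually being hit.
#
# Netfilter path for packets the server itself generates:
#   local process -> nat OUTPUT -> routing -> nat POSTROUTING -> wire
# Packets arriving from other hosts instead take:
#   wire -> nat PREROUTING -> routing -> (INPUT | FORWARD -> POSTROUTING)
# A PREROUTING rule therefore never sees the server's own outbound
# connections, which is why its packet counter stays at 0.
# All function names here are this example's own (assumed, not from iptables).

# Print the iptables commands that change dport $1 -> $2 while keeping the
# original destination address. DNAT with a bare ":port" changes only the
# port; REDIRECT would also rewrite the address (to 127.0.0.1 for locally
# generated packets), which is not what is wanted here.
port_rewrite_rules() {
    from=$1; to=$2
    # traffic originated on this host
    printf 'iptables -t nat -A OUTPUT -p tcp --dport %s -j DNAT --to-destination :%s\n' "$from" "$to"
    # traffic from other hosts routed through this host (needs ip_forward=1)
    printf 'iptables -t nat -A PREROUTING -p tcp --dport %s -j DNAT --to-destination :%s\n' "$from" "$to"
}

# Apply the rules. Refuses unless running as root with iptables present;
# with DRY_RUN=1 it only prints what it would run. $cmd is built solely by
# port_rewrite_rules above, so handing it to sh -c is safe here.
apply_port_rewrite() {
    port_rewrite_rules "$1" "$2" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            printf 'would run: %s\n' "$cmd"
        elif [ "$(id -u)" -ne 0 ] || ! command -v iptables >/dev/null 2>&1; then
            printf 'skipping (need root and iptables): %s\n' "$cmd" >&2
            return 1
        else
            sh -c "$cmd"
        fi
    done
}

# Read `iptables -t nat -nvL` output on stdin and print one line per rule
# whose packet counter is 0, as "<chain> <target> <match fields...>".
# A rule that should be matching but shows 0 pkts is in the wrong chain
# for the traffic (or is shadowed by an earlier rule).
zero_hit_rules() {
    awk '
        /^Chain /       { chain = $2; next }   # "Chain PREROUTING (policy ...)"
        $1 == "pkts"    { next }               # column header line
        NF >= 9 && $1 ~ /^[0-9]+$/ && $1 + 0 == 0 {
            line = chain " " $3
            for (i = 10; i <= NF; i++) line = line " " $i
            print line
        }
    '
}

# Constructed sample, mirroring the listing posted in the thread.
SAMPLE_NAT_LISTING='Chain PREROUTING (policy ACCEPT 3 packets, 536 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:9100 redir ports 9200

Chain POSTROUTING (policy ACCEPT 1 packets, 172 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1 packets, 172 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# Run the zero-hit check on the sample. On a live box use:
#   iptables -t nat -nvL | zero_hit_rules
check_sample() {
    printf '%s\n' "$SAMPLE_NAT_LISTING" | zero_hit_rules
}
```

After applying the nat OUTPUT rule on the real server, repeat the telnet from post #3 and re-run `iptables -t nat -nvL`: the OUTPUT chain's DNAT rule should now show a non-zero pkts count and tcpdump should show the SYN going to 2.2.2.2.9200. The rule is stateful: the reverse direction is un-NATed automatically by conntrack, so the application still sees replies as coming from port 9100.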
#10 | 04-13-2015, 01:21 PM | vincix (Senior Member; Registered: Feb 2011; Distribution: Ubuntu, Centos; Posts: 1,240)
[never mind for now]
Last edited by vincix; 04-13-2015 at 01:26 PM.