LinuxQuestions.org
Old 04-10-2015, 02:12 AM   #1
gdizzle
Member
 
Registered: Jul 2012
Posts: 234

IPTABLES RHEL6 forward port 9100 to 9200


Hi All, I wish to forward packets from port 9100 to 9200 Outbound.

I have enabled routing in the /etc/sysctl.conf and done a sysctl -p to reload it:

net.ipv4.ip_forward = 1


I am a bit rusty. This is for when the local server sends packets to port 9100 outbound: they should get redirected to port 9200 outbound, for all destinations...


Thanks
 
Old 04-10-2015, 11:56 AM   #2
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

iptables -t nat -A PREROUTING -p tcp --dport 9100 -j REDIRECT --to-ports 9200
Or something to that effect. Depends on where you are doing the filtering.
 
Old 04-12-2015, 05:33 PM   #3
gdizzle
Member
 
Registered: Jul 2012
Posts: 234

Original Poster
Hi, thanks for your reply. As you can see here, it did not change to port 9200; it was still directed to 9100.

I saved my iptables config and did a service iptables restart.

Code:
telnet 2.2.2.2 9100

[root@server1 ~]# tcpdump -i eth0 -nn host 2.2.2.2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

08:26:59.825251 IP 1.1.1.1.52021 > 2.2.2.2.9100: Flags [S], seq 1106017687, win 14600, options [mss 1460,sackOK,TS val 1027879632 ecr 0,nop,wscale 7], length 0
08:26:59.826481 IP 2.2.2.2.9100 > 1.1.1.1.52021: Flags [S.], seq 443622967, ack 1106017688, win 23, options [mss 1380,nop,wscale 0,nop,nop,TS val 0 ecr 1027879632], length 0

Code:
root@server1 ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 3 packets, 536 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:9100 redir ports 9200

Chain POSTROUTING (policy ACCEPT 1 packets, 172 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1 packets, 172 bytes)
 pkts bytes target     prot opt in     out     source               destination


Any more ideas?
 
Old 04-13-2015, 04:59 AM   #4
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,240

Does it actually make any sense to use PREROUTING if these are packets generated by your own local server? I am just asking, I'm not really sure and I really want to understand.

Wouldn't MANGLE be a better choice so that you actually modify the OUTPUT chain?

Something like: iptables -t mangle -I OUTPUT -p tcp --dport 9100... but I don't know the rest. Maybe still with REDIRECT? I have to search a little bit.
 
Old 04-13-2015, 09:58 AM   #5
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

MANGLE is good if you are looking to mark a packet or give it a TOS, but just to redirect, the rule I posted is more than enough.
 
Old 04-13-2015, 11:32 AM   #6
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,240

Quote:
Originally Posted by lazydog
MANGLE is good if you are looking to mark a packet or give it a TOS, but just to redirect, the rule I posted is more than enough.

Can you please explain in short (or as detailed as possible, if you feel like it) how packets generated by the local server pass through the PREROUTING chain? 'Cause I thought that PREROUTING is only for packets that come in on one interface (be it from outside the server) and go out another (for instance when you have a VPN, ppp and so on).
 
Old 04-13-2015, 11:54 AM   #7
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,240

Or what about using NAT in OUTPUT? For instance:

Code:
iptables -t nat -A OUTPUT -p tcp --dport 9100 -j REDIRECT --to-ports 9200

Last edited by vincix; 04-13-2015 at 01:26 PM.
 
Old 04-13-2015, 11:56 AM   #8
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Quote:
Originally Posted by gdizzle
Hi, thanks for your reply. As you can see here, it did not change to port 9200; it was still directed to 9100.

I saved my iptables config and did a service iptables restart.

Code:
telnet 2.2.2.2 9100

[root@server1 ~]# tcpdump -i eth0 -nn host 2.2.2.2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

08:26:59.825251 IP 1.1.1.1.52021 > 2.2.2.2.9100: Flags [S], seq 1106017687, win 14600, options [mss 1460,sackOK,TS val 1027879632 ecr 0,nop,wscale 7], length 0
08:26:59.826481 IP 2.2.2.2.9100 > 1.1.1.1.52021: Flags [S.], seq 443622967, ack 1106017688, win 23, options [mss 1380,nop,wscale 0,nop,nop,TS val 0 ecr 1027879632], length 0
I am going to assume that 2.2.2.2 is your server that is running iptables.

The packet leaving your system is destined for port 52021 of 1.1.1.1, thus the rule does not apply.

**EDIT**
Another thought crossed my mind looking at what you posted. The packet should have been tagged and changed on INPUT, and it looks like that did not happen. What other rules are you running that would cause this?

Last edited by lazydog; 04-13-2015 at 12:21 PM.
 
Old 04-13-2015, 12:25 PM   #9
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Quote:
Originally Posted by vincix
Can you please explain in short (or as detailed as possible, if you feel like it) how packets generated by the local server pass through the PREROUTING chain? 'Cause I thought that PREROUTING is only for packets that come in on one interface (be it from outside the server) and go out another (for instance when you have a VPN, ppp and so on).
You are right, that should have been POSTROUTING. Working too many projects makes the mind wander at times.
 
Old 04-13-2015, 01:21 PM   #10
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,240

[never mind for now]

Last edited by vincix; 04-13-2015 at 01:26 PM.
 
  

