Old 08-11-2019, 12:59 PM   #1
LQ Newbie
Registered: Aug 2019
Posts: 3

Rep: Reputation: Disabled
iptables subnet traffic masquerade work but prerouting end in 111: connection refused

Dear friendly community, after searching for hours and trying over days (I'm no expert at all),
I decided to ask here, so I hope anyone can help with this issue.

I set up a DHCP server to give a second device access to my internet connection.
On my host machine I'm connected to a socks server, which I'm able to use with the following iptables rules:

sudo iptables -t nat -N REDSOCKS
sudo iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports 12345

sudo iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDSOCKS

So after enabling this rule, all host traffic to :80 goes through the socks.

Only the following rule makes the client of the subnet reach the inet:

sudo iptables -A POSTROUTING -t nat -j MASQUERADE

The problem with this rule is that the traffic of the subnet client never goes through the socks on the host machine, while requests from the host itself use the socks connection and get redirected.

I tried the rule below, which makes the network unreachable for the subnet client:

sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDSOCKS

I'm no iptables expert, but I tried to handle this over DNAT and SNAT.
I believe it has something to do with this MASQUERADE.

But overall it looks like the requests are going outside but the answer isn't reaching my subnet client. (I checked this issue with [apt install] ngrep.)

I already tried to fix this issue by setting up a VPN on my host machine and connecting the client to it, but the only success was reaching the inet without the MASQUERADE rule, while I still don't use the socks for outgoing connections on the client machine and all traffic from the host goes directly over the socks.

I don't have to add forward rules to iptables when I used


sysctl -w net.ipv4.ip_forward=1

Or do I have to enable forward for the REDSOCKS chain as well?

What about: iptables -I FORWARD?

The problem is that without MASQUERADE I can see, over ngrep, the request from the subnet client leaving my host interface to the destination and receiving an answer, but
these never reach my subnet client and never go over the socks. Only when I use the MASQUERADE rule do the requests come through, without going over the socks on the host machine.

I really hope someone greater than me is able to teach me about my retardation relating to iptables.

Last edited by g1thub; 08-11-2019 at 01:05 PM.
Old 08-21-2019, 09:32 AM   #2
Registered: Aug 2004
Distribution: mostly ubuntu , but want to migrate strongly to slack.
Posts: 264

Rep: Reputation: 56
sudo iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports 12345
If I am correct, this is transparent port redirection towards the SOCKS server, to the port on which it's listening.

I would simplify it with:

# iptables -t nat -A POSTROUTING -o (your_internet_interface) -j MASQUERADE   # shares the internet connection
# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 12345

I really don't find the need to specify a new custom chain if your output policy is accept.

Give it a try and let us know.
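
An added diagnostic example, not part of either post: REDIRECT rewrites the destination to 127.0.0.1 for locally generated packets (OUTPUT) but to the primary address of the incoming interface in PREROUTING, so a proxy on port 12345 that listens only on loopback refuses the subnet client with error 111. Whether that is the cause in this thread is an assumption; the function names and the sample `ss -ltn` lines are constructed.

```shell
#!/bin/sh
# Added example. Reads `ss -ltn` style lines on stdin and reports who can
# reach the TCP listener on the given port:
#   loopback-only | reachable | none
listener_scope() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, a, ":")      # Local Address:Port, port is the last piece
            if (a[n] != port) next
            addr = substr($4, 1, length($4) - length(a[n]) - 1)
            if (addr ~ /^127\./ || addr == "[::1]") lo = 1
            else other = 1             # 0.0.0.0, *, [::] or an interface address
        }
        END {
            if (other)   print "reachable"
            else if (lo) print "loopback-only"
            else         print "none"
        }'
}

# Map the result to what the REDIRECT rules in the thread would hit.
explain() {
    case "$(listener_scope "$1")" in
        loopback-only) echo "OUTPUT redirect works; PREROUTING redirect gets 111 (connection refused)" ;;
        reachable)     echo "listener is not loopback-only; confirm it covers the client-facing address" ;;
        none)          echo "nothing listens on port $1; every redirect is refused" ;;
    esac
}

# Constructed sample input (not captured from the poster's machine).
SAMPLE_LOOPBACK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:12345    0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'
SAMPLE_LAN='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    192.168.10.1:12345 0.0.0.0:*'

printf '%s\n' "$SAMPLE_LOOPBACK" | explain 12345
printf '%s\n' "$SAMPLE_LAN"      | explain 12345
# On a live host: ss -ltn | explain 12345
```

If the proxy is rebound to the client-facing address, scope the PREROUTING rule with `-i` to that interface so the redirect, and the proxy behind it, is only offered to the intended subnet.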


All times are GMT -5.