LinuxQuestions.org
Old 12-13-2015, 03:16 AM   #1
hack3rcon
iptables v1.4.14: unknown option "--to-destination"


Hello.
I used the iptables command below on Debian but got an error:

$ sudo iptables -A INPUT -p tcp -j FORWARD --to-destination 172.30.10.11
iptables v1.4.14: unknown option "--to-destination"
Try `iptables -h' or 'iptables --help' for more information.


Any idea?
 
Old 12-13-2015, 05:25 AM   #2
unSpawn
Wrong jump type (forward vs redirect) and probably wrong table too.
 
Old 12-13-2015, 06:27 AM   #3
berndbausch
Quote:
Originally Posted by hack3rcon
Hello.
I used the iptables command below on Debian but got an error:

$ sudo iptables -A INPUT -p tcp -j FORWARD --to-destination 172.30.10.11
iptables v1.4.14: unknown option "--to-destination"
Try `iptables -h' or 'iptables --help' for more information.
May I suggest the man page?
There is no target named FORWARD. There is however a FORWARD chain.
--to-destination is a parameter for the BALANCE and DNAT targets.

The suggested REDIRECT wouldn't work I guess. This is what the man page says:
Quote:
REDIRECT

This target is only valid in the nat table, in the PREROUTING and OUTPUT chains, and user-defined chains which are only called from those chains. It redirects the packet to the machine itself by changing the destination IP to the primary address of the incoming interface (locally-generated packets are mapped to the 127.0.0.1 address). It takes one option:

--to-ports port[-port]
This specifies a destination port or range of ports to use: without this, the destination port is never altered. This is only valid if the rule also specifies -p tcp or -p udp.
 
Old 12-13-2015, 08:59 AM   #4
hack3rcon
What is your idea to solve it?
 
Old 12-13-2015, 09:57 AM   #5
Ser Olmy
Quote:
Originally Posted by hack3rcon
What is your idea to solve it?
Well, what exactly is it that you want to accomplish?

The INPUT chain in the filter table is for filtering incoming traffic only. If you wish to redirect incoming traffic to another host, that's called "network address translation" ("destination NAT" to be precise), so you'll need to use the PREROUTING chain in the nat table:
Code:
iptables -t nat -A PREROUTING -p tcp --dport <some_port_number> -j DNAT --to-destination 172.30.10.11:<a_port_number>
Note that you'll also need a firewall rule in the FORWARD chain to allow the packets you just NATed.
 
Old 12-15-2015, 06:19 AM   #6
hack3rcon
Thank you.
For example, when someone connects to me with Remote Desktop, I want their request forwarded to 172.30.10.11, which is a Windows machine. I guess the Remote Desktop port is 3389 on Windows, but what about "--dport"?
 
Old 12-15-2015, 02:36 PM   #7
Ser Olmy
Quote:
Originally Posted by hack3rcon
I guess the Remote Desktop port is 3389 on Windows, but what about "--dport"?
The --dport parameter is used to specify the destination port number of the original, un-NATed packet. You can use the same port number as the service you're redirecting the packet to, but it is also possible to use a different port.

This should do the trick:
Code:
iptables -t nat -A PREROUTING -p tcp --dport 3389 -j DNAT --to-destination 172.30.10.11:3389
iptables -t filter -A FORWARD -d 172.30.10.11/32 -p tcp --dport 3389 -j ACCEPT
You may want to add an input interface match (-i <interface>) to the PREROUTING rule and perhaps both an input and an output interface match (-i <interface> -o <interface>) to the FORWARD rule.
 
Old 12-16-2015, 05:00 AM   #8
hack3rcon
I did:

$ sudo iptables -t filter -A FORWARD -d 172.30.10.11/32 -p tcp --dport 3389 -j ACCEPT -i eth1 -o eth1

and my iptables rules are:

$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere 172.30.10.11 tcp dpt:3389

Chain OUTPUT (policy ACCEPT)
target prot opt source destination


but it did not work.
 
Old 12-16-2015, 08:45 AM   #9
Ser Olmy
How can the input and output interfaces be the same (eth1)?
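An added example, not posted by anyone in this thread, that ties together the rule set from posts #5 and #7 and the interface mistake pointed out in posts #8 and #9: it generates the DNAT forward, refuses identical input and output interfaces, and in apply mode turns on routing and lists the nat table, which the plain `iptables -L` in post #8 (filter table only) never shows. The interface names eth0/eth1 are assumptions, and the conntrack return-path rule is an addition to the thread's rules; the port and target address are the thread's.

```shell
#!/bin/sh
# Added example (not from the thread). Prints the rules by default;
# set APPLY=1 to run them (needs root and iptables).

# Post #9's point: a forwarded packet enters on one interface and leaves on
# another, so "-i eth1 -o eth1" can never match. Reject it up front.
validate_ifaces() {
    in_if=$1; out_if=$2
    if [ "$in_if" = "$out_if" ]; then
        echo "error: input and output interface are both '$in_if'" >&2
        return 1
    fi
    return 0
}

# Emit the rule set: DNAT in the nat table's PREROUTING chain (post #5), the
# matching ACCEPT in the filter table's FORWARD chain with interface matches
# (post #7), and a conntrack rule for the reply direction (added here, so the
# forward still works when the FORWARD policy is DROP).
dnat_rules() {
    in_if=$1; out_if=$2; port=$3; target=$4
    validate_ifaces "$in_if" "$out_if" || return 1
    cat <<EOF
iptables -t nat -A PREROUTING -i $in_if -p tcp --dport $port -j DNAT --to-destination $target:$port
iptables -t filter -A FORWARD -i $in_if -o $out_if -d $target/32 -p tcp --dport $port -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -i $out_if -o $in_if -s $target/32 -p tcp --sport $port -m conntrack --ctstate ESTABLISHED -j ACCEPT
EOF
}

# Apply mode: enable IPv4 forwarding (DNAT alone does not route), load the
# rules, then list both tables. "iptables -L" without "-t nat" shows only the
# filter table, which is why post #8's listing does not display the DNAT rule.
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1
    dnat_rules "$@" | sh -e
    iptables -t nat -L PREROUTING -n -v
    iptables -t filter -L FORWARD -n -v
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_rules "${1:-eth0}" "${2:-eth1}" "${3:-3389}" "${4:-172.30.10.11}"
else
    dnat_rules "${1:-eth0}" "${2:-eth1}" "${3:-3389}" "${4:-172.30.10.11}"
fi
```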