Latest LQ Deal: Linux Power User Bundle
Go Back > Forums > Linux Forums > Linux - Networking
User Name
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.


  Search this Thread
Old 02-19-2006, 02:08 PM   #1
LQ Newbie
Registered: Feb 2006
Posts: 3

Rep: Reputation: 0
Port/Address forwarding with iptables with one network interface.

Due to circumstances involving my motherboard (the one that comes in an HP Pavillon 8700), I'm unable to put a second ethernet card in my linux computer.

Problem: Want to forward incoming internet traffic to another computer via iptables, using only one ethernet interface.

Routing computer's IP:
Destination computer's IP:
Port of interest: TCP 6112

Here's what I think is the best solution for my problem, but I'm 100% open to suggestions:

Packet on 6112 -> Routing Computer's eth0, reroute to lo0
Packet on -> reroute to eth0,

Basically, I'm trying to get around one interface by routing incoming traffic on that port to my loopback device, then routing traffic on that interface back out eth0 to the proper computer on my network.

I've done a ton of research in this, and I would put the best sites I found, but I can't due to lack of sufficient posts :/

For whatever reason, I just can't get anything to work. Thank you in advance for any help.

Old 02-19-2006, 03:49 PM   #2
LQ Guru
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 124Reputation: 124
How is the packet arriving at the routing computer? What's the source? Also, are you actually using the IP Block? You should be using a valid RFC1918 reserved network block on a LAN, if you're performing NAT.
Old 02-19-2006, 04:36 PM   #3
LQ Newbie
Registered: Feb 2006
Posts: 3

Original Poster
Rep: Reputation: 0
So far, I've just been using 0/0 for the source, since I figured allowing anything would rule out a few problems, I could always lock it down better later anyways.

Network Setup:

+---+        +--------------------------------+
| D |        | Linksys Wireless Router WRT54G |
| S |        |                                |
| L |        |(LAN1)(LAN2)(LAN3)(LAN4)   (WAN)|
|   |        +--^-----^-----^-----------------+
| M |           |     |     |
| O |           |     |     |          +-------------+
| D |           |     |     |          + Windows Box |
| E |           |     |     +----------+     |
| M |-----------+     |                +-------------+
|   |                 |
+---+                 |                +-----------+
                      +----------------+ Linux Box |
                                       |  |
Basically, I've just got my modem forwarding what I need to my linux computer's IP. I'd like to eventually forward all incoming to my linux computer, and then redirect/forward it to anywhere else on my network I need to. I know it's not ideal to use a single cable for routing, but my max bandwidth usage for that is going to be 786k -- so I don't think it's gonna really matter. I would just use my modem's build in natting, but everytime you change something, you have to restart it. As you might guess, that is extremely annoying. So far, I've tried adapting other people's example NAT firewalling scripts, but have managed to fail miserably.

Here is my iptables stuff as is (as applicable to my question):

iptables -t nat -I PREROUTING --src 0/0 --dst -p tcp --dport 6112 -j DNAT --to-destination
iptables -t nat -I PREROUTING --src 0/0 --dst -p tcp --dport 6112 -j DNAT --to-destination
Obviously, that didn't work because I've got no interface translation anywhere in there, so I tried something like this to put it on the lo0. I changed the port to 6113, so that it wouldn't confuse itself with any other packets, and it would be easier to filter back out, I figured I could just retranslate it to 6112 before I sent it out. Basically, I don't have a clue how to do these rules, and most information about iptables is extremely confusing to me.

iptables -A FORWARD -s 0/0 -i eth0 -d -o lo0 -p TCP --dport 6113 -j ACCEPT
I was thinking something like this might work:
iptables -t nat -A PREROUTING -p tcp -d --dport 6113 -j DNAT --to-destination
But it didn't :/ I'm sure it's something simple I'm missing, but I've yet to spot it. Most sites I've run into expect you to know everything there is to know about iptables, then they point a couple things out, and slap an example up. Usually it's overly complex for what I'm trying to achieve. Once I have it where I can forward traffic to my other machine, I'm just going to set it up to throw out all other incoming traffic.

(Granted, I've found two very good sites for reference, but they only really show how the command syntax is, they don't go into detail how one might apply such information)

This way, I can essentially move my NATing off of my DSL modem. Most things that require incoming ports are on my linux computer, I only really want to forward a handful of stuff to my windows machine, but in those cases where something needs to be quickly forwarded, I don't want to have to stop everything I'm doing, disconnect from everything, edit modem config, restart, etc.

Once again, many thanks for your time.

Last edited by Nextrastus; 02-19-2006 at 04:38 PM.
Old 02-19-2006, 05:00 PM   #4
LQ Newbie
Registered: Feb 2006
Posts: 3

Original Poster
Rep: Reputation: 0
valid RFC1918 reserved network block on a LAN
As for the approved network blocks, I hate typing out more than I have to. has always worked in the past for me. If I was doing this professionally, or for someone else, yes, I would go ahead and use something like, but since it's just for me, I didn't really see a point in caring.
Old 05-02-2006, 09:41 PM   #5
Red Hat India
Registered: Nov 2004
Location: Kerala/Pune,india
Distribution: RedHat, Fedora
Posts: 260

Rep: Reputation: 34
Hello Nextrastus,

Why don't you create a virtual adapter and route all your data coming on the interface eth0 to the newly created one? Having created the virtual adapter, you can forward the incoming data by using NAT in iptables. I think this would work in your scenario, please update us with the details, in case.

Old 09-18-2013, 09:55 AM   #6
LQ Newbie
Registered: Sep 2013
Posts: 1

Rep: Reputation: Disabled
Port/Address forwarding with iptables with one network interface

this is what was missing here : iptables -t nat -A POSTROUTING -j MASQUERADE

so what you acctualy should do is :

sysctl net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -s 0/0 -p tcp -d x.x.x.x --dport 6112 -j DNAT --to y.y.y.y:6112
iptables -t nat -A POSTROUTING -j MASQUERADE

where x.x.x.x is the server IP you want to forward the port from , and y.y.y.y is the destination server IP

hope this helps

Last edited by piotrm; 09-18-2013 at 10:01 AM.


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
IPCHAINS port forwarding and IPTABLES port forwarding ediestajr Linux - Networking 26 01-14-2007 07:35 PM
Port Forwarding per IP Address Linux and Win2k3 carl.waldbieser Linux - Networking 1 01-05-2006 05:47 PM
how to set a static ip address or do port forwarding? cd1680 Linux - Networking 13 03-27-2005 06:58 PM
IPTABLES port forwarding sal_paradise42 Linux - Networking 5 10-25-2003 04:11 PM
IPTABLES port forwarding to internal network ivanros Linux - Networking 2 12-28-2002 10:19 PM > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 12:27 PM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration