Linux - Server (LinuxQuestions.org forum): discussion of Linux software used in a server-related context.
Server A has two Network Interface Cards: eth0 is 58.61.48.159, eth1 is 192.168.2.2/24.
Server B has one Network Interface Card: eth0 is 192.168.2.34/24.
Server A and Server B are on the same LAN.
I want packets from 113.118.110.250 with dport 13306 to be rewritten to 192.168.2.34:3306.
Other packets with dport 13306 should be dropped.
Here is my iptables configuration. It is a port mapping; I want 113.118.110.250 to be able to access 58.61.48.159's port 13306, and other IPs not to be able to access 13306.
How do I set this up?
I tried to limit it in the INPUT chain, but failed.
Code:
# Generated by iptables-save v1.4.7 on Sat Nov 28 13:29:40 2015
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A PREROUTING -p tcp -m tcp --dport 13306 -j DNAT --to-destination 192.168.2.34:3306
-A POSTROUTING -d 192.168.2.34 -p tcp -m tcp --dport 3306 -j SNAT --to-source 58.61.48.159
COMMIT
# Completed on Sat Nov 28 13:29:40 2015
# Generated by iptables-save v1.4.7 on Sat Nov 28 13:29:40 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [134:14800]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
##ssh
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# -A INPUT --dport 13306:13306 -j DROP
#-A INPUT -m state --state NEW -m tcp -p tcp --dport 13306 -j ACCEPT
#-A INPUT -s 113.118.110.250/32 -m state --state NEW -m tcp -p tcp --dport 13306 -j ACCEPT
######################
-A INPUT -j REJECT --reject-with icmp-host-prohibited
#-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sat Nov 28 13:29:40 2015
Last edited by 624867243@qq.com; 11-30-2015 at 02:27 AM.
I suppose the rules are OK, but they are definitely not in the right order. A packet goes from rule to rule until there is a match. All packets with port 13306 will match the DROP rule, so they will be dropped and processing ends.
Solution: Move the DROP rule after the ACCEPT rules.
Also, --dport doesn't require a range; a single number is sufficient.
Like this?
Code:
# Generated by iptables-save v1.4.7 on Sat Nov 28 13:29:40 2015
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A PREROUTING -p tcp -m tcp --dport 13306 -j DNAT --to-destination 192.168.2.34:3306
-A POSTROUTING -d 192.168.2.34 -p tcp -m tcp --dport 3306 -j SNAT --to-source 58.61.48.159
##
-A PREROUTING -s 113.118.110.250 -p tcp -m tcp --dport 13306 -j DNAT --to-destination 192.168.2.34:3306
COMMIT
# Completed on Sat Nov 28 13:29:40 2015
# Generated by iptables-save v1.4.7 on Sat Nov 28 13:29:40 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [134:14800]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
##ssh
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# -A INPUT --dport 13306:13306 -j DROP
#-A INPUT -m state --state NEW -m tcp -p tcp --dport 13306 -j ACCEPT
#-A INPUT -s 113.118.110.250/32 -m state --state NEW -m tcp -p tcp --dport 13306 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 13306 -j DROP
######################
-A INPUT -j REJECT --reject-with icmp-host-prohibited
#-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sat Nov 28 13:29:40 2015
Last edited by 624867243@qq.com; 11-30-2015 at 02:16 AM.
Ooops, I hadn't seen the NAT table rules. A packet comes in and will first go into the PREROUTING chain. If its destination port is 13306, the destination is rewritten to be 192.168.2.34:3306. I think this means it won't even go into the INPUT chain (except if 192.168.2.34 is the present system).
Whether it enters the INPUT chain or not, none of the 13306 rules in the INPUT chain will ever match.
It's not clear to me what you want to achieve. Can you confirm it's this:
packets from 113.118.110.250 with dport 13306 will be rewritten to 58.61.48.159:3306
other packets with dport 13306 will be dropped
Correct?
If so, I don't understand the DNAT to 192.168.2.34.
Also, packets will only go through the second POSTROUTING rule if they exit via a different interface than eth0.
Server A has two Network Interface Cards: eth0 is 58.61.48.159, eth1 is 192.168.2.2/24.
Server B has one Network Interface Card: eth0 is 192.168.2.34/24.
Server A and Server B are on the same LAN.
I want packets from 113.118.110.250 with dport 13306 to be rewritten to 192.168.2.34:3306.
Other packets with dport 13306 should be dropped.
Do you understand?
First, let me reveal that I am not that much of an expert with iptables. I want to learn myself.
I think what you want to achieve can be done with two rules in PREROUTING:
Code:
# rewrite destination for packets from whitelisted address. The packet will not enter INPUT.
-A PREROUTING -s 113.118.110.250/32 -m tcp -p tcp --dport 13306 -j DNAT --to-destination 192.168.2.34:3306
# drop anything else
-A PREROUTING -p tcp -m tcp --dport 13306 -j DROP
Also don't forget to enable forwarding.
Since no packets with dport 13306 will enter INPUT, you don't need anything in INPUT.
Nothing in FORWARD either, I would think.
Keep the two POSTROUTING rules; I probably understand them now.
OK, please try this out for me, so that I know I am right.
Just one rule is enough:
-A PREROUTING -s 113.118.110.250 -p tcp -m tcp --dport 13306 -j DNAT --to-destination 192.168.2.34:3306
and
"-A PREROUTING -p tcp -m tcp --dport 13306 -j DROP" is redundant.
Thank you very much!
Last edited by 624867243@qq.com; 11-30-2015 at 02:59 AM.
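The following is an added illustration, not code from any post in this thread and not iptables itself: a small first-match model of the packet path on Server A (nat PREROUTING, then the routing decision into filter INPUT or FORWARD). It takes the addresses from the thread, leaves out conntrack state, OUTPUT and POSTROUTING, and uses a constructed test address (198.51.100.7) for the non-whitelisted client. It shows why the unconditional DNAT from the first post lets every client through, why the source-restricted DNAT from the final post needs no extra DROP (the unmatched packet stays addressed to Server A and hits the INPUT REJECT), and the rule-ordering point from the first reply.

```python
# Added illustration: a tiny first-match model of the iptables packet path
# (nat PREROUTING -> routing decision -> filter INPUT or FORWARD), used to
# check how the rule sets from this thread treat a NEW inbound connection.
# It is NOT iptables and not code from any post; conntrack state, OUTPUT
# and POSTROUTING are deliberately left out.
from dataclasses import dataclass, replace as dc_replace
from typing import List, Optional, Tuple

# Addresses taken from the thread.
SERVER_A_PUBLIC = "58.61.48.159"
SERVER_A_LAN = "192.168.2.2"
SERVER_B = "192.168.2.34"
WHITELIST = "113.118.110.250"
LOCAL_ADDRS = {SERVER_A_PUBLIC, SERVER_A_LAN}   # destinations Server A delivers locally


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    target: str                            # ACCEPT, DROP, REJECT or DNAT
    src: Optional[str] = None              # -s
    dport: Optional[int] = None            # --dport
    proto: Optional[str] = None            # -p
    to: Optional[Tuple[str, int]] = None   # --to-destination for DNAT

    def matches(self, pkt: Packet) -> bool:
        return ((self.src is None or pkt.src == self.src)
                and (self.dport is None or pkt.dport == self.dport)
                and (self.proto is None or pkt.proto == self.proto))


def run_chain(rules: List[Rule], pkt: Packet, policy: str = "ACCEPT"):
    """Walk a chain with first-match semantics; return (verdict, possibly rewritten packet)."""
    for rule in rules:
        if rule.matches(pkt):
            if rule.target == "DNAT":
                host, port = rule.to
                return "ACCEPT", dc_replace(pkt, dst=host, dport=port)
            return rule.target, pkt
    return policy, pkt


def fate(prerouting: List[Rule], pkt: Packet, filter_input=None, filter_forward=None):
    """Return (verdict, chain that decided, final destination) for a NEW packet
    arriving on Server A."""
    filter_input = FILTER_INPUT if filter_input is None else filter_input
    filter_forward = FILTER_FORWARD if filter_forward is None else filter_forward
    verdict, pkt = run_chain(prerouting, pkt)
    if verdict != "ACCEPT":
        return verdict, "PREROUTING", (pkt.dst, pkt.dport)
    # Routing decision: a packet addressed to one of our own addresses goes to
    # INPUT; anything else (e.g. a DNATed packet for Server B) goes to FORWARD.
    if pkt.dst in LOCAL_ADDRS:
        verdict, pkt = run_chain(filter_input, pkt)
        return verdict, "INPUT", (pkt.dst, pkt.dport)
    verdict, pkt = run_chain(filter_forward, pkt)
    return verdict, "FORWARD", (pkt.dst, pkt.dport)


# The thread's filter table: ssh accepted, everything else rejected in INPUT;
# FORWARD left at policy ACCEPT (its REJECT rule is commented out in the post).
FILTER_INPUT = [Rule("ACCEPT", dport=22, proto="tcp"), Rule("REJECT")]
FILTER_FORWARD: List[Rule] = []

# First post: DNAT every connection to 13306, no source check.
ORIGINAL_PREROUTING = [Rule("DNAT", dport=13306, proto="tcp", to=(SERVER_B, 3306))]
# Final answer: DNAT only the whitelisted source; everyone else stays
# addressed to Server A itself and falls through to the INPUT REJECT.
RESTRICTED_PREROUTING = [Rule("DNAT", src=WHITELIST, dport=13306, proto="tcp",
                              to=(SERVER_B, 3306))]

# Rule-ordering point from the first reply, for a plain INPUT-only setup:
# a DROP placed before the whitelisted ACCEPT shadows it.
BAD_ORDER_INPUT = [Rule("DROP", dport=13306, proto="tcp"),
                   Rule("ACCEPT", src=WHITELIST, dport=13306, proto="tcp"),
                   Rule("REJECT")]
GOOD_ORDER_INPUT = [Rule("ACCEPT", src=WHITELIST, dport=13306, proto="tcp"),
                    Rule("DROP", dport=13306, proto="tcp"),
                    Rule("REJECT")]

if __name__ == "__main__":
    allowed = Packet(WHITELIST, SERVER_A_PUBLIC, 13306)
    stranger = Packet("198.51.100.7", SERVER_A_PUBLIC, 13306)   # constructed address
    for name, pre in (("original", ORIGINAL_PREROUTING), ("restricted", RESTRICTED_PREROUTING)):
        print(name, "whitelisted:", fate(pre, allowed))
        print(name, "stranger:   ", fate(pre, stranger))
    print("bad order, whitelisted: ", fate([], allowed, filter_input=BAD_ORDER_INPUT))
    print("good order, whitelisted:", fate([], allowed, filter_input=GOOD_ORDER_INPUT))
```

Running it shows the stranger reaching FORWARD (and so Server B) under the original rules, but being rejected in INPUT under the restricted DNAT, while the whitelisted client is forwarded to 192.168.2.34:3306 in both cases. The model also makes the first reply's ordering point concrete: with the DROP ahead of the ACCEPT, even the whitelisted source is dropped. Real deployments additionally need net.ipv4.ip_forward enabled and the RELATED,ESTABLISHED rule for return traffic, which this model does not represent.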