LinuxQuestions.org

Linux - Server: iptable port forward between two lan interface (https://www.linuxquestions.org/questions/linux-server-73/iptable-port-forward-between-two-lan-interface-945719/)

chuikingman 05-18-2012 08:25 AM

iptable port forward between two lan interface
 
Hi,
How can I configure iptables to allow port forwarding from one WAN interface to a second LAN interface?

In my system I have one WAN interface, 61.93.204.56 (eth0), and a LAN interface, 10.2.1.52 (eth1).
I want to port forward port 22 from 61.93.204.56 to
port 22 on 10.2.1.52, TCP and UDP.

I tried the commands below, but none of them work.
Code:

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 22 -j DNAT --to-destination 10.2.1.52:22
iptables -A FORWARD -p tcp -d 10.2.1.52 --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -p udp -i eth0 --dport 22 -j DNAT --to-destination 10.2.1.52:22
iptables -A FORWARD -p udp -d 10.2.1.52 --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Code:

iptables -A PREROUTING  -p tcp -m tcp -d 61.93.204.56 --dport 22 -j DNAT --to-destination 10.2.1.52:22

iptables -A FORWARD -m state -p tcp -d 10.2.1.52 --dport 22 --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A POSTROUTING -p tcp -m tcp -s 10.2.1.52 --sport 22 -j SNAT --to-source 61.93.204.56

Code:

iptables -A PREROUTING -t nat -i eth0 -p udp --dport 22 -j DNAT --to 10.2.1.52:22
iptables -A INPUT -p udp -m state --state NEW --dport 22 -i eth0 -j ACCEPT

iptables -A FORWARD -p tcp -m state --state NEW -d 10.2.1.52 --dport 22 -j ACCEPT


Code:

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 22 -j DNAT --to 10.2.1.52:2
iptables -A FORWARD -p tcp -i eth0 -o eth2 -d 10.2.1.52 --dport 22 -j ACCEPT

Please advise how I can make it work.

And how can I enable debugging for the above iptables rules to see what is wrong?
Please advise.

TenTenths 05-18-2012 09:55 AM

Why would you want to do this when both IPs are on the same machine?

chuikingman 05-18-2012 05:54 PM

Quote:

Originally Posted by TenTenths (Post 4681869)
Why would you want to do this when both IPs are on the same machine?

One is the WAN/internet interface, and the other is the LAN/internal interface.
This machine acts as a gateway and prevents outside access to the internal machines directly.

hua 05-19-2012 01:29 AM

Try this:
Quote:

iptables -t nat -A POSTROUTING --out-interface eth0 -j MASQUERADE
iptables -A FORWARD --in-interface eth2 -j ACCEPT

iptables -t nat -A PREROUTING -p tcp -i eth0 -m tcp --dport 22 -j DNAT --to-destination 10.2.1.52:22
...
- the last line is repeated for the other ports

For debugging, it is best to use tcpdump and/or wireshark to see the traffic. You can also use logging in iptables.
Quote:

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j LOG --log-level 4
If you insert this before the port forwarding rule, you should see all connections to port 22 in the logs just before the actual forwarding. This way you can find out whether a connection to port 22 reaches the forward rule.
- By the way, do you use DHCP or static IPs?
- Did you configure eth2 to be the gateway for subnet 10.2.1.0/24 (I mean a static 10.2.1.1, for example)?

chuikingman 05-20-2012 01:26 AM

Quote:

Originally Posted by hua (Post 4682405)
Try this:

- the last line is repeated for the other ports

For debugging, it is best to use tcpdump and/or wireshark to see the traffic. You can also use logging in iptables.

If you insert this before the port forwarding rule, you should see all connections to port 22 in the logs just before the actual forwarding. This way you can find out whether a connection to port 22 reaches the forward rule.
- By the way, do you use DHCP or static IPs?
- Did you configure eth2 to be the gateway for subnet 10.2.1.0/24 (I mean a static 10.2.1.1, for example)?

I tried the following:

eth1 10.2.1.11/24
eth0 61.93.204.56

forwarding from eth0 61.93.204.56 port 22 to eth1 10.2.1.52 port 22

The rules below forward SSH port 22:
iptables -t nat -A POSTROUTING --out-interface eth1 -j MASQUERADE
iptables -A FORWARD --in-interface eth0 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i eth0 -m tcp --dport 22 -j DNAT --to-destination 10.2.1.52:22


It is working. Thank you.
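The DNAT rule from hua's answer and the final working set above let the forward work, but "-A FORWARD --in-interface eth0 -j ACCEPT" forwards every WAN packet, and the MASQUERADE on eth1 hides the real client address from the internal host. The script below is an added example (not from the thread) that keeps the same DNAT but limits FORWARD to the forwarded port plus reply traffic, masquerades only LAN-to-WAN traffic, and puts the debug LOG rule in FORWARD, since DNAT'ed packets never traverse INPUT. Interface names, addresses and the port are assumptions taken from the thread and can be overridden through environment variables; rules are only printed unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the thread): a tightened form of the port forward.
# Assumed values come from the thread; override them via the environment.
# Rules are printed unless APPLY=1, so they can be reviewed before use.

WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
WAN_IP=${WAN_IP:-61.93.204.56}
TARGET=${TARGET:-10.2.1.52}
PORT=${PORT:-22}

# Emit the rule set, one command per line. FORWARD admits only the DNAT'ed
# port from the WAN, new LAN-to-WAN connections, and reply traffic; all other
# forwarded traffic is dropped. MASQUERADE is applied only on the WAN side, so
# the target host still sees the real client IP in its own logs.
pf_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp -d $WAN_IP --dport $PORT -j DNAT --to-destination $TARGET:$PORT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $TARGET --dport $PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -j DROP
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
EOF
}

# Debug rule: after DNAT the packet is routed through FORWARD (not INPUT), so
# logging new connections there confirms the DNAT happened and the packet
# reached the accept rule. Inserted at position 1 so nothing shadows it.
debug_rule() {
    printf 'iptables -I FORWARD 1 -i %s -p tcp -d %s --dport %s -m conntrack --ctstate NEW -j LOG --log-prefix "pf-%s: " --log-level 4\n' \
        "$WAN_IF" "$TARGET" "$PORT" "$PORT"
}

# Print (default) or execute (APPLY=1, as root) each rule; DEBUG=1 adds the LOG rule.
apply_rules() {
    { pf_rules; if [ "${DEBUG:-0}" = 1 ]; then debug_rule; fi; } | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then sh -c "$cmd" || exit 1; else printf '%s\n' "$cmd"; fi
    done
}

apply_rules
```

Run once on an otherwise empty FORWARD chain; re-running appends duplicate rules, and the LOG output lands in the kernel log (dmesg or /var/log/messages) with the "pf-22:" prefix.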

hua 05-21-2012 09:04 AM

Quote:

Originally Posted by chuikingman (Post 4683027)
It is working. Thank you.

You are welcome :)

