LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices


Reply
  Search this Thread
Old 05-18-2012, 08:25 AM   #1
chuikingman
Member
 
Registered: Aug 2009
Posts: 91

Rep: Reputation: 16
iptable port forward between two lan interface


Hi,
How can I config iptables to allow port forwarding from one WAN interface to second lan interface .

In my system I have one wan interface 61.93.204.56 (eth0),and lan interface 10.2.1.52(eth1)
I want to make port forward port no 22 from 61.93.204.56 to
port 22 , 10.2.1.52 , tcp and udp

I try below command but all are not work
Code:
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 22 -j DNAT --to-destination 10.2.1.52:22
iptables -A FORWARD -p tcp -d 10.2.1.52 --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -p udp -i eth0 --dport 22 -j DNAT --to-destination 10.2.1.52:22
iptables -A FORWARD -p udp -d 10.2.1.52 --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
Code:
iptables -A PREROUTING  -p tcp -m tcp -d 61.93.204.56 --dport 22 -j DNAT --to-destination 10.2.1.52:22

iptables -A FORWARD -m state -p tcp -d 10.2.1.52 --dport 22 --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A POSTROUTING -p tcp -m tcp -s 10.2.1.52 --sport 22 -j SNAT --to-source 61.93.204.56
Code:
iptables -A PREROUTING -t nat -i eth0 -p udp --dport 22 -j DNAT --to 10.2.1.52:22
iptables -A INPUT -p udp -m state --state NEW --dport 22 -i eth0 -j ACCEPT

iptables -A FORWARD -p tcp -m state --state NEW -d 10.2.1.52 --dport 22 -j ACCEPT

Code:
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 22 -j DNAT --to 10.2.1.52:2
iptables -A FORWARD -p tcp -i eth0 -o eth2 -d 10.2.1.52 --dport 22 -j ACCEPT
Please advice how can I make it work .

And how can I open debug for above iptables rule and see what is wrong ???
Please advice ..
 
Old 05-18-2012, 09:55 AM   #2
TenTenths
Senior Member
 
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7
Posts: 2,862

Rep: Reputation: 1151Reputation: 1151Reputation: 1151Reputation: 1151Reputation: 1151Reputation: 1151Reputation: 1151Reputation: 1151Reputation: 1151
Why would you want to do this when both IPs are on the same machine?
 
Old 05-18-2012, 05:54 PM   #3
chuikingman
Member
 
Registered: Aug 2009
Posts: 91

Original Poster
Rep: Reputation: 16
Quote:
Originally Posted by TenTenths View Post
Why would you want to do this when both IPs are on the same machine?
One for WAN/internet interface ,and another for LAN / internal lan interface .
This machine act as gateway and prevent outside access the internal machine directly .
 
Old 05-19-2012, 01:29 AM   #4
hua
Member
 
Registered: Oct 2006
Location: Slovak Republic
Distribution: Slackware 14.2, current
Posts: 436

Rep: Reputation: 61
Try this:
Quote:
iptables -t nat -A POSTROUTING --out-interface eth0 -j MASQUERADE
iptables -A FORWARD --in-interface eth2 -j ACCEPT

iptables -t nat -A PREROUTING -p tcp -i eth0 -m tcp --dport 22 -j DNAT --to-destination 10.2.1.52:22
...
- the last line is repeated for another ports

For debugging is the best to use tcpdump or/and wireshark to see the traffic. Also you can use logging in iptables.
Quote:
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j LOG --log-level 4
If you insert this before the line of port forwarding rule, you should see all connection for port 22 in logs just before actual forwarding. This way you can find out whether a connection to 22 reaches this forward rule.
- By the way you use DHCP or static IPs?
- Did you configure eth2 to be the gateway for subnet 10.2.1.0/24 (I mean for static 10.2.1.1 for example)?

Last edited by hua; 05-19-2012 at 01:32 AM.
 
Old 05-20-2012, 01:26 AM   #5
chuikingman
Member
 
Registered: Aug 2009
Posts: 91

Original Poster
Rep: Reputation: 16
Quote:
Originally Posted by hua View Post
Try this:

- the last line is repeated for another ports

For debugging is the best to use tcpdump or/and wireshark to see the traffic. Also you can use logging in iptables.

If you insert this before the line of port forwarding rule, you should see all connection for port 22 in logs just before actual forwarding. This way you can find out whether a connection to 22 reaches this forward rule.
- By the way you use DHCP or static IPs?
- Did you configure eth2 to be the gateway for subnet 10.2.1.0/24 (I mean for static 10.2.1.1 for example)?
I try below

eth 1 10.2.1.11/24
eth0 61.93.204.56

forwarding from eth0 61.93.204.56 port 22 to eth1 10.2.1.52 port 22

below forward ssh port 22
iptables -t nat -A POSTROUTING --out-interface eth1 -j MASQUERADE
iptables -A FORWARD --in-interface eth0 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i eth0 -m tcp --dport 22 -j DNAT --to-destination 10.2.1.52:22


It is working .Thankyou
 
Old 05-21-2012, 09:04 AM   #6
hua
Member
 
Registered: Oct 2006
Location: Slovak Republic
Distribution: Slackware 14.2, current
Posts: 436

Rep: Reputation: 61
Quote:
Originally Posted by chuikingman View Post
It is working .Thankyou
You are welcome
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Port forward from outside world to internal LAN-facing virtualized Win2k3 Server lazarus89 Linux - Networking 3 07-06-2008 11:53 PM
forward port 80 to internal LAN network PC kevint Linux - Security 4 04-24-2006 08:22 AM
Port forward ftp to windoz server (lan) dulaus Linux - Networking 6 06-11-2003 03:08 PM
Port forward blocking internal lan clients dulaus Linux - Security 1 06-06-2003 06:38 PM
Forward port port 80 to lan web server dulaus Linux - Networking 9 10-04-2002 03:45 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Server

All times are GMT -5. The time now is 11:34 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration