iptables routing

Issues related to configuring your network
jst7
Posts: 1
Joined: 2017/07/03 11:36:33

iptables routing

Post by jst7 » 2017/07/03 11:43:08

I need to redirect network traffic using iptables.

I use this:
sysctl net.ipv4.ip_forward=1
service network restart

sudo iptables -t nat -A PREROUTING -p tcp -s 192.168.1.215 --dport 990 -j DNAT --to-destination {serverIp}:990
sudo iptables -t nat -A PREROUTING -p tcp -s {serverIp} --dport 990 -j DNAT --to-destination 192.168.1.215:990

iptables -t nat -A POSTROUTING -j MASQUERADE

* In Ubuntu it works.
Do you know what is wrong?

Thanks

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: iptables routing

Post by TrevorH » 2017/07/03 15:25:13

sudo iptables -t nat -A PREROUTING -p tcp -s 192.168.1.215 --dport 990 -j DNAT --to-destination {serverIp}:990
sudo iptables -t nat -A PREROUTING -p tcp -s {serverIp} --dport 990 -j DNAT --to-destination 192.168.1.215:990
Are you sure you meant to use -s in both of those?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: iptables routing

Post by jlehtone » 2017/07/07 12:56:38

Why two rules and why the blanket SNAT?

AFAIK, when A sends a packet to B and B redirects it to a new destination, C,
B retains state for that connection so that replies from C are automatically
relabeled with "from=B".

That assumes that C replies to A via B.


There is another part missing. B has received a packet. PREROUTING has
rewritten the packet into (from=A, to=C). Now comes routing. This packet is not
for B and thus B must forward it. net.ipv4.ip_forward=1 allows forwarding.
Forwarded packets enter netfilter's FORWARD chain. The default setup has only
one rule in FORWARD, and that is REJECT.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: iptables routing

Post by TrevorH » 2017/07/07 15:05:24

Also service network restart resets that...

[root@centos7 ~]# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0
[root@centos7 ~]# sysctl net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
[root@centos7 ~]# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
[root@centos7 ~]# sc restart network
[root@centos7 ~]# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0

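Putting the three points of the thread together (one DNAT rule is enough because conntrack handles the replies; SNAT should be scoped rather than a blanket MASQUERADE; the FORWARD chain must accept the flow and ip_forward must be persisted so a network restart does not reset it), here is an added example. It is not code from any of the posters. It keeps the client 192.168.1.215 from the first post and assumes a placeholder server 10.0.0.5 and outgoing interface eth0; the FORWARD dump it checks is constructed, not captured. It only generates the ruleset and checks, so it runs without root; load the output with iptables-restore on the real box.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates the minimal ruleset for the
# topology discussed (A = client, B = this box doing the DNAT, C = real server)
# and persists ip_forward so "service network restart" does not flip it back to 0.
# The client/server/port/interface values passed in below are placeholder assumptions.

# Emit an iptables-restore(8) ruleset for one forwarded TCP port.
# One PREROUTING rule is enough: conntrack remembers the DNAT and rewrites the
# replies from $server back to B's address on their way to the client.
gen_forward_rules() {
    client="$1"; server="$2"; port="$3"; out_if="$4"
    cat <<EOF
*nat
-A PREROUTING -p tcp -s $client --dport $port -j DNAT --to-destination $server:$port
# SNAT only this flow, and only needed if $server would not route replies back via B.
# A bare "-A POSTROUTING -j MASQUERADE" would rewrite every forwarded packet.
-A POSTROUTING -o $out_if -p tcp -d $server --dport $port -j MASQUERADE
COMMIT
*filter
# The stock FORWARD chain ends in REJECT, so the forwarded flow needs an explicit ACCEPT.
# After DNAT the packet's destination is already $server, so match on that.
-A FORWARD -p tcp -d $server --dport $port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Constructed sample of "iptables -S FORWARD" on a stock CentOS box (not captured output).
SAMPLE_FORWARD_DUMP='-P FORWARD ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited'

# Return 0 if a FORWARD chain dump contains a blanket REJECT, i.e. forwarded traffic
# is rejected even though DNAT and ip_forward are both in place.
forward_is_blocked() {
    printf '%s\n' "$1" | grep -q -- '^-A FORWARD -j REJECT'
}

# Write a sysctl.d fragment so ip_forward is reapplied by the network scripts.
# $1 is the file to write; on a real box use /etc/sysctl.d/99-ip-forward.conf.
persist_ip_forward() {
    printf 'net.ipv4.ip_forward = 1\n' > "$1"
}

# Demo run: sh forward.sh --demo
if [ "${1-}" = "--demo" ]; then
    gen_forward_rules 192.168.1.215 10.0.0.5 990 eth0
    if forward_is_blocked "$SAMPLE_FORWARD_DUMP"; then
        echo "FORWARD chain still rejects everything; load the ruleset with iptables-restore" >&2
    fi
fi
```

Load the generated ruleset with `iptables-restore < rules.txt` (it replaces the nat and filter tables, so merge it with any existing rules first), then confirm with `iptables -t nat -S` and `iptables -S FORWARD` that the DNAT rule appears once and the ACCEPT rules sit before the REJECT.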