Iptables 1 port forwarding (solved)

Issues related to configuring your network
Stray Queen Hook
Posts: 2
Joined: 2018/05/07 10:37:56

Iptables 1 port forwarding (solved)

Postby Stray Queen Hook » 2018/05/07 10:55:30

Hi,

Please help me to forward 1 port (tcp and udp) to client.
Centos 6 has L2TP/IPSec server on it.
There's only 1 client that connects to VPN server and acquires a static IP address (192.168.42.43).

This is what /etc/sysconfig/iptables looked like before I started trying to do it:


# Generated by iptables-save v1.4.7 on Mon May  7 00:25:03 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [188554:43325147]
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol none -j DROP
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i eth0 -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ppp+ -o eth0 -j ACCEPT
-A FORWARD -s 192.168.42.0/24 -d 192.168.42.0/24 -i ppp+ -o ppp+ -j ACCEPT
-A FORWARD -d 192.168.43.0/24 -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.43.0/24 -o eth0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j DROP 
COMMIT
# Completed on Mon May  7 00:25:03 2018
# Generated by iptables-save v1.4.7 on Mon May  7 00:25:03 2018
*nat
:PREROUTING ACCEPT [53:3049]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [10:712]
-A POSTROUTING -s 192.168.42.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.43.0/24 -o eth0 -m policy --dir out --pol none -j MASQUERADE
COMMIT
# Completed on Mon May  7 00:25:03 2018


Then I executed these commands:


iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 77.1.204.240
iptables -A INPUT -p udp --dport 62841 -j ACCEPT
iptables -A INPUT -p tcp --dport 62841 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.42.43 --dport 62841 -j ACCEPT
iptables -A FORWARD -p udp -d 192.168.42.43 --dport 62841 -j ACCEPT
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 62841 -j DNAT --to 192.168.42.43:62841
iptables -A PREROUTING -t nat -i eth0 -p udp --dport 62841 -j DNAT --to 192.168.42.43:62841


...so it looks like this:


# Generated by iptables-save v1.4.7 on Mon May  7 00:25:03 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [188554:43325147]
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol none -j DROP
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 62841 -j ACCEPT
-A INPUT -p udp -m udp --dport 62841 -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i eth0 -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ppp+ -o eth0 -j ACCEPT
-A FORWARD -s 192.168.42.0/24 -d 192.168.42.0/24 -i ppp+ -o ppp+ -j ACCEPT
-A FORWARD -d 192.168.43.0/24 -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.43.0/24 -o eth0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j DROP
-A FORWARD -d 192.168.42.43/32 -p udp -m udp --dport 62841 -j ACCEPT
-A FORWARD -d 192.168.42.43/32 -p tcp -m tcp --dport 62841 -j ACCEPT
COMMIT
# Completed on Mon May  7 00:25:03 2018
# Generated by iptables-save v1.4.7 on Mon May  7 00:25:03 2018
*nat
:PREROUTING ACCEPT [53:3049]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [10:712]
-A PREROUTING -i eth0 -p udp -m udp --dport 62841 -j DNAT --to-destination 192.168.42.43:62841
-A PREROUTING -i eth0 -p tcp -m tcp --dport 62841 -j DNAT --to-destination 192.168.42.43:62841
-A POSTROUTING -s 192.168.42.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.43.0/24 -o eth0 -m policy --dir out --pol none -j MASQUERADE
-A POSTROUTING -o eth0 -j SNAT --to-source 193.124.185.66
COMMIT
# Completed on Mon May  7 00:25:03 2018


Sadly, port 62841 is still inaccessible on 192.168.42.43...
I also tried to comment these lines:


##-A FORWARD -j DROP
##-A POSTROUTING -s 192.168.42.0/24 -o eth0 -j MASQUERADE


Thanks in advance!
Last edited by Stray Queen Hook on 2018/05/07 11:16:47, edited 1 time in total.

TrevorH
Forum Moderator
Posts: 22590
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Iptables 1 port forwarding

Postby TrevorH » 2018/05/07 10:59:33

-A INPUT -j REJECT --reject-with icmp-host-prohibited


See that rule about half way down? Once it hits that, everything stops processing and any subsequent rules are ignored. You need to -I insert the new rules before that one, not -A append them after it.
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke
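Added example (not from the thread or either poster): a small linter that reads an iptables-save dump, reports every rule that can never match because it sits below an unconditional REJECT/DROP/ACCEPT in its chain, and emits the `-I` commands that re-add those rules just above the blocker. Only a rule with no match options counts as unconditional, so the conditional `--dport 1701 ... -j DROP` rules are correctly not treated as blockers; the sample dump is a constructed excerpt of the poster's *filter table.

```python
import re

# Constructed excerpt of the poster's *filter table after the '-A' commands (counters omitted).
SAMPLE = """\
*filter
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 62841 -j ACCEPT
-A INPUT -p udp -m udp --dport 62841 -j ACCEPT
-A FORWARD -i ppp+ -o eth0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j DROP
-A FORWARD -d 192.168.42.43/32 -p udp -m udp --dport 62841 -j ACCEPT
-A FORWARD -d 192.168.42.43/32 -p tcp -m tcp --dport 62841 -j ACCEPT
COMMIT
"""

TERMINATING = {"ACCEPT", "DROP", "REJECT"}
RULE_RE = re.compile(r"^-A\s+(\S+)\s+(.*?)\s*-j\s+(\S+)")  # chain, matches, target

def find_shadowed(dump):
    """(table, chain, blocker position, rule) for each rule below an unconditional terminator."""
    table, blocker, count, shadowed = None, {}, {}, []
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):                 # new table: chains start over
            table, blocker, count = line[1:], {}, {}
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        chain, matches, target = m.groups()
        count[chain] = count.get(chain, 0) + 1   # 1-based rule position in the chain
        if chain in blocker:
            shadowed.append((table, chain, blocker[chain], line))
        elif not matches and target in TERMINATING:
            blocker[chain] = count[chain]        # nothing below this rule can ever match
    return shadowed

def fix_commands(shadowed):
    """'iptables -I' commands placing each shadowed rule just above its blocker, in original order."""
    cmds, inserted = [], {}
    for table, chain, pos, line in shadowed:
        if RULE_RE.match(line).group(2) == "":
            continue                             # bare terminator (e.g. '-j DROP'): delete, don't move
        k = inserted.get((table, chain), 0)
        body = line.split(None, 2)[2]            # strip "-A CHAIN"
        cmds.append(f"iptables -t {table} -I {chain} {pos + k} {body}")
        inserted[(table, chain)] = k + 1
    return cmds
```

On this dump it also reports the original `-A FORWARD -j DROP` as dead, since it already sits below an unconditional REJECT, which is why commenting it out changed nothing.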

Stray Queen Hook
Posts: 2
Joined: 2018/05/07 10:37:56

Re: Iptables 1 port forwarding (solved)

Postby Stray Queen Hook » 2018/05/07 11:13:46

TrevorH wrote:
-A INPUT -j REJECT --reject-with icmp-host-prohibited


See that rule about half way down? Once it hits that, everything stops processing and any subsequent rules are ignored. You need to -I insert the new rules before that one, not -A append them after it.


You're wonderful!
Thank you very much!