Please help me to forward 1 port (tcp and udp) to client.
Centos 6 has L2TP/IPSec server on it.
There's only 1 client that connects to VPN server and acquires a static IP address (192.168.42.43).
This is how /etc/sysconfig/iptables looked like before I started trying to do it:
Code: Select all
# Generated by iptables-save v1.4.7 on Mon May 7 00:25:03 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [188554:43325147]
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol none -j DROP
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i eth0 -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ppp+ -o eth0 -j ACCEPT
-A FORWARD -s 192.168.42.0/24 -d 192.168.42.0/24 -i ppp+ -o ppp+ -j ACCEPT
-A FORWARD -d 192.168.43.0/24 -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.43.0/24 -o eth0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j DROP
COMMIT
# Completed on Mon May 7 00:25:03 2018
# Generated by iptables-save v1.4.7 on Mon May 7 00:25:03 2018
*nat
:PREROUTING ACCEPT [53:3049]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [10:712]
-A POSTROUTING -s 192.168.42.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.43.0/24 -o eth0 -m policy --dir out --pol none -j MASQUERADE
COMMIT
# Completed on Mon May 7 00:25:03 2018
Code: Select all
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 77.1.204.240
iptables -A INPUT -p udp --dport 62841 -j ACCEPT
iptables -A INPUT -p tcp --dport 62841 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.42.43 --dport 62841 -j ACCEPT
iptables -A FORWARD -p udp -d 192.168.42.43 --dport 62841 -j ACCEPT
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 62841 -j DNAT --to 192.168.42.43:62841
iptables -A PREROUTING -t nat -i eth0 -p udp --dport 62841 -j DNAT --to 192.168.42.43:62841
Code: Select all
# Generated by iptables-save v1.4.7 on Mon May 7 00:25:03 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [188554:43325147]
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol none -j DROP
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 62841 -j ACCEPT
-A INPUT -p udp -m udp --dport 62841 -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i eth0 -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ppp+ -o eth0 -j ACCEPT
-A FORWARD -s 192.168.42.0/24 -d 192.168.42.0/24 -i ppp+ -o ppp+ -j ACCEPT
-A FORWARD -d 192.168.43.0/24 -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.43.0/24 -o eth0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j DROP
-A FORWARD -d 192.168.42.43/32 -p udp -m udp --dport 62841 -j ACCEPT
-A FORWARD -d 192.168.42.43/32 -p tcp -m tcp --dport 62841 -j ACCEPT
COMMIT
# Completed on Mon May 7 00:25:03 2018
# Generated by iptables-save v1.4.7 on Mon May 7 00:25:03 2018
*nat
:PREROUTING ACCEPT [53:3049]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [10:712]
-A PREROUTING -i eth0 -p udp -m udp --dport 62841 -j DNAT --to-destination 192.168.42.43:62841
-A PREROUTING -i eth0 -p tcp -m tcp --dport 62841 -j DNAT --to-destination 192.168.42.43:62841
-A POSTROUTING -s 192.168.42.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.43.0/24 -o eth0 -m policy --dir out --pol none -j MASQUERADE
-A POSTROUTING -o eth0 -j SNAT --to-source 77.1.204.240
COMMIT
# Completed on Mon May 7 00:25:03 2018
I also tried to comment these lines:
Code: Select all
##-A FORWARD -j DROP
##-A POSTROUTING -s 192.168.42.0/24 -o eth0 -j MASQUERADE