Iptables 1 port forwarding (solved)

Stray Queen Hook
Posts: 2
Joined: 2018/05/07 10:37:56

Iptables 1 port forwarding (solved)

Post by Stray Queen Hook » 2018/05/07 10:55:30

Hi,

Please help me to forward 1 port (tcp and udp) to a client.
CentOS 6 has an L2TP/IPSec server on it.
There's only 1 client that connects to VPN server and acquires a static IP address (192.168.42.43).

This is what /etc/sysconfig/iptables looked like before I started trying to do it:

Code:

# Generated by iptables-save v1.4.7 on Mon May  7 00:25:03 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [188554:43325147]
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol none -j DROP 
-A INPUT -m conntrack --ctstate INVALID -j DROP 
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT 
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT 
-A INPUT -p udp -m udp --dport 1701 -j DROP 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A INPUT -j REJECT --reject-with icmp-host-prohibited 
-A FORWARD -m conntrack --ctstate INVALID -j DROP 
-A FORWARD -i eth0 -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -i ppp+ -o eth0 -j ACCEPT 
-A FORWARD -s 192.168.42.0/24 -d 192.168.42.0/24 -i ppp+ -o ppp+ -j ACCEPT 
-A FORWARD -d 192.168.43.0/24 -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -s 192.168.43.0/24 -o eth0 -j ACCEPT 
-A FORWARD -j REJECT --reject-with icmp-host-prohibited 
-A FORWARD -j DROP  
COMMIT
# Completed on Mon May  7 00:25:03 2018
# Generated by iptables-save v1.4.7 on Mon May  7 00:25:03 2018
*nat
:PREROUTING ACCEPT [53:3049]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [10:712]
-A POSTROUTING -s 192.168.42.0/24 -o eth0 -j MASQUERADE 
-A POSTROUTING -s 192.168.43.0/24 -o eth0 -m policy --dir out --pol none -j MASQUERADE
COMMIT
# Completed on Mon May  7 00:25:03 2018
Then I executed these commands:

Code:

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 77.1.204.240
iptables -A INPUT -p udp --dport 62841 -j ACCEPT
iptables -A INPUT -p tcp --dport 62841 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.42.43 --dport 62841 -j ACCEPT
iptables -A FORWARD -p udp -d 192.168.42.43 --dport 62841 -j ACCEPT
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 62841 -j DNAT --to 192.168.42.43:62841
iptables -A PREROUTING -t nat -i eth0 -p udp --dport 62841 -j DNAT --to 192.168.42.43:62841
...so it looks like this:

Code:

# Generated by iptables-save v1.4.7 on Mon May  7 00:25:03 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [188554:43325147]
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol none -j DROP 
-A INPUT -m conntrack --ctstate INVALID -j DROP 
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT 
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT 
-A INPUT -p udp -m udp --dport 1701 -j DROP 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A INPUT -j REJECT --reject-with icmp-host-prohibited 
-A INPUT -p tcp -m tcp --dport 62841 -j ACCEPT 
-A INPUT -p udp -m udp --dport 62841 -j ACCEPT 
-A FORWARD -m conntrack --ctstate INVALID -j DROP 
-A FORWARD -i eth0 -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -i ppp+ -o eth0 -j ACCEPT 
-A FORWARD -s 192.168.42.0/24 -d 192.168.42.0/24 -i ppp+ -o ppp+ -j ACCEPT 
-A FORWARD -d 192.168.43.0/24 -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -s 192.168.43.0/24 -o eth0 -j ACCEPT 
-A FORWARD -j REJECT --reject-with icmp-host-prohibited 
-A FORWARD -j DROP 
-A FORWARD -d 192.168.42.43/32 -p udp -m udp --dport 62841 -j ACCEPT 
-A FORWARD -d 192.168.42.43/32 -p tcp -m tcp --dport 62841 -j ACCEPT 
COMMIT
# Completed on Mon May  7 00:25:03 2018
# Generated by iptables-save v1.4.7 on Mon May  7 00:25:03 2018
*nat
:PREROUTING ACCEPT [53:3049]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [10:712]
-A PREROUTING -i eth0 -p udp -m udp --dport 62841 -j DNAT --to-destination 192.168.42.43:62841
-A PREROUTING -i eth0 -p tcp -m tcp --dport 62841 -j DNAT --to-destination 192.168.42.43:62841
-A POSTROUTING -s 192.168.42.0/24 -o eth0 -j MASQUERADE 
-A POSTROUTING -s 192.168.43.0/24 -o eth0 -m policy --dir out --pol none -j MASQUERADE 
-A POSTROUTING -o eth0 -j SNAT --to-source 193.124.185.66 
COMMIT
# Completed on Mon May  7 00:25:03 2018
Sadly, port 62841 is still inaccessible on 192.168.42.43...
I also tried commenting out these lines:

Code:

##-A FORWARD -j DROP 
##-A POSTROUTING -s 192.168.42.0/24 -o eth0 -j MASQUERADE
Thanks in advance!
Last edited by Stray Queen Hook on 2018/05/07 11:16:47, edited 1 time in total.

TrevorH
Forum Moderator
Posts: 23176
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Iptables 1 port forwarding

Post by TrevorH » 2018/05/07 10:59:33

-A INPUT -j REJECT --reject-with icmp-host-prohibited
See that rule about half way down? Once it hits that, everything stops processing and any subsequent rules are ignored. You need to -I insert the new rules before that one, not -A append them after it.
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke
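The audit that follows from TrevorH's point, as an added example that is not code from this thread: a small Python script that parses an iptables-save dump (a constructed, trimmed copy of the poster's *filter table after the appends), reports every rule sitting after a catch-all terminating rule in its chain, and emits the iptables -D / -I commands that would move such rules in front of it. The function names and the sample are my own.

```python
SAMPLE_SAVE = """\
*filter
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 62841 -j ACCEPT
-A INPUT -p udp -m udp --dport 62841 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j DROP
-A FORWARD -d 192.168.42.43/32 -p udp -m udp --dport 62841 -j ACCEPT
COMMIT
"""  # constructed: trimmed copy of the poster's *filter table after the appends
TERMINATING = {"ACCEPT", "DROP", "REJECT"}

def parse_chains(save_text):
    # chain name -> ordered rule specs (the text after "-A CHAIN ")
    chains = {}
    for line in save_text.splitlines():
        if line.startswith("-A "):
            _, chain, spec = line.rstrip().split(" ", 2)
            chains.setdefault(chain, []).append(spec)
    return chains

def is_catch_all(spec):
    # No match options before -j: hits every packet, and a terminating target ends the chain
    tokens = spec.split()
    return tokens[0] == "-j" and tokens[1] in TERMINATING

def shadowed_rules(chains):
    # (chain, 1-based position, spec) for every rule placed after a catch-all
    found = []
    for chain, specs in chains.items():
        blocked = False
        for pos, spec in enumerate(specs, 1):
            if blocked:
                found.append((chain, pos, spec))
            elif is_catch_all(spec):
                blocked = True
    return found

def repair_commands(chains):
    # Move each shadowed, non-catch-all rule in front of the first catch-all.
    # Deletes go high-to-low so rule numbers stay valid; inserts keep the original order.
    cmds = []
    for chain, specs in chains.items():
        block = next((i for i, s in enumerate(specs, 1) if is_catch_all(s)), None)
        if block is None:
            continue
        movable = [(i, s) for i, s in enumerate(specs, 1) if i > block and not is_catch_all(s)]
        cmds += [f"iptables -D {chain} {pos}" for pos, _ in reversed(movable)]
        cmds += [f"iptables -I {chain} {block + k} {s}" for k, (_, s) in enumerate(movable)]
    return cmds
```

On a real box, feed it the output of iptables-save and review the generated commands before running them; a shadowed catch-all such as the trailing FORWARD -j DROP is only reported, never moved.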

Stray Queen Hook
Posts: 2
Joined: 2018/05/07 10:37:56

Re: Iptables 1 port forwarding (solved)

Post by Stray Queen Hook » 2018/05/07 11:13:46

TrevorH wrote:
-A INPUT -j REJECT --reject-with icmp-host-prohibited
See that rule about half way down? Once it hits that, everything stops processing and any subsequent rules are ignored. You need to -I insert the new rules before that one, not -A append them after it.
You're wonderful!
Thank you very much!
