Hi All,
I am trying to set up a simple iptables port forwarder. I would simply like to forward nodeA:8080 to nodeB:80. I found several examples online but none of them seem to work. Even more, most of them include setting up a new iptables chain with a command like this, for example:
iptables -t nat -I PREROUTING --src 0/0 --dst nodeB -p tcp --dport 8080 -j REDIRECT --to-ports 80
But when I run these commands and then do iptables -L, I don't see that the PREROUTING chain (etc.) is created.
I am really out of my wits here, so please help!
Many thanks,
Oren
A simple iptables port forwarder
Re: A simple iptables port forwarder
iptables -L only lists the filter table, you have to use -t nat to list the NAT table. Use iptables-save instead, it lists everything.
You also need to enable net.ipv4.ip_forward too
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: A simple iptables port forwarder
Thank you TrevorH, however I still can't get it to work. These are the commands I run:
Code:
/sbin/sysctl -w net.ipv4.ip_forward=1
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -t nat -A PREROUTING -p tcp -m tcp -i $sif --dport $dport -j DNAT --to-destination $gaddr
iptables -t nat -A POSTROUTING -o $sif -j MASQUERADE
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -p tcp -m tcp -i $sif --dport $dport -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
iptables -A OUTPUT -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
And the output of iptables -L -t nat:
Code:
[root@nodea ~]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:http to:10.1.1.103
DNAT tcp -- anywhere anywhere tcp spt:http dpt:http to:10.1.1.103
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere
MASQUERADE all -- anywhere anywhere
MASQUERADE all -- anywhere anywhere
MASQUERADE all -- anywhere anywhere
Maybe I misunderstood, and some of the iptables commands have to be run on the destination machine (10.1.1.103)?
Oren
Re: A simple iptables port forwarder
iptables -A FORWARD -p tcp -m tcp -i $sif --dport $dport -m conntrack --ctstate NEW -j ACCEPT
Why are you only forwarding NEW connections? What about all the other states? They'll just get ignored...
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: A simple iptables port forwarder
That's not true. This line:
Code:
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
will cover them...
What does your HW setup look like? Do you route between two interfaces (one being $sif, likely external, and another one with a connection to $gaddr, perhaps eth1)? Or are both source and destination machines on the same network segment (connected through one interface, $sif)?
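An added example, not code from any poster in this thread, pulling together the points raised above: ip_forward must be on, the DNAT rule lives in the nat table (so iptables -L without -t nat will not show it, and iptables-save is the safer way to check what is loaded), FORWARD needs both the NEW rule and the RELATED,ESTABLISHED rule, and the forward must name the target port (nodeA:8080 to nodeB:80 needs --to-destination with :80). It also refuses empty parameters, since an unset $sif/$dport/$gaddr silently produces a rule with no port or interface, and uses iptables -C so a rerun does not append duplicates like the four MASQUERADE entries in the posted listing. The interface eth0, the optional OIF parameter, the function names and the sample iptables-save text are assumptions; 10.1.1.103 and the variable names come from the thread.

```shell
#!/bin/sh
# Added example, not any poster's script. Forwards nodeA:<dport> -> <gaddr>:<gport>
# with the pieces the thread mentions: ip_forward, a DNAT rule in the nat
# table, MASQUERADE on the way out, and FORWARD rules for the new connection
# plus its RELATED/ESTABLISHED traffic. sif, dport and gaddr follow the thread;
# gport, oif, the function names and the sample data are assumptions.

IPT="${IPT:-iptables}"   # path to the iptables binary

# add_rule TABLE CHAIN RULE...: append the rule only if an identical one is
# not already present (iptables -C checks for it), so re-running the script
# does not pile up duplicate DNAT/MASQUERADE entries the way the posted
# "iptables -L -t nat" listing shows.
add_rule() {
    table=$1; chain=$2; shift 2
    "$IPT" -t "$table" -C "$chain" "$@" 2>/dev/null \
        || "$IPT" -t "$table" -A "$chain" "$@"
}

# forward_rules SIF DPORT GADDR GPORT [OIF]: print the rules one per line as
# "TABLE CHAIN args...". Empty parameters are refused: an unset shell variable
# would otherwise yield a rule with no port or no interface at all.
# OIF is the interface that reaches GADDR. It defaults to SIF (both hosts on
# one segment) and is what changes when nodeB sits behind e.g. eth1.
forward_rules() {
    sif=$1; dport=$2; gaddr=$3; gport=$4; oif=${5:-$1}
    for v in "$sif" "$dport" "$gaddr" "$gport"; do
        [ -n "$v" ] || { echo "forward_rules: empty parameter" >&2; return 1; }
    done
    # PREROUTING DNAT runs before FORWARD sees the packet, so the FORWARD rule
    # matches the rewritten destination (gaddr:gport), not the original dport.
    cat <<EOF
nat PREROUTING -i $sif -p tcp --dport $dport -j DNAT --to-destination $gaddr:$gport
nat POSTROUTING -o $oif -j MASQUERADE
filter FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
filter FORWARD -i $sif -p tcp -d $gaddr --dport $gport -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# apply_forward SIF DPORT GADDR GPORT [OIF]: enable routing and load the rules.
apply_forward() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null || return 1
    forward_rules "$@" | while read -r table chain rest; do
        # shellcheck disable=SC2086  # splitting $rest into arguments is intended
        add_rule "$table" "$chain" $rest
    done
}

# count_rule TABLE PATTERN: read an iptables-save dump on stdin and count the
# rules in TABLE that match PATTERN. "iptables -L" only shows the filter
# table, which is why iptables-save is the better way to see what is loaded.
count_rule() {
    awk -v table="*$1" -v pat="$2" '
        /^\*/                         { in_table = ($0 == table) }
        in_table && /^-A/ && $0 ~ pat { n++ }
        END                           { print n + 0 }
    '
}

# Constructed iptables-save excerpt (not real output) resembling the posted
# listing: the script was run more than once, so each nat rule appears twice.
SAMPLE_SAVE=$(cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.1.1.103
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.1.1.103
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
)

if [ "${APPLY:-0}" = 1 ]; then
    apply_forward eth0 8080 10.1.1.103 80     # needs root; interface is assumed
else
    forward_rules eth0 8080 10.1.1.103 80
    printf 'duplicate DNAT rules in sample: %s\n' \
        "$(printf '%s\n' "$SAMPLE_SAVE" | count_rule nat DNAT)"
fi
```

Without APPLY=1 the script only prints the rules it would load and checks the constructed dump; with APPLY=1 it runs sysctl and iptables, which needs root. On a live box, `iptables-save | count_rule nat DNAT` is the quick way to confirm the forward was loaded exactly once.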