A simple iptables port forwarder

Issues related to configuring your network
oshani@iucc.ac.il
Posts: 2
Joined: 2018/04/22 11:28:45

A simple iptables port forwarder

Post by oshani@iucc.ac.il » 2018/04/22 11:47:09

Hi All,

I am trying to set up a simple iptables port forwarder. I would simply like to forward nodeA:8080 to nodeB:80. I found several examples online but none of them seem to work. Even more, most of them include setting up a new iptables chain with a command like this, for example:

iptables -t nat -I PREROUTING --src 0/0 --dst nodeB -p tcp --dport 8080 -j REDIRECT --to-ports 80

But when I run these commands and then do iptables -L, I don't see that the PREROUTING chain (etc.) is created.

I am really out of my wits here, so please help!

Many thanks,

Oren

TrevorH
Forum Moderator
Posts: 23653
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: A simple iptables port forwarder

Post by TrevorH » 2018/04/22 14:03:43

iptables -L only lists the filter table, you have to use -t nat to list the NAT table. Use iptables-save instead, it lists everything.

You also need to enable net.ipv4.ip_forward.
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

oshani@iucc.ac.il
Posts: 2
Joined: 2018/04/22 11:28:45

Re: A simple iptables port forwarder

Post by oshani@iucc.ac.il » 2018/04/23 05:47:39

Thank you TrevorH. However, I still can't get it to work. These are the commands I run:

Code:

# allow the kernel to route packets between interfaces
/sbin/sysctl -w net.ipv4.ip_forward=1

# default policies: drop unsolicited inbound and forwarded traffic
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# rewrite the destination of traffic arriving on $sif:$dport to $gaddr (before routing)
iptables -t nat -A PREROUTING -p tcp -m tcp -i $sif --dport $dport -j DNAT --to-destination $gaddr

# source-NAT traffic leaving via $sif so replies come back through this box
iptables -t nat -A POSTROUTING -o $sif -j MASQUERADE

# local input: loopback, replies to established flows, reject everything else
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited

# forwarded traffic: established flows, new flows from eth1, new flows for the forwarded port
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -p tcp -m tcp -i $sif --dport $dport -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited

iptables -A OUTPUT -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT

And the output of iptables -L -t nat:

Code:

[root@nodea ~]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere             tcp dpt:http to:10.1.1.103
DNAT       tcp  --  anywhere             anywhere             tcp spt:http dpt:http to:10.1.1.103

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere
MASQUERADE  all  --  anywhere             anywhere
MASQUERADE  all  --  anywhere             anywhere
MASQUERADE  all  --  anywhere             anywhere

Maybe I misunderstood, and some of the iptables commands have to be run on the destination machine (10.1.1.103)?

Oren

TrevorH
Forum Moderator
Posts: 23653
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: A simple iptables port forwarder

Post by TrevorH » 2018/04/23 06:15:07

iptables -A FORWARD -p tcp -m tcp -i $sif --dport $dport -m conntrack --ctstate NEW -j ACCEPT

Why are you only forwarding NEW connections? What about all the other states? They'll just get ignored...
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

tomkep
Posts: 17
Joined: 2018/04/25 13:30:50

Re: A simple iptables port forwarder

Post by tomkep » 2018/04/30 20:40:27

That's not true. This line:

Code:

iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

will cover them...

What does your HW setup look like? Do you route between two interfaces (one being $sif, likely external, and another one with a connection to $gaddr, perhaps eth1)? Or are both the source and destination machines on the same network segment (connected through one interface, $sif)?
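As an added example (not posted by anyone in this thread), here is a complete nodeA:8080 to nodeB:80 forwarder that pulls together the points raised above: ip_forward must be on, the DNAT lives in the nat table (so iptables -L without -t nat will not show it), the FORWARD chain sees the packet after DNAT and therefore has to match the rewritten destination port, and a MASQUERADE is needed only for the hairpin case where client and nodeB share a segment. The interface name eth0 and the ports are assumptions; 10.1.1.103 is taken from the posted iptables output. The ruleset is emitted in iptables-restore format so it loads atomically instead of rule by rule.

```shell
#!/bin/sh
# Added example, not the original poster's script. Values are constructed
# placeholders; override them in the environment for your hosts.
EXT_IF="${EXT_IF:-eth0}"            # interface clients reach nodeA on (the thread's $sif)
LISTEN_PORT="${LISTEN_PORT:-8080}"  # port nodeA listens on
TARGET="${TARGET:-10.1.1.103}"      # nodeB, as shown in the posted output
TARGET_PORT="${TARGET_PORT:-80}"    # port nodeB serves on

# Emit the full ruleset in iptables-restore syntax ('#' lines are ignored by it).
build_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Rewrite destination before routing: nodeA:$LISTEN_PORT -> $TARGET:$TARGET_PORT
-A PREROUTING -i $EXT_IF -p tcp --dport $LISTEN_PORT -j DNAT --to-destination $TARGET:$TARGET_PORT
# Hairpin case only: if the forwarded packet leaves on the same interface it
# arrived on, nodeB and the client share a segment and nodeB's reply would
# bypass nodeA; masquerading forces the reply back through nodeA. When nodeB
# sits behind a second interface this rule never matches and nodeB keeps
# seeing the real client address.
-A POSTROUTING -o $EXT_IF -p tcp -d $TARGET --dport $TARGET_PORT -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# Replies for flows already accepted in either direction
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# FORWARD runs after DNAT, so match the rewritten destination
# ($TARGET:$TARGET_PORT), not the listening port $LISTEN_PORT
-A FORWARD -i $EXT_IF -p tcp -d $TARGET --dport $TARGET_PORT -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# True when IP forwarding is enabled. The path argument exists so the check
# can be exercised against a file other than the live /proc entry.
ip_forward_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Apply: enable forwarding, then load the whole ruleset in one go.
apply_ruleset() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    ip_forward_enabled || { echo "ip_forward still disabled" >&2; return 1; }
    build_ruleset | iptables-restore
}

# Verify: show NAT and FORWARD rules with packet counters, which is what
# iptables -L alone hides (it only lists the filter table).
show_state() {
    iptables -t nat -L PREROUTING -n -v
    iptables -t nat -L POSTROUTING -n -v
    iptables -L FORWARD -n -v
}

case "${1:-}" in
    apply) apply_ruleset ;;
    show)  show_state ;;
    print) build_ruleset ;;
esac
```

Run it as `sh forward.sh print` to review the generated rules, `sh forward.sh apply` as root to load them, and `sh forward.sh show` to confirm the counters on the DNAT and FORWARD rules increase when a client connects to nodeA:8080. Nothing has to run on nodeB itself, but nodeB must route its replies back via nodeA (either because nodeA is its default gateway, or because the hairpin MASQUERADE above rewrote the source).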
