[CentOS] iptables port forwarding

Marian Marinov mm at yuhu.biz
Mon Jun 27 04:20:10 UTC 2011


On Monday 27 June 2011 07:15:33 muiz wrote:
> Marian, I'm very happy you're online :) I think I have tried the record you
> mentioned just now. And I would like to make clear what I have done (the
> commands I tested):
> /sbin/iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 8080 --to a.b.c.d:8181
> /sbin/iptables -t nat -A POSTROUTING -j SNAT -s 192.168.0.0/255.255.255.0 --to 192.168.1.250
> echo 1 > /proc/sys/net/ipv4/ip_forward
> Then it doesn't work!

You have to have some other iptables rules that block the traffic since this has 
to work.

Marian

> At 2011-06-27,"Marian Marinov" <mm at yuhu.biz> wrote:
> >On Monday 27 June 2011 06:50:27 muiz wrote:
> >> Dear Marian and all,
> >> 
> >>   It seems it doesn't work:
> >> /sbin/iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 8080 --to a.b.c.d:8181
> >> /sbin/iptables -t nat -A POSTROUTING -j SNAT -s 192.168.0.0/255.255.255.0 --to a.b.c.d
> >> echo 1 > /proc/sys/net/ipv4/ip_forward
> >
> >Yup, it's normal not to work... You got the SNAT rule wrong :)
> >
> >It should be to the IP of the server that is DOING the forwarding...
> >
> >so
> >
> >/sbin/iptables -t nat -A POSTROUTING -j SNAT -s 192.168.0.0/255.255.255.0
> >--to 192.168.1.250
> >
> >Marian
> >
> >> I check the Fedora iptables setting:  /etc/sysconfig/iptables files:
> >> ...
> >> 
> >> :POSTROUTING ACCEPT [0:0]
> >> 
> >> -A PREROUTING -i eth+ -p tcp --dport 8080 -j DNAT --to-destination
> >> a.b.c.d:8080 ....
> >> 
> >> :OUTPUT ACCEPT [0:0]
> >> 
> >> -A FORWARD -i eth+ -m state --state NEW -m tcp -p tcp -d a.b.c.d --dport
> >> 8080 -j ACCEPT
> >> 
> >> 
> >> And more rules I add is :
> >> /sbin/iptables -t nat -A POSTROUTING -d  a.b.c.d -p tcp --dport 8080 -j
> >> MASQUERADE
> >> 
> >> 
> >> Then it works!  But if I don't use system-config-firewall GUI tools,
> >> then how?
> >> 
> >> 
> >> 
> >> 
> >> Thanks very much !
> >> 
> >> At 2011-06-27,"Marian Marinov" <mm at yuhu.biz> wrote:
> >> >On Monday 27 June 2011 00:08:08 muiz wrote:
> >> >> Thanks  Marian,
> >> >> The server only has one IP. I think I should add more iptables
> >> >> records, only one NAT record is not enough, is it correct? If yes,
> >> >> then how?
> >> >
> >> >Huh, I'm sorry, yes you need a second rule. So the rules are:
> >> >iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 8080 --to a.b.c.d:8181
> >> >iptables -t nat -A POSTROUTING -j SNAT -s local_ip/local_net --to 192.168.1.250
> >> >echo 1 > /proc/sys/net/ipv4/ip_forward
> >> >
> >> >The Source NAT (SNAT) rule is needed, because otherwise the packets that
> >> >reach a.b.c.d will be coming from the IP of the local client, not
> >> >192.168.1.250, and so 192.168.1.250 will never receive the replies from
> >> >a.b.c.d.
> >> >Since the packets reach the client directly from a.b.c.d, the client
> >> >will simply disregard them and will wait for packets coming from
> >> >.1.250.
> >> >
> >> >So the SNAT rule changes the SOURCE IP of the packets to 1.250 so
> >> >a.b.c.d will return the answers to the right source.
> >> >
> >> >Marian
> >> >
> >> >>  2011-06-26 23:38:58,"Marian Marinov" <mm at yuhu.biz> wrote:
> >> >>  
> >> >> >On Sunday 26 June 2011 12:53:07 muiz wrote:
> >> >> >> Dear all,
> >> >> >> 
> >> >> >>   I would like to forward a port to an internet server, but
> >> >> >> failed. Can you help me?
> >> >> >> 
> >> >> >> Server: eth0: 192.168.1.250, Port: 8080 TCP, CentOS 5.6
> >> >> >> Remote server: IP: a.b.c.d  Port: 8181
> >> >> >> 
> >> >> >> Forward path: client1(192.168.1.10) -> 192.168.1.250:8080
> >> >> >> (forward) -> a.b.c.d  Port: 8181
> >> >> >> -----------------------------------------
> >> >> >> In Fedora, I successfully configured the firewall using
> >> >> >> system-config-firewall and the iptables command:
> >> >> >> 1. Run system-config-firewall
> >> >> >>  1.1 open local port 8080
> >> >> >>  1.2 add a forward rule: local 8080 to remote a.b.c.d:8181, tcp
> >> >> >> 2. echo 1 > /proc/sys/net/ipv4/ip_forward
> >> >> >> 3. add an iptables rule:
> >> >> >> /sbin/iptables -t nat -A POSTROUTING -d a.b.c.d -p tcp --dport 8181 -j MASQUERADE
> >> >> >> That's all.
> >> >> >> 
> >> >> >> Thanks !
> >> >> >
> >> >> >You have to use Destination NAT for the job:
> >> >> >
> >> >> >iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 8080 --to a.b.c.d:8181
> >> >> >echo 1 > /proc/sys/net/ipv4/ip_forward
> >> >> >
> >> >> >If you have more than one IP on the local machine it's a good idea
> >> >> >to specify the destination -d 192.168.1.250
> >> >> >
> >> >> >Marian
> >> >> 
> >> >> _______________________________________________
> >> >> CentOS mailing list
> >> >> CentOS at centos.org
> >> >> http://lists.centos.org/mailman/listinfo/centos

-- 
Best regards,
Marian Marinov
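The complete rule set the thread converges on (DNAT in PREROUTING, SNAT in POSTROUTING, plus the filter-table FORWARD rules that Marian says must not be blocking the flow), as an added example that is not from the thread or from CentOS. It assumes eth0 is the LAN interface and 192.168.1.0/24 is the client network; a.b.c.d is the thread's placeholder for the remote server.

```shell
#!/bin/sh
# Added example (not from the thread). Forwards tcp/8080 on the CentOS box
# 192.168.1.250 to a.b.c.d:8181 for LAN clients, with DNAT, FORWARD and SNAT
# rules scoped to this one flow. IPT defaults to "echo" so the script only
# prints the commands; run as root with IPT=/sbin/iptables to apply them.
IPT="${IPT:-echo /sbin/iptables}"
LAN_IF=eth0                 # assumed LAN interface
LAN_NET=192.168.1.0/24      # must contain the clients (192.168.1.10 is not in 192.168.0.0/24)
LOCAL_IP=192.168.1.250
LOCAL_PORT=8080
REMOTE_IP=a.b.c.d           # placeholder from the thread; replace with the real address
REMOTE_PORT=8181

forward_rules() {
    # 1. nat/PREROUTING: rewrite the destination of matching LAN packets.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp \
        -d "$LOCAL_IP" --dport "$LOCAL_PORT" \
        -j DNAT --to-destination "$REMOTE_IP:$REMOTE_PORT"
    # 2. filter/FORWARD: the rewritten flow must also pass the filter table;
    #    a DROP/REJECT policy here is a common reason the nat rules "don't work".
    $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -p tcp \
        -d "$REMOTE_IP" --dport "$REMOTE_PORT" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -p tcp -s "$REMOTE_IP" --sport "$REMOTE_PORT" -d "$LAN_NET" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 3. nat/POSTROUTING: rewrite the source to this box so a.b.c.d answers
    #    to 192.168.1.250, which conntrack then un-NATs back to the client.
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -p tcp \
        -d "$REMOTE_IP" --dport "$REMOTE_PORT" \
        -j SNAT --to-source "$LOCAL_IP"
}

enable_forwarding() {
    # The sysctl file is ip_forward; a misspelt path makes the echo fail silently
    # in a script, and nothing is forwarded no matter how good the nat rules are.
    if [ "$IPT" = "/sbin/iptables" ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    else
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    fi
}

forward_rules
enable_forwarding
```

Check the result with `iptables -t nat -L -n -v` and `iptables -L FORWARD -n -v`: packet counters on the DNAT and FORWARD rules that stay at zero while clients connect point to the filter chain, not to NAT, as the problem.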