[CentOS] iptables port forwarding
muiz
muiz at 163.com
Mon Jun 27 07:05:07 UTC 2011
Dear all,
Below are my default iptables settings (only ports 22 and 8080 (webcache) are open):
-------------------------------------------------------------------------------------------------------------
[root at localhost ~]# /sbin/iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:webcache
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
-------------------------------------------------------------------------------------------------------------
To Ljubomir:
The remote server a.b.c.d serves port 8181, and the local server forwards its port 8080 to remote port 8181.
At 2011-06-27,"Ljubomir Ljubojevic" <office at plnet.rs> wrote:
>Marian Marinov wrote:
>> On Monday 27 June 2011 07:15:33 muiz wrote:
>>> Marian, I'm very happy you're online :) I think I have tried the record you
>>> mentioned just now. And I would like to clarify what I have done (the scripts
>>> I tested):
>>> /sbin/iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 8080 --to a.b.c.d:8181
>>> /sbin/iptables -t nat -A POSTROUTING -j SNAT -s 192.168.0.0/255.255.255.0 --to 192.168.1.250
>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>> Then it doesn't work!
>>
>> You have to have some other iptables rules that block the traffic since this has
>> to work.
>>
>> Marian
>>
>>> At 2011-06-27,"Marian Marinov" <mm at yuhu.biz> wrote:
>>>> On Monday 27 June 2011 06:50:27 muiz wrote:
>>>>> Dear Marian and all,
>>>>>
>>>>> It seems it doesn't work:
>>>>> /sbin/iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 8080 --to a.b.c.d:8181
>>>>> /sbin/iptables -t nat -A POSTROUTING -j SNAT -s 192.168.0.0/255.255.255.0 --to a.b.c.d
>>>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>> Yup, it's normal not to work... You got the SNAT rule wrong :)
>>>>
>>>> It should be to the IP of the server that is DOING the forwarding...
>>>>
>>>> so
>>>>
>>>> /sbin/iptables -t nat -A POSTROUTING -j SNAT -s 192.168.0.0/255.255.255.0
>>>> --to 192.168.1.250
>>>>
>>>> Marian
>>>>
>>>>> I check the Fedora iptables setting: /etc/sysconfig/iptables files:
>>>>> ...
>>>>>
>>>>> :POSTROUTING ACCEPT [0:0]
>>>>>
>>>>> -A PREROUTING -i eth+ -p tcp --dport 8080 -j DNAT --to-destination
>>>>> a.b.c.d:8080 ....
>>>>>
>>>>> :OUTPUT ACCEPT [0:0]
>>>>>
>>>>> -A FORWARD -i eth+ -m state --state NEW -m tcp -p tcp -d a.b.c.d --dport
>>>>> 8080 -j ACCEPT
>>>>>
>>>>>
>>>>> And more rules I add is :
>>>>> /sbin/iptables -t nat -A POSTROUTING -d a.b.c.d -p tcp --dport 8080 -j
>>>>> MASQUERADE
>>>>>
>>>>>
>>>>> Then it works! But if I don't use system-config-firewall GUI tools,
>>>>> then how?
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Thanks very much !
>>>>>
>>>>> At 2011-06-27,"Marian Marinov" <mm at yuhu.biz> wrote:
>>>>>> On Monday 27 June 2011 00:08:08 muiz wrote:
>>>>>>> Thanks Marian,
>>>>>>> The server only has one IP. I think I should add more iptables
>>>>>>> records, only one NAT record is not enough,isit correct? If yes ,
>>>>>>> then how?
>>>>>> Huh, I'm sorry yes you need a second rule. So the rules are:
>>>>>> iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 8080 --to a.b.c.d:8181
>>>>>> iptables -t nat -A POSTROUTING -j SNAT -s local_ip/local_net --to 192.168.1.250
>>>>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>>>>
>>>>>> The Source NAT (SNAT) rule is needed, cause otherwise the packets that
>>>>>> reach a.b.c.d will be coming from the IP of the local client, not
>>>>>> 192.168.1.250, and so 192.168.1.250 will never receive the replies from
>>>>>> a.b.c.d.
>>>>>> Since the packets reach the client directly from a.b.c.d, the client
>>>>>> will simply disregard them and will wait for packets coming from
>>>>>> .1.250.
>>>>>>
>>>>>> So the SNAT rule changes the SOURCE IP of the packets to 1.250 so
>>>>>> a.b.c.d will return the answers to the right source.
>>>>>>
>>>>>> Marian
>>>>>>
>>>>>>> 2011-06-26 23:38:58,"Marian Marinov" <mm at yuhu.biz> wrote:
>>>>>>>
>>>>>>>> On Sunday 26 June 2011 12:53:07 muiz wrote:
>>>>>>>>> Dear all,
>>>>>>>>>
>>>>>>>>> I would like to forward a port to an internet server, but
>>>>>>>>> failed. Can you help me?
>>>>>>>>>
>>>>>>>>> help me? Server: eth0: 192.168.1.250, Port: 8080 TCP, CentOS 5.6
>>>>>>>>> Remote server: IP: a.b.c.d Port: 8181
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Forward path: client1(192.168.1.10) -> 192.168.1.250:8080
>>>>>>>>> (forward) -> a.b.c.d Port: 8181
>>>>>>>>> -----------------------------------------
>>>>>>>>> In Fedora, I successfully configured the firewall using
>>>>>>>>> system-config-firewall and the iptables command:
>>>>>>>>> 1. Run system-config-firewall
>>>>>>>>>
>>>>>>>>> 1.1 open local port 8080
>>>>>>>>> 1.2 add a forward rule: local 8080 to remote a.b.c.d:8181, tcp
>>>>>>>>>
>>>>>>>>> 2. echo 1 > /proc/sys/net/ipv4/ip_forward
>>>>>>>>> 3. add an iptables rule: /sbin/iptables -t nat -A POSTROUTING -d
>>>>>>>>> a.b.c.d -p tcp --dport 8181 -j MASQUERADE
>>>>>>>>> That's all.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Thanks !
>>>>>>>> You have to use Destination NAT for the job:
>>>>>>>>
>>>>>>>> iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 8080 --to a.b.c.d:8181
>>>>>>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>>>>>>
>>>>>>>> If you have more than one IP on the local machine, it's a good idea
>>>>>>>> to specify the destination: -d 192.168.1.250
>>>>>>>>
>>>>>>>> Marian
>>>>>>> _______________________________________________
>>>>>>> CentOS mailing list
>>>>>>> CentOS at centos.org
>>>>>>> http://lists.centos.org/mailman/listinfo/centos
>>
>
>Actually, a very BIG difference between the two scripts is that on Fedora he
>redirects port 8080 to a.b.c.d 8080, but in the OP he said a.b.c.d uses port
>8181!!!
>
>And if correction of the port does not help, then he can try with
>additional rule:
>
>-A FORWARD -i eth+ -p tcp -d a.b.c.d --dport 8080 -j ACCEPT
>
>
>Ljubomir
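The rule set the thread converges on (DNAT in PREROUTING, SNAT in POSTROUTING back to the forwarder's own address, IP forwarding enabled), written out as one complete added example; this is not code from the thread or from any of its participants. It keeps the thread's values (forwarder 192.168.1.250 on eth0, local port 8080, placeholder remote a.b.c.d:8181) and assumes the clients arrive on eth0 from 192.168.1.0/24, which is the subnet of client1 (192.168.1.10) in the original question; note that the SNAT rules quoted in the thread match 192.168.0.0/24 instead, which would not match that client. Two things the quoted commands get wrong are corrected here: the sysctl path is /proc/sys/net/ipv4/ip_forward, and the OP's FORWARD chain ends in a REJECT-all rule, so ACCEPT rules appended with -A land after it and never match; they have to be inserted with -I. The DNAT rule is also scoped to the LAN interface, subnet and the forwarder's own address so that port 8080 on any other interface does not become a relay to a.b.c.d. The function only prints the commands; review the output, then pipe it to sh as root to apply.

```shell
#!/bin/sh
# Added example (not from the thread): generate the NAT and FORWARD rules for
#   client (192.168.1.0/24) -> 192.168.1.250:8080 -> a.b.c.d:8181
# Nothing is applied by this script; it prints the commands for review.

LAN_IF="eth0"              # interface the clients reach the forwarder on (assumed)
LAN_NET="192.168.1.0/24"   # client subnet; client1 is 192.168.1.10 in the thread
FWD_IP="192.168.1.250"     # the forwarding server's own address
FWD_PORT="8080"            # port the clients connect to on the forwarder
REMOTE_IP="a.b.c.d"        # placeholder, exactly as used in the thread
REMOTE_PORT="8181"         # port the remote server actually serves

# Print the rule set. FORWARD rules use -I (insert at the top) because the OP's
# FORWARD chain ends with "REJECT all"; a rule appended with -A is never reached.
gen_forward_rules() {
    cat <<EOF
# enable routing between interfaces; the thread's commands misspell this path
# (not persistent across reboot: set net.ipv4.ip_forward=1 in /etc/sysctl.conf too)
echo 1 > /proc/sys/net/ipv4/ip_forward
# 1. DNAT: rewrite the destination, only for LAN traffic aimed at the forwarder's own port
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -d $FWD_IP -p tcp --dport $FWD_PORT -j DNAT --to-destination $REMOTE_IP:$REMOTE_PORT
# 2. SNAT: replies must come back through the forwarder, so it becomes the source
#    (the remote sees $FWD_IP, not the client; the LOG rule below keeps the client attribution locally)
iptables -t nat -A POSTROUTING -s $LAN_NET -d $REMOTE_IP -p tcp --dport $REMOTE_PORT -j SNAT --to-source $FWD_IP
# 3. FORWARD: inserted ahead of the chain's REJECT-all rule; replies first, then new flows
iptables -I FORWARD 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 2 -i $LAN_IF -s $LAN_NET -d $REMOTE_IP -p tcp --dport $REMOTE_PORT -m state --state NEW -j LOG --log-prefix "fwd-8080: "
iptables -I FORWARD 3 -i $LAN_IF -s $LAN_NET -d $REMOTE_IP -p tcp --dport $REMOTE_PORT -m state --state NEW -j ACCEPT
EOF
}

# Sanity check on the generated text: the misspelled sysctl path must not appear,
# and the function prints how many rule lines carry the remote port (expected: 4).
check_rules() {
    rules=$(gen_forward_rules)
    echo "$rules" | grep -q 'ip_foward' && return 1
    echo "$rules" | grep -c "$REMOTE_PORT"
}

# Usage (as root, after reading the output):  gen_forward_rules | sh
gen_forward_rules
```

Each client connection shows up twice on the forwarder: once as a kernel log line prefixed `fwd-8080:` with the real client address, and once in the conntrack table, which is the only place the mapping between the client and the SNATed flow a.b.c.d sees is kept.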