[CentOS] iptables port forwarding

Mon Jun 27 07:15:32 UTC 2011
Ljubomir Ljubojevic <office at plnet.rs>

muiz wrote:
> Dear all,
>      Below are my default iptables settings (only ports 22 and 8080 
> (webcache) are open):
> -------------------------------------------------------------------------------------------------------------
> [root at localhost ~]# /sbin/iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere            state 
> RELATED,ESTABLISHED
> ACCEPT     icmp --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     tcp  --  anywhere             anywhere            state NEW 
> tcp dpt:ssh
> ACCEPT     tcp  --  anywhere             anywhere            state NEW 
> tcp dpt:webcache
> REJECT     all  --  anywhere             anywhere            reject-with 
> icmp-host-prohibited
> 
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> REJECT     all  --  anywhere             anywhere            reject-with 
> icmp-host-prohibited
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> -------------------------------------------------------------------------------------------------------------
> 
> To Ljubomir:
> The remote server a.b.c.d serves port 8181, and the local server forwards 
> its port 8080 to remote port 8181.
> 
> 
> At 2011-06-27, "Ljubomir Ljubojevic" <office at plnet.rs> wrote:
> 
>>Marian Marinov wrote:
>>> On Monday 27 June 2011 07:15:33 muiz wrote:
>>>> Marian, I'm very happy you're online :) I think I have tried the record you
>>>> mentioned just now. And I would like to clarify what I have done (the scripts
>>>> I tested):
>>>> /sbin/iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 8080 --to a.b.c.d:8181
>>>> /sbin/iptables -t nat -A POSTROUTING -j SNAT -s 192.168.0.0/255.255.255.0 --to 192.168.1.250
>>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>> Then it doesn't work!
>>> 
>>> You have to have some other iptables rules that block the traffic since this has 
>>> to work.
>>> 
>>> Marian
>>> 
>>>> At 2011-06-27, "Marian Marinov" <mm at yuhu.biz> wrote:
>>>>> On Monday 27 June 2011 06:50:27 muiz wrote:
>>>>>> Dear Marian and all,
>>>>>>
>>>>>>   It seems it doesn't work:
>>>>>> /sbin/iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 8080 --to a.b.c.d:8181
>>>>>> /sbin/iptables -t nat -A POSTROUTING -j SNAT -s 192.168.0.0/255.255.255.0 --to a.b.c.d
>>>>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>>> Yup, it's normal for it not to work... You got the SNAT rule wrong :)
>>>>>
>>>>> It should be to the IP of the server that is DOING the forwarding...
>>>>>
>>>>> so
>>>>>
>>>>> /sbin/iptables -t nat -A POSTROUTING -j SNAT -s 192.168.0.0/255.255.255.0
>>>>> --to 192.168.1.250
>>>>>
>>>>> Marian
>>>>>
>>>>>> I checked the Fedora iptables settings in /etc/sysconfig/iptables:
>>>>>> ...
>>>>>>
>>>>>> :POSTROUTING ACCEPT [0:0]
>>>>>>
>>>>>> -A PREROUTING -i eth+ -p tcp --dport 8080 -j DNAT --to-destination
>>>>>> a.b.c.d:8080 ....
>>>>>>
>>>>>> :OUTPUT ACCEPT [0:0]
>>>>>>
>>>>>> -A FORWARD -i eth+ -m state --state NEW -m tcp -p tcp -d a.b.c.d --dport
>>>>>> 8080 -j ACCEPT
>>>>>>
>>>>>>
>>>>>> And the additional rule I added is:
>>>>>> /sbin/iptables -t nat -A POSTROUTING -d a.b.c.d -p tcp --dport 8080 -j MASQUERADE
>>>>>>
>>>>>>
>>>>>> Then it works!  But if I don't use the system-config-firewall GUI tool,
>>>>>> then how?
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> Thanks very much !
>>>>>>
>>>>>> At 2011-06-27, "Marian Marinov" <mm at yuhu.biz> wrote:
>>>>>>> On Monday 27 June 2011 00:08:08 muiz wrote:
>>>>>>>> Thanks  Marian,
>>>>>>>> The server only has one IP. I think I should add more iptables
>>>>>>>> records; only one NAT record is not enough, is it correct?  If yes,
>>>>>>>> then how?
>>>>>>> Huh, I'm sorry, yes you need a second rule. So the rules are:
>>>>>>> iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 8080 --to a.b.c.d:8181
>>>>>>> iptables -t nat -A POSTROUTING -j SNAT -s local_ip/local_net --to 192.168.1.250
>>>>>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>>>>>
>>>>>>> The Source NAT (SNAT) rule is needed, because otherwise the packets that
>>>>>>> reach a.b.c.d will be coming from the IP of the local client, not
>>>>>>> 192.168.1.250, and so 192.168.1.250 will never receive the replies from
>>>>>>> a.b.c.d.
>>>>>>> Since the packets reach the client directly from a.b.c.d, the client
>>>>>>> will simply disregard them and will wait for packets coming from
>>>>>>> .1.250.
>>>>>>>
>>>>>>> So the SNAT rule changes the SOURCE IP of the packets to 1.250 so
>>>>>>> a.b.c.d will return the answers to the right source.
>>>>>>>
>>>>>>> Marian
>>>>>>>
>>>>>>>>  2011-06-26 23:38:58, "Marian Marinov" <mm at yuhu.biz> wrote:
>>>>>>>>  
>>>>>>>>> On Sunday 26 June 2011 12:53:07 muiz wrote:
>>>>>>>>>> Dear all,
>>>>>>>>>>
>>>>>>>>>>   I would like to forward a port to an internet server, but
>>>>>>>>>>   failed. Can you help me?
>>>>>>>>>>
>>>>>>>>>> Server:  eth0: 192.168.1.250, Port: 8080 TCP, CentOS 5.6
>>>>>>>>>> Remote server:   IP: a.b.c.d  Port: 8181
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Forward path:  client1(192.168.1.10) -> 192.168.1.250:8080
>>>>>>>>>> (forward) -> a.b.c.d  Port: 8181
>>>>>>>>>> -----------------------------------------
>>>>>>>>>> In Fedora, I successfully configured the firewall using
>>>>>>>>>> system-config-firewall and the iptables command:
>>>>>>>>>> 1. Run system-config-firewall
>>>>>>>>>>
>>>>>>>>>>  1.1 open local port 8080
>>>>>>>>>>  1.2 add a forward rule: local 8080 to remote a.b.c.d:8181, tcp
>>>>>>>>>>
>>>>>>>>>> 2. echo 1 > /proc/sys/net/ipv4/ip_forward
>>>>>>>>>> 3. add an iptables rule:
>>>>>>>>>>    /sbin/iptables -t nat -A POSTROUTING -d a.b.c.d -p tcp --dport 8181 -j MASQUERADE
>>>>>>>>>> That's all.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Thanks !
>>>>>>>>> You have to use Destination NAT for the job:
>>>>>>>>>
>>>>>>>>> iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 8080 --to a.b.c.d:8181
>>>>>>>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>>>>>>>
>>>>>>>>> If you have more than one IP on the local machine it's a good idea
>>>>>>>>> to specify the destination: -d 192.168.1.250
>>>>>>>>>
>>>>>>>>> Marian
>>>>>>>> _______________________________________________
>>>>>>>> CentOS mailing list
>>>>>>>> CentOS at centos.org
>>>>>>>> http://lists.centos.org/mailman/listinfo/centos
>>> 
>>
>>Actually, the very BIG difference between the two scripts is that on Fedora he 
>>redirects port 8080 to a.b.c.d 8080, but in the OP he said a.b.c.d uses port 
>>8181!!!
>>
>>And if correcting the port does not help, then he can try with an 
>>additional rule:
>>
>>-A FORWARD -i eth+ -p tcp -d a.b.c.d --dport 8080 -j ACCEPT
>>
>>
>>Ljubomir
> 

Please do not top-post; write your answers below the text, like we do.


This is what you posted:
 > I check the Fedora iptables setting:  /etc/sysconfig/iptables files:
 >
 > :POSTROUTING ACCEPT [0:0]
 >
 > -A PREROUTING -i eth+ -p tcp --dport 8080 -j DNAT --to-destination
 > a.b.c.d:8080 ....
 >
 > :OUTPUT ACCEPT [0:0]
 >
 > -A FORWARD -i eth+ -m state --state NEW -m tcp -p tcp -d a.b.c.d --dport
 > 8080 -j ACCEPT

"--to-destination a.b.c.d:8080" means your Fedora box is redirecting 
traffic to remote port 8080, not 8181 like you asked on this list.

Ljubomir
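Editor's note, added to this archived thread (the script below was not posted by anyone on the list). Two things in the thread are worth pinning down. First, the nat PREROUTING chain runs before the filter FORWARD chain, so a DNATed connection never reaches the INPUT chain at all: the OP's "ACCEPT tcp dpt:webcache" INPUT rule is irrelevant to forwarding, and it is the FORWARD chain, which in the OP's listing rejects everything, that has to accept the traffic. Second, because FORWARD sees the packet after DNAT, the accept rule must name the post-DNAT destination, a.b.c.d port 8181 in this setup, not the 8080 the client connected to. The SNAT source must also cover the client's subnet (192.168.1.0/24 for client 192.168.1.10); a rule for 192.168.0.0/24 does not match those packets. The script emits the complete rule set in iptables-save format and includes a check for the port mismatch. a.b.c.d is a placeholder as in the post; the client subnet 192.168.1.0/24 is an assumption taken from the client address in the post.

```shell
#!/bin/sh
# Added example for this thread (not code posted by anyone on the list).
# Generates the complete rule set the discussion converges on, for
#   client1 (192.168.1.0/24) -> 192.168.1.250:8080 -> a.b.c.d:8181
# and checks the one thing that is easy to get wrong: the FORWARD rule has
# to match the port AFTER DNAT (8181), because nat/PREROUTING is applied
# before filter/FORWARD. a.b.c.d is a placeholder, as in the post; the
# client subnet 192.168.1.0/24 is assumed from the client address 192.168.1.10.

LAN_IF="eth0"                      # interface the clients sit on (from the post)
LAN_NET="192.168.1.0/24"           # assumed client subnet
GW_IP="192.168.1.250"              # the CentOS box doing the forwarding
LISTEN_PORT="8080"                 # port clients connect to on the gateway
REMOTE_IP="${REMOTE_IP:-a.b.c.d}"  # placeholder; override in the environment
REMOTE_PORT="8181"                 # port the remote service actually listens on

# Emit the rules in iptables-save format, loadable with iptables-restore or
# pasted into /etc/sysconfig/iptables on CentOS 5.
gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $LAN_IF -d $GW_IP -p tcp --dport $LISTEN_PORT -j DNAT --to-destination $REMOTE_IP:$REMOTE_PORT
-A POSTROUTING -s $LAN_NET -d $REMOTE_IP -p tcp --dport $REMOTE_PORT -j SNAT --to-source $GW_IP
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $LAN_IF -s $LAN_NET -d $REMOTE_IP -p tcp --dport $REMOTE_PORT -m state --state NEW -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Read a ruleset on stdin; return 0 if every DNAT target port has a matching
# FORWARD ACCEPT, 1 (with a message on stderr) otherwise.
check_forward_matches_dnat() {
    ruleset=$(cat)
    rc=0
    for port in $(printf '%s\n' "$ruleset" |
                  sed -n 's/.*-j DNAT --to-destination [^:]*:\([0-9]*\).*/\1/p'); do
        if ! printf '%s\n' "$ruleset" | grep -q -- "^-A FORWARD .*--dport $port .*-j ACCEPT"; then
            echo "no FORWARD ACCEPT for post-DNAT port $port" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed counter-example, built from the DNAT rule and the FORWARD rule
# suggested in the thread: DNAT rewrites the destination to port 8181, but
# the FORWARD rule still names 8080, the port the client used, so forwarded
# packets fall through to the REJECT.
bad_rules() {
    cat <<'EOF'
*nat
-A PREROUTING -i eth+ -p tcp --dport 8080 -j DNAT --to-destination a.b.c.d:8181
COMMIT
*filter
-A FORWARD -i eth+ -p tcp -d a.b.c.d --dport 8080 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Load the rules for real (root required); kept separate so the script can
# be run unprivileged just to print or check them.
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gen_rules | iptables-restore
}

case "${1:-print}" in
    print) gen_rules ;;
    check) gen_rules | check_forward_matches_dnat && echo "FORWARD matches DNAT" ;;
    apply) apply_rules ;;
esac
```

Run it with "check" before "apply". To make the result survive a reboot on CentOS 5, run "service iptables save" (which writes the running rules to /etc/sysconfig/iptables) and set "net.ipv4.ip_forward = 1" in /etc/sysctl.conf instead of relying on the echo into /proc. The SNAT rule is what forces a.b.c.d's replies back through 192.168.1.250 on a box with a single address; without it the client sees replies from a.b.c.d and drops them, exactly as Marian describes above.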