[CentOS] iptables port forwarding
Ljubomir Ljubojevic
office at plnet.rs
Mon Jun 27 07:15:32 UTC 2011
muiz wrote:
> Dear all,
> Below are my default iptables settings (only ports 22 and 8080
> (webcache) are open):
> -------------------------------------------------------------------------------------------------------------
> [root at localhost ~]# /sbin/iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source     destination
> ACCEPT     all  --  anywhere   anywhere     state RELATED,ESTABLISHED
> ACCEPT     icmp --  anywhere   anywhere
> ACCEPT     all  --  anywhere   anywhere
> ACCEPT     tcp  --  anywhere   anywhere     state NEW tcp dpt:ssh
> ACCEPT     tcp  --  anywhere   anywhere     state NEW tcp dpt:webcache
> REJECT     all  --  anywhere   anywhere     reject-with icmp-host-prohibited
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source     destination
> REJECT     all  --  anywhere   anywhere     reject-with icmp-host-prohibited
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source     destination
> -------------------------------------------------------------------------------------------------------------
>
> To Ljubomir:
> The remote server a.b.c.d serves port 8181, and the local server forwards
> its port 8080 to remote 8181.
>
>
> At 2011-06-27, "Ljubomir Ljubojevic" <office at plnet.rs> wrote:
>
>>Marian Marinov wrote:
>>> On Monday 27 June 2011 07:15:33 muiz wrote:
>>>> Marian, I'm very happy you're online :) I think I have tried the record you
>>>> mentioned just now. And I would like to make clear what I have done (the scripts
>>>> I tested):
>>>> /sbin/iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 8080 --to a.b.c.d:8181
>>>> /sbin/iptables -t nat -A POSTROUTING -j SNAT -s 192.168.0.0/255.255.255.0 --to 192.168.1.250
>>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>> Then it does not work!
>>>
>>> You have to have some other iptables rules that block the traffic, since this has
>>> to work.
>>>
>>> Marian
>>>
>>>> At 2011-06-27, "Marian Marinov" <mm at yuhu.biz> wrote:
>>>>> On Monday 27 June 2011 06:50:27 muiz wrote:
>>>>>> Dear Marian and all,
>>>>>>
>>>>>> It seems it doesn't work:
>>>>>> /sbin/iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 8080 --to a.b.c.d:8181
>>>>>> /sbin/iptables -t nat -A POSTROUTING -j SNAT -s 192.168.0.0/255.255.255.0 --to a.b.c.d
>>>>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>>> Yup, it's normal that it doesn't work... You got the SNAT rule wrong :)
>>>>>
>>>>> It should be to the IP of the server that is DOING the forwarding...
>>>>>
>>>>> so
>>>>>
>>>>> /sbin/iptables -t nat -A POSTROUTING -j SNAT -s 192.168.0.0/255.255.255.0 --to 192.168.1.250
>>>>>
>>>>> Marian
>>>>>
>>>>>> I checked the Fedora iptables settings in the /etc/sysconfig/iptables file:
>>>>>> ...
>>>>>>
>>>>>> :POSTROUTING ACCEPT [0:0]
>>>>>>
>>>>>> -A PREROUTING -i eth+ -p tcp --dport 8080 -j DNAT --to-destination a.b.c.d:8080 ....
>>>>>>
>>>>>> :OUTPUT ACCEPT [0:0]
>>>>>>
>>>>>> -A FORWARD -i eth+ -m state --state NEW -m tcp -p tcp -d a.b.c.d --dport 8080 -j ACCEPT
>>>>>>
>>>>>>
>>>>>> And the additional rule I added is:
>>>>>> /sbin/iptables -t nat -A POSTROUTING -d a.b.c.d -p tcp --dport 8080 -j MASQUERADE
>>>>>>
>>>>>>
>>>>>> Then it works! But if I don't use the system-config-firewall GUI tool,
>>>>>> then how?
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> Thanks very much !
>>>>>>
>>>>>> At 2011-06-27, "Marian Marinov" <mm at yuhu.biz> wrote:
>>>>>>> On Monday 27 June 2011 00:08:08 muiz wrote:
>>>>>>>> Thanks Marian,
>>>>>>>> The server only has one IP. I think I should add more iptables
>>>>>>>> records; only one NAT record is not enough, is it correct? If yes,
>>>>>>>> then how?
>>>>>>> Huh, I'm sorry, yes you need a second rule. So the rules are:
>>>>>>> iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 8080 --to a.b.c.d:8181
>>>>>>> iptables -t nat -A POSTROUTING -j SNAT -s local_ip/local_net --to 192.168.1.250
>>>>>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>>>>>
>>>>>>> The Source NAT (SNAT) rule is needed, because otherwise the packets that
>>>>>>> reach a.b.c.d will be coming from the IP of the local client, not
>>>>>>> 192.168.1.250, and so 192.168.1.250 will never receive the replies from
>>>>>>> a.b.c.d.
>>>>>>> Since the packets reach the client directly from a.b.c.d, the client
>>>>>>> will simply disregard them and will wait for packets coming from
>>>>>>> .1.250.
>>>>>>>
>>>>>>> So the SNAT rule changes the SOURCE IP of the packets to 1.250 so
>>>>>>> a.b.c.d will return the answers to the right source.
>>>>>>>
>>>>>>> Marian
>>>>>>>
>>>>>>>> 2011-06-26 23:38:58, "Marian Marinov" <mm at yuhu.biz> wrote:
>>>>>>>>
>>>>>>>>> On Sunday 26 June 2011 12:53:07 muiz wrote:
>>>>>>>>>> Dear all,
>>>>>>>>>>
>>>>>>>>>> I would like to forward a port to an internet server, but
>>>>>>>>>> failed. Can you help me?
>>>>>>>>>>
>>>>>>>>>> Server: eth0: 192.168.1.250, Port: 8080 TCP, CentOS 5.6
>>>>>>>>>> Remote server: IP: a.b.c.d Port: 8181
>>>>>>>>>>
>>>>>>>>>> Forward path: client1(192.168.1.10) -> 192.168.1.250:8080
>>>>>>>>>> (forward) -> a.b.c.d Port: 8181
>>>>>>>>>> -----------------------------------------
>>>>>>>>>> In Fedora, I successfully configured the firewall using
>>>>>>>>>> system-config-firewall and the iptables command:
>>>>>>>>>> 1. Run system-config-firewall
>>>>>>>>>>    1.1 open local port 8080
>>>>>>>>>>    1.2 add a forward rule: local 8080 to remote a.b.c.d:8181, tcp
>>>>>>>>>> 2. echo 1 > /proc/sys/net/ipv4/ip_forward
>>>>>>>>>> 3. add an iptables rule:
>>>>>>>>>>    /sbin/iptables -t nat -A POSTROUTING -d a.b.c.d -p tcp --dport 8181 -j MASQUERADE
>>>>>>>>>> That's all.
>>>>>>>>>>
>>>>>>>>>> Thanks!
>>>>>>>>> You have to use Destination NAT for the job:
>>>>>>>>>
>>>>>>>>> iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 8080 --to a.b.c.d:8181
>>>>>>>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>>>>>>>
>>>>>>>>> If you have more than one IP on the local machine, it's a good idea
>>>>>>>>> to specify the destination: -d 192.168.1.250
>>>>>>>>>
>>>>>>>>> Marian
>>>>>>>> _______________________________________________
>>>>>>>> CentOS mailing list
>>>>>>>> CentOS at centos.org
>>>>>>>> http://lists.centos.org/mailman/listinfo/centos
>>>
>>
>>Actually, a very BIG difference between the two scripts is that on Fedora he
>>redirects port 8080 to a.b.c.d 8080, but in the OP he said a.b.c.d uses port
>>8181!!!
>>
>>And if correcting the port does not help, then he can try an
>>additional rule:
>>
>>-A FORWARD -i eth+ -p tcp -d a.b.c.d --dport 8080 -j ACCEPT
>>
>>
>>Ljubomir
>
Please do not top post; write your answers below the text, like we do.
This is what you posted:
> I check the Fedora iptables setting: /etc/sysconfig/iptables files:
>
> :POSTROUTING ACCEPT [0:0]
>
> -A PREROUTING -i eth+ -p tcp --dport 8080 -j DNAT --to-destination
> a.b.c.d:8080 ....
>
> :OUTPUT ACCEPT [0:0]
>
> -A FORWARD -i eth+ -m state --state NEW -m tcp -p tcp -d a.b.c.d --dport
> 8080 -j ACCEPT
"--to-destination a.b.c.d:8080" means your Fedora box is redirecting
traffic to remote port 8080, not 8181 like you asked on this list.
Ljubomir
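Putting the pieces from this thread together (DNAT in PREROUTING, an ACCEPT in FORWARD, SNAT in POSTROUTING, and ip_forward) as one script. This is an added example, not code from the thread or from CentOS. Addresses follow the original question (gateway 192.168.1.250 on eth0, client 192.168.1.10, remote a.b.c.d:8181); the interface and subnet are assumptions set as variables, and a.b.c.d stays a placeholder until the real address is filled in. Two things the hand-typed commands in the thread do not deal with: the "iptables -L" output quoted above shows the FORWARD chain ending in "REJECT all", so a FORWARD rule added with -A lands behind that REJECT and is never reached (the Fedora-generated config that worked had its FORWARD ACCEPT; this script inserts with -I); and the SNAT rule as posted matches 192.168.0.0/24 while the client in the original question is 192.168.1.10, so the source network is worth checking too. Both NAT rules are pinned to the single forwarded flow so the gateway does not turn into a general NAT box.

```shell
#!/bin/sh
# Added example, not code from the thread: DNAT + FORWARD + SNAT port
# forwarding on the CentOS gateway described in the original question.
# Assumed/placeholder values: eth0 as the LAN interface, 192.168.1.0/24 as
# the LAN, a.b.c.d as the remote host (substitute the real address).
LAN_IF="${LAN_IF:-eth0}"              # interface the LAN clients sit on
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # client network (client1 is 192.168.1.10)
GW_IP="${GW_IP:-192.168.1.250}"       # gateway address the clients connect to
SNAT_IP="${SNAT_IP:-$GW_IP}"          # address a.b.c.d should see (assumed = GW_IP)
LPORT="${LPORT:-8080}"                # port exposed on the gateway
RHOST="${RHOST:-a.b.c.d}"             # remote server (placeholder)
RPORT="${RPORT:-8181}"                # remote port

# Emit the rules in the order they must be applied.
#  - DNAT only for LAN traffic aimed at the gateway's own address (-i/-d),
#    so it never rewrites traffic that merely passes through the box.
#  - FORWARD rules are inserted (-I) at the top of the chain: the posted
#    "iptables -L" output ends FORWARD with "REJECT all", and anything
#    appended with -A would sit behind that REJECT and never match.
#  - SNAT is limited to the forwarded flow (-d RHOST --dport RPORT) rather
#    than to every packet from LAN_NET, so the box is not a general NAT.
rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $LAN_IF -d $GW_IP -p tcp --dport $LPORT -j DNAT --to-destination $RHOST:$RPORT
iptables -I FORWARD 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 2 -i $LAN_IF -s $LAN_NET -d $RHOST -p tcp --dport $RPORT -m state --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -s $LAN_NET -d $RHOST -p tcp --dport $RPORT -j SNAT --to-source $SNAT_IP
EOF
}

# Port the DNAT rule actually sends traffic to. The Fedora config quoted in
# the thread had 8080 here instead of 8181; this catches that kind of slip
# before anything is installed.
forwarded_port() {
    rules | sed -n 's/.*--to-destination [^:]*:\([0-9]*\).*/\1/p'
}

# Number of FORWARD rules that will be inserted ahead of the REJECT.
forward_rule_count() {
    rules | grep -c -- '-I FORWARD'
}

# Refuse to touch the kernel unless root and the generated rules are sane.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: run as root" >&2; return 1; }
    [ "$(forwarded_port)" = "$RPORT" ] || { echo "apply_rules: DNAT port mismatch" >&2; return 1; }
    rules | sh -e
}

case "${1:-}" in
    show)  rules ;;
    apply) apply_rules ;;
esac
```

Run "sh forward.sh show" to print the rules and "sh forward.sh apply" as root to install them. Then, from a client, "curl -v http://192.168.1.250:8080/" and watch the packet counters in "iptables -t nat -L PREROUTING -v -n" and "iptables -L FORWARD -v -n" increase; a DNAT counter that climbs while the FORWARD counter stays at zero means the REJECT in FORWARD is still winning. If the gateway reaches a.b.c.d over a second interface with its own address, set SNAT_IP to that address (or replace the SNAT target with -j MASQUERADE), otherwise a.b.c.d's replies are sent to an address it cannot route.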