[CentOS] iptables port forwarding

Mon Jun 27 07:05:07 UTC 2011
muiz <muiz at 163.com>

Dear all,
     Below are my default iptables settings (only ports 22 and 8080 (webcache) are open):
-------------------------------------------------------------------------------------------------------------
[root at localhost ~]# /sbin/iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:webcache
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited


Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited


Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
-------------------------------------------------------------------------------------------------------------


To Ljubomir:
The remote server a.b.c.d serves port 8181, and the local server forwards its port 8080 to the remote port 8181.




At 2011-06-27,"Ljubomir Ljubojevic" <office at plnet.rs> wrote:

>Marian Marinov wrote:
>> On Monday 27 June 2011 07:15:33 muiz wrote:
>>> Marian, I'm very happy you're online :) I think I have tried the record you
>>> mentioned just now. And I would like to clarify what I have done (the scripts
>>> I tested):
>>> /sbin/iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 8080 --to a.b.c.d:8181
>>> /sbin/iptables -t nat -A POSTROUTING -j SNAT -s 192.168.0.0/255.255.255.0 --to 192.168.1.250
>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>> Then it does not work!
>> 
>> You have to have some other iptables rules that block the traffic since this has 
>> to work.
>> 
>> Marian
>> 
>>> At 2011-06-27,"Marian Marinov" <mm at yuhu.biz> wrote:
>>>> On Monday 27 June 2011 06:50:27 muiz wrote:
>>>>> Dear Marian and all,
>>>>>
>>>>>   It seems it doesn't work:
>>>>> /sbin/iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 8080 --to a.b.c.d:8181
>>>>> /sbin/iptables -t nat -A POSTROUTING -j SNAT -s 192.168.0.0/255.255.255.0 --to a.b.c.d
>>>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>> Yup, it's normal for it not to work... You got the SNAT rule wrong :)
>>>>
>>>> It should be to the IP of the server that is DOING the forwarding...
>>>>
>>>> so
>>>>
>>>> /sbin/iptables -t nat -A POSTROUTING -j SNAT -s 192.168.0.0/255.255.255.0
>>>> --to 192.168.1.250
>>>>
>>>> Marian
>>>>
>>>>> I check the Fedora iptables setting:  /etc/sysconfig/iptables files:
>>>>> ...
>>>>>
>>>>> :POSTROUTING ACCEPT [0:0]
>>>>>
>>>>> -A PREROUTING -i eth+ -p tcp --dport 8080 -j DNAT --to-destination
>>>>> a.b.c.d:8080 ....
>>>>>
>>>>> :OUTPUT ACCEPT [0:0]
>>>>>
>>>>> -A FORWARD -i eth+ -m state --state NEW -m tcp -p tcp -d a.b.c.d --dport
>>>>> 8080 -j ACCEPT
>>>>>
>>>>>
>>>>> And one more rule I add is:
>>>>> /sbin/iptables -t nat -A POSTROUTING -d a.b.c.d -p tcp --dport 8080 -j MASQUERADE
>>>>>
>>>>>
>>>>> Then it works!  But if I don't use the system-config-firewall GUI tool,
>>>>> then how?
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Thanks very much !
>>>>>
>>>>> At 2011-06-27,"Marian Marinov" <mm at yuhu.biz> wrote:
>>>>>> On Monday 27 June 2011 00:08:08 muiz wrote:
>>>>>>> Thanks Marian,
>>>>>>> The server only has one IP. I think I should add more iptables
>>>>>>> records; only one NAT record is not enough, is it correct? If yes,
>>>>>>> then how?
>>>>>> Huh, I'm sorry, yes, you need a second rule. So the rules are:
>>>>>> iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 8080 --to a.b.c.d:8181
>>>>>> iptables -t nat -A POSTROUTING -j SNAT -s local_ip/local_net --to 192.168.1.250
>>>>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>>>>
>>>>>> The Source NAT (SNAT) rule is needed, because otherwise the packets that
>>>>>> reach a.b.c.d will be coming from the IP of the local client, not
>>>>>> 192.168.1.250, and so 192.168.1.250 will never receive the replies from
>>>>>> a.b.c.d.
>>>>>> Since the packets reach the client directly from a.b.c.d, the client
>>>>>> will simply disregard them and will wait for packets coming from
>>>>>> .1.250.
>>>>>>
>>>>>> So the SNAT rule changes the SOURCE IP of the packets to 1.250 so
>>>>>> a.b.c.d will return the answers to the right source.
>>>>>>
>>>>>> Marian
>>>>>>
>>>>>>> At 2011-06-26 23:38:58,"Marian Marinov" <mm at yuhu.biz> wrote:
>>>>>>>  
>>>>>>>> On Sunday 26 June 2011 12:53:07 muiz wrote:
>>>>>>>>> Dear all,
>>>>>>>>>
>>>>>>>>>   I would like to forward a port to an internet server, but
>>>>>>>>>   failed. Can you help me?
>>>>>>>>>
>>>>>>>>> Server:  eth0: 192.168.1.250, Port: 8080 TCP, CentOS 5.6
>>>>>>>>> Remote server:   IP: a.b.c.d  Port: 8181
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Forward path:  client1(192.168.1.10) -> 192.168.1.250:8080
>>>>>>>>> (forward) -> a.b.c.d  Port: 8181
>>>>>>>>> -----------------------------------------
>>>>>>>>> In Fedora, I successfully configured the firewall using
>>>>>>>>> system-config-firewall and the iptables command:
>>>>>>>>> 1. Run system-config-firewall
>>>>>>>>>  1.1 open local port 8080
>>>>>>>>>  1.2 add a forward rule: local 8080 to remote a.b.c.d:8181, tcp
>>>>>>>>> 2. echo 1 > /proc/sys/net/ipv4/ip_forward
>>>>>>>>> 3. add an iptables rule:
>>>>>>>>> /sbin/iptables -t nat -A POSTROUTING -d a.b.c.d -p tcp --dport 8181 -j MASQUERADE
>>>>>>>>> That's all.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Thanks !
>>>>>>>> You have to use Destination NAT for the job:
>>>>>>>>
>>>>>>>> iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 8080 --to a.b.c.d:8181
>>>>>>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>>>>>>
>>>>>>>> If you have more than one IP on the local machine it's a good idea
>>>>>>>> to specify the destination -d 192.168.1.250
>>>>>>>>
>>>>>>>> Marian
>>>>>>> _______________________________________________
>>>>>>> CentOS mailing list
>>>>>>> CentOS at centos.org
>>>>>>> http://lists.centos.org/mailman/listinfo/centos
>> 
>
>Actually, a very BIG difference between the two scripts is that on Fedora he 
>redirects port 8080 to a.b.c.d 8080, but in the OP he said a.b.c.d uses port 
>8181!!!
>
>And if correction of the port does not help, then he can try with 
>additional rule:
>
>-A FORWARD -i eth+ -p tcp -d a.b.c.d --dport 8080 -j ACCEPT
>
>
>Ljubomir
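Marian's explanation of why the SNAT rule must point at the forwarding host, as a small Python model added here (not code from the thread): it walks client1's request through the PREROUTING DNAT, the FORWARD chain and the POSTROUTING SNAT, lets the remote answer, and checks whether the reply reaches the socket client1 actually opened. Conntrack and the filter chains are simplified to the behaviour discussed above; the model also shows that the quoted -s 192.168.0.0/255.255.255.0 does not cover client1 at 192.168.1.10, so that SNAT rule never matches its traffic.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Addresses from the thread: client1, the CentOS box doing the forwarding, the remote server.
CLIENT, GATEWAY, REMOTE = "192.168.1.10", "192.168.1.250", "a.b.c.d"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def gateway_forward(pkt: Packet, snat_rule: Optional[Tuple[str, str]], forward_accepts: bool):
    """Gateway path for a request: PREROUTING DNAT GATEWAY:8080 -> REMOTE:8181, the filter
    FORWARD chain (ACCEPT, or REJECT as in the OP's default chain), then POSTROUTING SNAT
    when the source is inside snat_rule's -s network. Returns (outgoing packet, conntrack)."""
    if (pkt.dst, pkt.dport) == (GATEWAY, 8080):
        pkt = replace(pkt, dst=REMOTE, dport=8181)                 # -j DNAT --to a.b.c.d:8181
    if not forward_accepts:
        return None, None                                          # REJECT in the FORWARD chain
    conntrack = {"orig_src": pkt.src, "orig_sport": pkt.sport}     # restored on the reply path
    if snat_rule and ip_address(pkt.src) in ip_network(snat_rule[0]):
        pkt = replace(pkt, src=snat_rule[1])                       # -j SNAT -s <net> --to <ip>
    return pkt, conntrack

def remote_reply(request: Packet) -> Packet:
    """The remote server answers whatever source address the request carried."""
    return Packet(REMOTE, 8181, request.src, request.sport)

def gateway_unnat(reply: Packet, conntrack: dict) -> Packet:
    """Conntrack reverses both NATs, but only for replies that come back to the gateway."""
    if reply.dst != GATEWAY:
        return reply                                               # went straight to the client
    return Packet(GATEWAY, 8080, conntrack["orig_src"], conntrack["orig_sport"])

def client_accepts(sent: Packet, reply: Packet) -> bool:
    """client1 matches replies against the socket it opened: CLIENT:sport <-> GATEWAY:8080."""
    return (reply.src, reply.sport, reply.dst, reply.dport) == (sent.dst, sent.dport, sent.src, sent.sport)

def simulate(snat_rule: Optional[Tuple[str, str]], forward_accepts: bool = True) -> bool:
    """True if client1's connection to GATEWAY:8080 is answered by REMOTE:8181."""
    sent = Packet(CLIENT, 40000, GATEWAY, 8080)                    # 40000: constructed source port
    out, ct = gateway_forward(sent, snat_rule, forward_accepts)
    return out is not None and client_accepts(sent, gateway_unnat(remote_reply(out), ct))

if __name__ == "__main__":
    print(simulate(("192.168.1.0/24", GATEWAY)))                   # SNAT to the forwarding host
    print(simulate(("192.168.1.0/24", REMOTE)))                    # first attempt: SNAT to a.b.c.d
    print(simulate(("192.168.0.0/255.255.255.0", GATEWAY)))        # -s network misses client1
    print(simulate(("192.168.1.0/24", GATEWAY), forward_accepts=False))  # FORWARD chain rejects
```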