Iptables Forward and Input

How can I port forward with iptables?

First of all - you should check if forwarding is allowed at all:

cat /proc/sys/net/ipv4/conf/ppp0/forwarding 
cat /proc/sys/net/ipv4/conf/eth0/forwarding

If both return 1, it's OK. If not, do the following:

echo '1' | sudo tee /proc/sys/net/ipv4/conf/ppp0/forwarding
echo '1' | sudo tee /proc/sys/net/ipv4/conf/eth0/forwarding

Second thing: DNAT can be applied in the nat table only. So, your rule should be extended by adding the table specification as well (-t nat):

iptables -t nat -A PREROUTING -p tcp -i ppp0 --dport 8001 -j DNAT --to-destination 192.168.1.200:8080
iptables -A FORWARD -p tcp -d 192.168.1.200 --dport 8080 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Both rules are applied only to TCP traffic (if you want to alter UDP as well, you need to provide similar rules but with -p udp option set).

Last, but not least is routing configuration. Type:

ip route

and check if 192.168.1.0/24 is among returned routing entries.
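As an added example (not part of the answer above), here is a POSIX sh script that puts the steps together: it checks the per-interface forwarding flags and the route, then emits the DNAT and FORWARD rules for both TCP and UDP, with the FORWARD rule tied to the inbound interface and the return path allowed through conntrack. The interface names (ppp0, eth0), the address 192.168.1.200 and the ports are the answer's own values, kept here as assumed defaults.

```shell
#!/bin/sh
# Added example, not from the original answer. Emits (or with --apply, runs) the
# iptables rules for forwarding an external port through a Linux gateway.
# ppp0/eth0, 192.168.1.200 and the ports are assumed values; adjust to taste.
set -eu

# forward_rules WAN_IF EXT_PORT DST_HOST DST_PORT PROTO...
# Prints one iptables command per line so the rule set can be reviewed first.
forward_rules() {
    wan_if=$1; ext_port=$2; dst_host=$3; dst_port=$4
    shift 4
    for proto in "$@"; do
        # nat/PREROUTING: rewrite the destination before the routing decision,
        # so the packet is classified as FORWARD rather than INPUT.
        echo "iptables -t nat -A PREROUTING -i $wan_if -p $proto --dport $ext_port -j DNAT --to-destination $dst_host:$dst_port"
        # filter/FORWARD: admit only new connections that came in on the WAN side;
        # matching the post-DNAT destination keeps LAN-originated traffic out of this rule.
        echo "iptables -A FORWARD -i $wan_if -p $proto -d $dst_host --dport $dst_port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Reply packets of every forwarded flow (one rule covers tcp and udp).
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# forwarding_enabled IF...: succeeds only if /proc reports forwarding=1 on each interface.
forwarding_enabled() {
    for ifc in "$@"; do
        [ "$(cat "/proc/sys/net/ipv4/conf/$ifc/forwarding" 2>/dev/null)" = 1 ] || return 1
    done
}

# route_known NETWORK: succeeds if `ip route` lists the destination network.
route_known() {
    ip route 2>/dev/null | grep -q "^$1 "
}

WAN_IF=ppp0          # assumed external interface
LAN_IF=eth0          # assumed internal interface
EXT_PORT=8001
DST_HOST=192.168.1.200
DST_PORT=8080

if [ "${1:-}" = "--apply" ]; then
    forwarding_enabled "$WAN_IF" "$LAN_IF" || { echo "forwarding is off on $WAN_IF or $LAN_IF" >&2; exit 1; }
    route_known 192.168.1.0/24 || { echo "no route to 192.168.1.0/24" >&2; exit 1; }
    forward_rules "$WAN_IF" "$EXT_PORT" "$DST_HOST" "$DST_PORT" tcp udp | sh -e
else
    forward_rules "$WAN_IF" "$EXT_PORT" "$DST_HOST" "$DST_PORT" tcp udp   # dry run: print only
fi
```

Run it without arguments to see the rules it would add; run it as root with --apply to check the prerequisites and apply them. The FORWARD rule deliberately carries -i ppp0, so a host on the LAN cannot use the same rule to reach 192.168.1.200:8080 through the gateway.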

Use iptables on gateway for port forwarding

You're applying the wrong chains. Packets that are received are first processed by PREROUTING; if they are identified as going to "this" machine, they are handed to INPUT, otherwise to FORWARD and POSTROUTING. The OUTPUT chain only ever applies to packets that are generated locally. The iptables tutorial has a fantastic chapter on this.

Based on an example elsewhere on the internet, to answer your question as posed, you probably just need to do this:

# Packets that arrive for port 7080 should be redirected to port 80
iptables -t nat -A PREROUTING -p tcp --dport 7080 -j REDIRECT --to-ports 80

# Separately, all packets that leave this machine that go to port 80
# (which will include the ones redirected above) should be masqueraded,
# i.e. use NAT:
iptables -t nat -A POSTROUTING -p tcp --dport 80 -j MASQUERADE

I'm pretty sure that what you want to do is more complicated, not least because you don't actually say in which direction you want this to happen. If what you actually want to do is just set up a port forward so that your external IP address (let's pretend it's 251.112.112.42) looks to the Internet as if it had a webserver running on its port 7080, but you're actually serving that from an internal machine (let's say 192.168.42.1) on port 80, that's also easy, just different, and even closer to the example already mentioned:

# Anything sent to your external IP:port gets redirected to the internal one:
iptables -t nat -A PREROUTING -d 251.112.112.42/32 -p tcp --dport 7080 \
-j DNAT --to-destination 192.168.42.1:80

# Make sure those connections actually work, by rewriting everything back,
# again simply using NAT:
iptables -t nat -A POSTROUTING -d 192.168.42.1 -p tcp --dport 80 -j MASQUERADE

Forwarding traffic to custom key chain in iptables

This is kind of a question for Superuser, but okay. I have my admin hat on today. :P

The main thing is that you can use your chain as a target like ACCEPT, REJECT or DROP, so you want to pass it as -j option, i.e.

iptables -A INPUT -p tcp --dport 22 -j MYSSH

would append a rule to the INPUT chain that pipes all TCP traffic to port 22 through the MYSSH chain.

The other question is where to insert this rule. Generally, when I do this kind of stuff manually (these days I usually use shorewall because it's easier to maintain), I just work with iptables -A commands and run them in the right order. In your case, it looks as though you want to insert it as the second or third rule, before the catch-all

ACCEPT     all  --  anywhere             anywhere 

rule (although that might have some additional conditions that iptables -L will not show without -v; I can't know that). Then we're looking at

iptables -I INPUT 2 -p tcp --dport 22 -j MYSSH

or

iptables -I INPUT 3 -p tcp --dport 22 -j MYSSH

depending on where you want it.

Note, by the way, that if this catch-all rule doesn't have additional conditions that I'm not seeing, the rule below it will never be reached.
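An added example, not the answer's own code, showing the whole procedure end to end: the MYSSH chain is created and populated (the rate limit inside it, built on the conntrack and recent matches, is an assumed policy the answer never specified), and the position for the jump is computed from the output of iptables -S INPUT, where the full rule spec is visible, instead of being guessed from iptables -L. The listing used in the dry run is constructed; the awk function prints the 1-based index of the first INPUT rule that has no match conditions at all, which is exactly where the jump has to go in order to be reached.

```shell
#!/bin/sh
# Added example, not from the original answer. Creates a MYSSH chain and inserts
# the jump into INPUT just before the first unconditional rule, so it is reachable.
# The rate-limit policy inside MYSSH is an assumed choice, not something the answer specified.
set -eu

# myssh_rules: commands that create and populate the chain.
# Order matters: the ESTABLISHED rule comes first so existing sessions never hit the limiter.
myssh_rules() {
    cat <<'EOF'
iptables -N MYSSH
iptables -A MYSSH -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A MYSSH -m conntrack --ctstate NEW -m recent --set --name SSH
iptables -A MYSSH -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
iptables -A MYSSH -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# catchall_position: reads `iptables -S INPUT` output on stdin and prints the
# 1-based position of the first INPUT rule whose spec is just "-j TARGET"
# (no -p/-s/-i/-m/... conditions). Prints nothing if there is no such rule.
catchall_position() {
    awk '$1 == "-A" && $2 == "INPUT" { n++; if ($3 == "-j") { print n; exit } }'
}

# jump_command: reads the same listing and prints the iptables command that
# places the jump to MYSSH before the catch-all, or appends it if there is none.
jump_command() {
    pos=$(catchall_position)
    if [ -n "$pos" ]; then
        echo "iptables -I INPUT $pos -p tcp --dport 22 -j MYSSH"
    else
        echo "iptables -A INPUT -p tcp --dport 22 -j MYSSH"
    fi
}

if [ "${1:-}" = "--apply" ]; then
    # Real run (as root): build the chain, then insert the jump at the computed position.
    { myssh_rules; iptables -S INPUT | jump_command; } | sh -e
else
    # Dry run against a constructed listing: the catch-all is rule 3, so the jump goes at 3.
    sample='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT'
    myssh_rules
    printf '%s\n' "$sample" | jump_command
fi
```

The same check catches the other common layout, a final conditionless REJECT or DROP rule in front of a permissive policy: that rule also has nothing but -j in its spec, so the jump lands before it rather than after it.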

iptables forward port over two eth cards

Try this:

/sbin/iptables -t nat -I PREROUTING -i eth1 -d 192.168.6.2 -p tcp --dport 8848 -j DNAT --to-destination 192.168.0.3:8848

Now you can access 192.168.6.2:8848 and packets will be sent/nated to 192.168.0.3 on the same port.

iptables put all forwarding rules in prerouting

If a packet does not match any rules in your PREROUTING chain, there is nothing to prevent it from hitting your FORWARD chain, unless you set the default PREROUTING policy to DROP.

Packets only go to the INPUT chain if their destination address is an address that belongs to a local interface on your host. Otherwise, they go to the FORWARD chain, and if they pass that chain AND the ip_forward sysctl is enabled, your system will forward them based on your routing table.

Your system may receive packets that are not destined for a local interface. This is how basic routing works: when your system wants to contact, say, Google's dns server at 8.8.8.8, packets are sent to your local default gateway, which receives and routes them even though the destination address is somewhere else entirely.

Your system may explicitly route traffic for physical networks to which it is attached or for containers or virtual machines hosted on the system. All of these involve your system accepting and forwarding packets that do not match a local interface.

iptables FORWARD rule blocking return traffic

I solved this by adding

iptables -A FORWARD -i tun1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

which allows established connections to return. Everything works as desired now.
