How can I port forward with iptables?
First of all, you should check if forwarding is allowed at all:
cat /proc/sys/net/ipv4/conf/ppp0/forwarding
cat /proc/sys/net/ipv4/conf/eth0/forwarding
If both return 1, it's ok. If not, do the following:
echo '1' | sudo tee /proc/sys/net/ipv4/conf/ppp0/forwarding
echo '1' | sudo tee /proc/sys/net/ipv4/conf/eth0/forwarding
Second thing: DNAT could be applied on the nat table only. So, your rule should be extended by adding the table specification as well (-t nat):
iptables -t nat -A PREROUTING -p tcp -i ppp0 --dport 8001 -j DNAT --to-destination 192.168.1.200:8080
iptables -A FORWARD -p tcp -d 192.168.1.200 --dport 8080 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
Both rules are applied only to TCP traffic (if you want to alter UDP as well, you need to provide similar rules but with the -p udp option set).
Last, but not least is routing configuration. Type:
ip route
and check if 192.168.1.0/24 is among the returned routing entries.
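The steps in this answer (forwarding check, DNAT in the nat table, FORWARD accept rules) put together as one script, in dry-run mode so the generated rules can be reviewed before they are applied. This is an added example, not code from the original answer; the interface name and addresses are the constructed values from the answer above, and the third rule, which lets reply traffic back out, is included because a FORWARD chain with a DROP policy silently breaks the connection without it:

```shell
#!/bin/sh
# Added example: generate (and optionally apply) the rule set for a TCP port
# forward on a Linux gateway. Values used at the bottom are constructed.

# forwarding_enabled IFACE -> succeeds if /proc says forwarding is on for IFACE
forwarding_enabled() {
    f="/proc/sys/net/ipv4/conf/$1/forwarding"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# port_forward_rules EXT_IF EXT_PORT INT_IP INT_PORT
# Prints one iptables command per line:
#   1. DNAT in nat/PREROUTING (the nat table is the only place DNAT is valid)
#   2. FORWARD: allow new connections toward the internal host
#   3. FORWARD: allow the replies back out; without this the forward only
#      works while FORWARD's policy is ACCEPT
port_forward_rules() {
    ext_if=$1; ext_port=$2; int_ip=$3; int_port=$4
    printf '%s\n' \
      "iptables -t nat -A PREROUTING -i $ext_if -p tcp --dport $ext_port -j DNAT --to-destination $int_ip:$int_port" \
      "iptables -A FORWARD -i $ext_if -p tcp -d $int_ip --dport $int_port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT" \
      "iptables -A FORWARD -o $ext_if -p tcp -s $int_ip --sport $int_port -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# apply_port_forward EXT_IF EXT_PORT INT_IP INT_PORT
# DRY_RUN=1 (the default) only prints the commands; DRY_RUN=0 runs them (needs root).
apply_port_forward() {
    if ! forwarding_enabled "$1"; then
        echo "warning: forwarding is disabled on $1; enable it with:" >&2
        echo "  echo 1 | sudo tee /proc/sys/net/ipv4/conf/$1/forwarding" >&2
    fi
    port_forward_rules "$@" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-1}" = "1" ]; then
            echo "$cmd"
        else
            sh -c "$cmd"
        fi
    done
}

# Constructed example matching the answer: external ppp0:8001 -> 192.168.1.200:8080
DRY_RUN=1 apply_port_forward ppp0 8001 192.168.1.200 8080
```

Run it as root with DRY_RUN=0 to apply the printed rules; the routing check from the answer (ip route) still has to be done separately.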
Use iptables on gateway for port forwarding
You're applying the wrong chains. Packets that are received are first processed by PREROUTING; if they are identified as going to "this" machine, they are handed to INPUT, otherwise to FORWARD and POSTROUTING. The OUTPUT chain only ever applies to packets that are generated locally. The iptables tutorial has a fantastic chapter on this.
Based on an example elsewhere on the internet, to answer your question as posed, you probably just need to do this:
# Packets that arrive for port 7080 should be redirected to port 80
iptables -t nat -A PREROUTING -p tcp --dport 7080 -j REDIRECT --to-ports 80
# Separately, all packets that leave this machine that go to port 80
# (which will include the ones redirected above) should be masqueraded,
# i.e. use NAT:
iptables -t nat -A POSTROUTING -p tcp --dport 80 -j MASQUERADE
I'm pretty sure that what you want to do is more complicated, not least because you don't actually say in which direction you want this to happen. If what you actually want to do is just set up a port forward so that your external IP address (let's pretend it's 251.112.112.42) looks to the Internet as if it had a webserver running on its port 7080, but you're actually serving that from an internal machine (let's say 192.168.42.1) on port 80, that's also easy, just different, and even closer to the example already mentioned:
# Anything sent to your external IP:port gets redirected to the internal one:
iptables -t nat -A PREROUTING -d 251.112.112.42/32 -p tcp --dport 7080 \
-j DNAT --to-destination 192.168.42.1:80
# Make sure those connections actually work, by rewriting everything back,
# again simply using NAT:
iptables -t nat -A POSTROUTING -d 192.168.42.1 -p tcp --dport 80 -j MASQUERADE
Forwarding traffic to custom key chain in iptables
This is kind of a question for Superuser, but okay. I have my admin hat on today. :P
The main thing is that you can use your chain as a target like ACCEPT, REJECT or DROP, so you want to pass it as the -j option, i.e.
iptables -A INPUT -p tcp --dport 22 -j MYSSH
would append a rule to pipe all TCP traffic to port 22 through the MYSSH chain to the INPUT chain.
The other question is where to insert this rule. Generally, when I do this kind of stuff manually (these days I usually use shorewall because it's easier to maintain), I just work with iptables -A commands and run them in the right order. In your case, it looks as though you want to insert it as the second or third rule, before the catchall
ACCEPT all -- anywhere anywhere
rule (although that might have some additional conditions that iptables -L will not show without -v; I can't know that). Then we're looking at
iptables -I INPUT 2 -p tcp --dport 22 -j MYSSH
or
iptables -I INPUT 3 -p tcp --dport 22 -j MYSSH
depending on where you want it.
Note, by the way, that if this catch-all rule doesn't have additional conditions that I'm not seeing, the rule below it will never be reached.
iptables forward port over two eth cards
Try this:
/sbin/iptables -t nat -I PREROUTING -i eth1 -d 192.168.6.2 -p tcp --dport 8848 -j DNAT --to-destination 192.168.0.3:8848
Now you can access 192.168.6.2:8848 and packets will be sent/nated to 192.168.0.3 on the same port.
iptables put all forwarding rules in prerouting
If a packet does not match any rules in your PREROUTING chain, there is nothing to prevent it from hitting your FORWARD chain, unless you set the default PREROUTING policy to DROP.
Packets only go to the INPUT chain if their destination address is an address that belongs to a local interface on your host. Otherwise, they go to the FORWARD chain, and if they pass that chain AND the ip_forward sysctl is enabled, your system will forward them based on your routing table.
Your system may receive packets that are not destined for a local interface. This is how basic routing works: when your system wants to contact, say, Google's dns server at 8.8.8.8, packets are sent to your local default gateway, which receives and routes them even though the destination address is somewhere else entirely.
Your system may explicitly route traffic for physical networks to which it is attached or for containers or virtual machines hosted on the system. All of these involve your system accepting and forwarding packets that do not match a local interface.
iptables FORWARD rule blocking return traffic
I solved this by adding
iptables -A FORWARD -i tun1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
which allows established connections to return. Everything works as desired now.