goldfisch.at-knowledgebase   (by peter pilsl)


  portforward with iptables

keywords : ip-tables masquerading forward


I have a standalone server on the internet: SERVER-A

and another standalone server on the internet: SERVER-B

Both servers are in different regions of this universe, but for some reason I need to forward PORT-A on SERVER-A to PORT-B on SERVER-B.

The solution is iptables. In my case SERVER-A is an old kernel-2.4 machine, and none of the manuals and howtos on the internet solved my problem until Pascal Hambourg on c.o.l.n helped me out with my rules and pointed me to the following:

http://jengelh.medozas.de/images/dnat-mistake.png

After this I was able to finish my port-forward script (SERVER-A, SERVER-B, PORT-A and PORT-B are placeholders for the real addresses and ports):

#!/bin/sh
# enable IPv4 forwarding in the kernel, otherwise nothing is forwarded at all
echo 1 > /proc/sys/net/ipv4/ip_forward
echo processing flush
# flush the filter table chains
/usr/local/sbin/iptables -F FORWARD
/usr/local/sbin/iptables -F INPUT
/usr/local/sbin/iptables -F OUTPUT
echo processing flush -t nat
# flush the nat table chains
/usr/local/sbin/iptables -t nat -F POSTROUTING
/usr/local/sbin/iptables -t nat -F PREROUTING
echo processing policy/ACCEPT
# default policy ACCEPT everywhere: this leaves the host's own filter wide
# open, the FORWARD rules below only make the forwarded traffic explicit
/usr/local/sbin/iptables -P FORWARD ACCEPT
/usr/local/sbin/iptables -P INPUT ACCEPT
/usr/local/sbin/iptables -P OUTPUT ACCEPT
echo processing policy -t nat/ACCEPT
/usr/local/sbin/iptables -t nat -P POSTROUTING ACCEPT
/usr/local/sbin/iptables -t nat -P PREROUTING ACCEPT
echo processing PREROUTING -t nat
# the LOG rules have no match, so they log every packet passing the chain;
# useful while debugging, remove them once forwarding works
/usr/local/sbin/iptables -t nat -A PREROUTING -j LOG
# DNAT: packets arriving on eth0 for SERVER-A:PORT-A are rewritten to SERVER-B:PORT-B
/usr/local/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d SERVER-A --dport PORT-A -j DNAT --to SERVER-B:PORT-B
echo processing POSTROUTING -t nat
/usr/local/sbin/iptables -t nat -A POSTROUTING -j LOG
# SNAT: rewrite the source to SERVER-A so that SERVER-B's replies come back
# through this host instead of going directly to the client (the mistake
# shown in dnat-mistake.png above)
/usr/local/sbin/iptables -t nat -A POSTROUTING -p tcp -o eth0 -d SERVER-B --dport PORT-B -j SNAT --to-source SERVER-A
echo processing FORWARD
/usr/local/sbin/iptables -A FORWARD -j LOG
# allow the translated connection in both directions (FORWARD sees the addresses after DNAT)
/usr/local/sbin/iptables -A FORWARD -p tcp -i eth0 -d SERVER-B --dport PORT-B -j ACCEPT
/usr/local/sbin/iptables -A FORWARD -p tcp -o eth0 -s SERVER-B --sport PORT-B -j ACCEPT
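The following is an added example, not part of the knowledgebase entry: a small model of what the DNAT rule and the SNAT rule do to one TCP connection, so that the dnat-mistake becomes visible. Without the SNAT rule SERVER-B answers the client directly from SERVER-B:PORT-B, which the client never connected to, so the reply is dropped. The IP addresses and ports are constructed placeholders for SERVER-A, SERVER-B, PORT-A and PORT-B.

```python
from typing import NamedTuple

class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int

# constructed documentation addresses standing in for the real hosts
CLIENT, SERVER_A, SERVER_B = "198.51.100.7", "203.0.113.10", "192.0.2.20"
PORT_A, PORT_B = 8080, 80

def forward_via_server_a(pkt: Packet, use_snat: bool):
    """Apply the PREROUTING DNAT rule and, optionally, the POSTROUTING SNAT
    rule to a packet arriving on SERVER-A. Returns the packet as it leaves
    SERVER-A and the conntrack entry (original tuple, expected reply tuple)."""
    if (pkt.dst, pkt.dport) != (SERVER_A, PORT_A):
        return pkt, None                      # not ours, routed untouched
    # PREROUTING: -d SERVER-A --dport PORT-A -j DNAT --to SERVER-B:PORT-B
    out = pkt._replace(dst=SERVER_B, dport=PORT_B)
    # POSTROUTING: -d SERVER-B --dport PORT-B -j SNAT --to-source SERVER-A
    if use_snat:
        out = out._replace(src=SERVER_A)
    # conntrack remembers the original tuple and the reply it expects
    reply_expected = Packet(out.dst, out.dport, out.src, out.sport)
    return out, (pkt, reply_expected)

def reply_path(request_seen_by_b: Packet, conntrack):
    """SERVER-B answers whatever source address it saw. Only if the reply
    reaches SERVER-A can conntrack reverse both translations."""
    reply = Packet(request_seen_by_b.dst, request_seen_by_b.dport,
                   request_seen_by_b.src, request_seen_by_b.sport)
    if reply.dst != SERVER_A:
        return reply                          # went straight to the client
    original, expected = conntrack
    assert reply == expected                  # matches the conntrack entry
    # un-SNAT in PREROUTING, un-DNAT in POSTROUTING: back to the client's view
    return Packet(original.dst, original.dport, original.src, original.sport)

def client_accepts(reply: Packet) -> bool:
    """The client only matches a reply from the tuple it connected to."""
    return (reply.src, reply.sport, reply.dst) == (SERVER_A, PORT_A, CLIENT)

def simulate(use_snat: bool) -> bool:
    """True if the client gets a usable reply for a connection to SERVER-A:PORT-A."""
    request = Packet(CLIENT, 40000, SERVER_A, PORT_A)
    to_b, ct = forward_via_server_a(request, use_snat)
    return client_accepts(reply_path(to_b, ct))
```

Run `simulate(True)` and `simulate(False)` to see the connection succeed with the SNAT rule and fail without it.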


peter at 2009-04-26 (updated 2009-04-26)

serial : 427


If you found any nonsense in this entry or want to see important improvements, I would appreciate receiving your comments at knowledge@goldfisch.at

disclaimer : all these entries are part of my very private knowledgebase that I created while solving problems. Many solutions are taken from other webpages or from usenet. There is no warranty for these entries of course. Some of the articles are even stupid and one day you might even find the name of my preferred pizza-service in here, because I always forget about it. Remember : This is my knowledgebase. If you need professional support and are willing to pay for it just email me at pilsl@goldfisch.at
For enlightenment take a look at http://leblogsportif.sportnation.at