iptables port forwarding not working

Posted on 2007-07-30
Last Modified: 2012-05-05
I want to port forward to a computer on my LAN. I am using iptables on an Ubuntu Dapper Drake (6.06 LTS) server that functions as gateway, webserver and (to my LAN) DHCP server. I flush both the nat and filter tables and start from scratch:

   iptables -A PREROUTING -t nat -p tcp --dport 5500 -i eth0 -j DNAT --to-destination

   iptables -I FORWARD 1 -d -p tcp --dport 5500 -j ACCEPT

Then I add my "regular" NAT capabilities:

   iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
   iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
   iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

The above is not working. I verify this using t4eportping, a command line utility. I also try using UltraVNC viewer in listen mode, the purpose for the forward in the first place. It doesn't work.

I run:

   iptables -L


   Chain INPUT (policy ACCEPT)
   target     prot opt source               destination

   Chain FORWARD (policy ACCEPT)
   target     prot opt source               destination
   ACCEPT     tcp  --  anywhere           tcp dpt:5500
   ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
   ACCEPT     all  --  anywhere             anywhere

   Chain OUTPUT (policy ACCEPT)
   target     prot opt source               destination

Is there another place, other than iptables, where port forwarding must be enabled?

If not, why is the above not working?
Question by: greenftechn
Accepted Solution

m1tk4 earned 2000 total points
ID: 19594225
You need a second rule that would reverse-NAT the traffic from It would look like

   iptables -A POSTROUTING -s -j SNAT --to-source (your external IP here)

What happens is that the packets probably reach your 0.15 server but the responses do not go back through the firewall.

if this does not work, post the output of your iptables-save command here.

If you are planning to do something more extensive than just this port forward with this server, I'd recommend shorewall over hacking iptables manually.
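As an added example (not the thread's own script, and not endorsed by either poster), here is the complete ruleset from the question with the accepted answer's static SNAT folded in, written as a reviewable POSIX sh script. It also answers the "is there another place port forwarding must be enabled?" question: the kernel's net.ipv4.ip_forward switch, which iptables rules cannot substitute for. Interface names follow the thread (eth0 = Internet, eth1 = LAN); the addresses 192.0.2.15 and 198.51.100.10 are placeholder assumptions standing in for the LAN host and the gateway's external IP, which the page does not show. The `-P FORWARD DROP` policy and the `-o eth0` restriction on the SNAT rule are my tightening, not part of the original rules.

```sh
#!/bin/sh
# Added example for the thread above. Not the original poster's script.
# Usage:  sh portforward.sh show    (print the iptables commands, touch nothing)
#         sh portforward.sh apply   (run them as root)
# Without an argument it only defines functions, so it can be sourced or tested.

WAN_IF=eth0               # Internet-facing interface, as in the question
LAN_IF=eth1               # LAN interface, as in the question
FWD_PORT=5500             # UltraVNC listen-mode port from the question
LAN_HOST=192.0.2.15       # ASSUMPTION: the LAN box the thread calls "0.15"
WAN_IP=198.51.100.10      # ASSUMPTION: the gateway's external address

# iptables FORWARD/DNAT rules are silently useless unless the kernel routes
# between interfaces. Prints 1, 0, or "unknown" when /proc is unavailable.
ip_forward_state() {
    if [ -r /proc/sys/net/ipv4/ip_forward ]; then
        cat /proc/sys/net/ipv4/ip_forward
    else
        echo unknown
    fi
}

# One iptables argument line per rule, kept as data so the set can be
# reviewed (or tested) without touching a live firewall.
rules() {
    cat <<EOF
-t nat -F
-F FORWARD
-P FORWARD DROP
-t nat -A PREROUTING -i $WAN_IF -p tcp --dport $FWD_PORT -j DNAT --to-destination $LAN_HOST
-A FORWARD -i $WAN_IF -o $LAN_IF -d $LAN_HOST -p tcp --dport $FWD_PORT -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
-t nat -A POSTROUTING -s $LAN_HOST -o $WAN_IF -j SNAT --to-source $WAN_IP
-t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
EOF
}
# Notes on the rules above:
#  - Policy DROP on FORWARD means only the listed flows cross the gateway; the
#    question's ruleset had policy ACCEPT, so its FORWARD rules were not limiting.
#  - The DNAT rule rewrites the destination of inbound SYNs on $WAN_IF only; the
#    FORWARD rule then admits exactly that flow, and RELATED,ESTABLISHED admits
#    the return traffic, which conntrack un-NATs on its own.
#  - The static SNAT is the accepted answer's rule, limited to $WAN_IF so it does
#    not rewrite traffic the LAN host sends to other LAN addresses. Like
#    MASQUERADE it only sees the first packet of connections the host initiates.

# Count of rule lines, a cheap sanity check before applying.
rule_count() {
    rules | wc -l | tr -d ' '
}

# apply_rules dry  -> echo each "iptables ..." command
# apply_rules live -> execute it; stops at the first failing rule
apply_rules() {
    if [ "$1" = live ]; then ipt=iptables; else ipt="echo iptables"; fi
    rules | while IFS= read -r line; do
        # Word splitting of $line into separate arguments is intended here.
        $ipt $line || { echo "failed: iptables $line" >&2; exit 1; }
    done
}

case "${1:-}" in
    show)
        apply_rules dry ;;
    apply)
        [ "$(ip_forward_state)" = 1 ] || echo "warning: net.ipv4.ip_forward is $(ip_forward_state); enable it with: sysctl -w net.ipv4.ip_forward=1" >&2
        apply_rules live ;;
    *)
        ;;  # no argument: only define the functions
esac
```

Two checks worth making before blaming the rules: `cat /proc/sys/net/ipv4/ip_forward` must print 1, and the LAN host's default gateway must be this box's eth1 address, otherwise its replies leave by another route and never pass through the firewall's connection tracking (the "packets arrive but nothing comes back" symptom). `tcpdump -ni eth1 tcp port 5500` on the gateway shows whether the rewritten packets go out and whether replies return.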

Expert Comment

ID: 19594250
Masquerading is not enough because it is triggered by the first packet that goes out. Because the response packets from 0.15 to an incoming connection are "ESTABLISHED", masquerade does not work.

You could also try troubleshooting the problem using tcpdump of a specific port.

Author Comment

ID: 19594591
Yes, the postrouting added to the nat table did the trick! Of course, you missed "-t nat" at the beginning, but I was able to pick up on that when I tried typing it as given and got the error message.

I tried shorewall when I first set up my gateway, but wasn't able to get it to work, go figure. It seemed like it should be easy, but getting basic firewall configuration and NAT was very easy with iptables alone. I may give it another go when I am not busy, and my network becomes more complex.

Author Comment

ID: 19594627
One additional comment: the packets were indeed reaching the computer, as you said. Furthermore, your mentioning that they probably were reminded me that I had Ethereal installed on the LAN computer I wished to reach. With that, I was able to see exactly what was happening.
