iptables port forwarding not working

Posted on 2007-07-30
Last Modified: 2012-05-05
I want to port forward to a computer on my LAN. I am using iptables on an Ubuntu Dapper Drake (LTS 6.06) server that functions as gateway, webserver and (to my LAN) DHCP server. I flush both nat and iptables and start from scratch:

   iptables -A PREROUTING -t nat -p tcp --dport 5500 -i eth0 -j DNAT --to-destination

   iptables -I FORWARD 1 -d -p tcp --dport 5500 -j ACCEPT

Then I add my "regular" NAT capabilities:

   iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
   iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
   iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

The above is not working. I verify this using t4eportping, a command line utility. I also try using UltraVNC viewer in listen mode, the purpose for the forward in the first place. It doesn't work.

I run:

   iptables -L


   Chain INPUT (policy ACCEPT)
   target     prot opt source               destination

   Chain FORWARD (policy ACCEPT)
   target     prot opt source               destination
   ACCEPT     tcp  --  anywhere           tcp dpt:5500
   ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
   ACCEPT     all  --  anywhere             anywhere

   Chain OUTPUT (policy ACCEPT)
   target     prot opt source               destination

Is there another place, other than iptables, where port forwarding must be enabled?

If not, why is the above not working?
Question by:greenftechn
    LVL 15

    Accepted Solution

    You need a second rule that would reverse-NAT the traffic from It would look like

    iptables -A POSTROUTING -s -j SNAT --to-source (your external IP here)

    What happens is that the packets probably reach your 0.15 server but the responses do not go back through the firewall.

    If this does not work, post the output of your iptables-save command here.

    If you are planning to do something more extensive than just this port forward with this server, I'd recommend shorewall over hacking iptables manually.
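The complete ruleset the accepted answer describes, as an added example that is not the answer's own commands: a shell function that prints (rather than applies) the DNAT, FORWARD and SNAT rules for constructed interface names and addresses, plus a check that flags any PREROUTING/POSTROUTING rule lacking "-t nat", the omission the author comment mentions. Unlike the answer's rule, the SNAT here is placed on the LAN-facing interface with the gateway's own LAN address as the source, and the kernel forwarding sysctl is included because it is enabled outside iptables.

```shell
#!/bin/sh
# Added example, not from the thread. Prints (does not apply) a complete
# port-forward ruleset for a Linux gateway; all names and addresses are
# placeholders supplied as arguments.
#
# portfwd_rules EXT_IF LAN_IF PORT LAN_HOST GW_LAN_IP
#   EXT_IF/LAN_IF  internet- and LAN-facing interfaces (eth0/eth1 in the question)
#   PORT           TCP port to forward (5500 in the question)
#   LAN_HOST       internal host that should receive the connection
#   GW_LAN_IP      this gateway's own LAN address, used as the SNAT source
portfwd_rules() {
    ext_if=$1; lan_if=$2; port=$3; lan_host=$4; gw_lan_ip=$5
    # Forwarding is a kernel setting, separate from any iptables rule.
    echo "sysctl -w net.ipv4.ip_forward=1"
    # 1. Rewrite the destination of inbound packets (nat table, PREROUTING).
    echo "iptables -t nat -A PREROUTING -i $ext_if -p tcp --dport $port -j DNAT --to-destination $lan_host"
    # 2. Let the rewritten packets cross the box (filter table, FORWARD):
    #    match the post-DNAT destination, and allow the replies back.
    echo "iptables -A FORWARD -i $ext_if -o $lan_if -d $lan_host -p tcp --dport $port -j ACCEPT"
    echo "iptables -A FORWARD -i $lan_if -o $ext_if -m state --state RELATED,ESTABLISHED -j ACCEPT"
    # 3. SNAT the forwarded flow on the LAN side so the LAN host's replies
    #    are addressed to this gateway and come back through it (the
    #    accepted answer's point). POSTROUTING exists only in the nat
    #    table, hence '-t nat'. Side effect: the LAN host sees the gateway,
    #    not the real client, as the peer address in its own logs.
    echo "iptables -t nat -A POSTROUTING -o $lan_if -d $lan_host -p tcp --dport $port -j SNAT --to-source $gw_lan_ip"
    # Regular outbound masquerading for the LAN, as in the question.
    echo "iptables -t nat -A POSTROUTING -o $ext_if -j MASQUERADE"
}

# Flags the mistake the author comment describes: a rule naming a nat-only
# chain without '-t nat'. Prints each offender; returns 1 if any were found.
check_nat_table() {
    printf '%s\n' "$1" | awk 'BEGIN { bad = 0 }
        /^iptables / && /(PREROUTING|POSTROUTING)/ && !/-t nat/ {
            print "missing -t nat: " $0; bad = 1
        }
        END { exit bad }'
}

# Constructed sample values; the gateway owns 192.168.0.1 on eth1 here.
portfwd_rules eth0 eth1 5500 192.168.0.15 192.168.0.1
```

Pipe the printed rules through check_nat_table before running them with sh; a rule that only names POSTROUTING without "-t nat" fails with the error the author comment mentions.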
    LVL 15

    Expert Comment

    Masquerading is not enough because it is triggered by the first packet that goes out. Because the response packets from 0.15 to an incoming connection are "ESTABLISHED", masquerade does not work.

    You could also try troubleshooting the problem using tcpdump of a specific port.

    Author Comment

    Yes, the postrouting added to the nat table did the trick! Of course, you missed "-t nat" at the beginning, but I was able to pick up on that when I tried typing it as given and got the error message.

     I tried shorewall when I first set up my gateway, but wasn't able to get it to work, go figure. It seemed like it should be easy, but getting basic firewall configuration and NAT was very easy with iptables alone. I may give it another go when I am not busy, and my network becomes more complex.

    Author Comment

    One additional comment, the packets were indeed reaching the computer, as you said. Furthermore, your mentioning that they probably were reminded me that I had ethereal installed on the LAN computer I wished to reach. With that, I was able to see exactly what was happening.
