• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1904

iptables port forwarding DNAT is not working on

I have a problem: I could not succeed in configuring port forwarding on a Linux box. When I use iptables -L to list the configuration I see only the default policy, which is "ACCEPT", and I cannot see the configuration for DNAT (i.e. port forwarding) that I added. After I added it using the command below:

[root@gwserver log]# /sbin/iptables -t nat -F
[root@gwserver log]# /sbin/iptables -t nat -A PREROUTING -p tcp -d 10.13.1.17 --dport 8081 -j DNAT --to-destination 192.168.107.50:8081

then I use "iptables -L" and I see nothing has changed.

Could you help figure out and check my configuration?
[root@gwserver log]# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:1E:0B:62:11:4E  
          inet addr:10.13.1.17  Bcast:10.13.1.255  Mask:255.255.255.0
          inet6 addr: fe80::21e:bff:fe62:114e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2114764278 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2188537282 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2724035159 (2.5 GiB)  TX bytes:3419229934 (3.1 GiB)
          Interrupt:185 Memory:f8000000-f8012100 
 
eth1      Link encap:Ethernet  HWaddr 00:1E:0B:62:11:48  
          inet addr:192.168.105.220  Bcast:192.168.105.255  Mask:255.255.255.0
          inet6 addr: fe80::21e:bff:fe62:1148/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2462218706 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1824303729 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1682170666 (1.5 GiB)  TX bytes:3807574811 (3.5 GiB)
          Interrupt:82 Memory:fa000000-fa012100 
 
[root@gwserver log]# chkconfig --list | grep iptables
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
 
[root@gwserver log]# uname -r
2.6.18-53.el5PAE
 
[root@gwserver log]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
 
[root@gwserver log]# /sbin/iptables -t nat -F
[root@gwserver log]# /sbin/iptables -t nat -A PREROUTING -p tcp -d 10.13.1.17 --dport 8081 -j DNAT --to-destination 192.168.107.50:8081
[root@gwserver log]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@gwserver log]#

Asked by tballah

1 Solution
Blaz commented:
Try:
iptables -t nat -L

you could add -v -x to get some more info:
iptables -t nat -L -v -x
 
tballah (Author) commented:
This is the output of the command "iptables -t nat -L -v -x":

[root@gwserver ~]# iptables -t nat -L -v -x
Chain PREROUTING (policy ACCEPT 164193 packets, 17192697 bytes)
    pkts      bytes target     prot opt in     out     source               destination        
       4      208 DNAT       tcp  --  any    any     anywhere             10.13.1.17          tcp dpt:tproxy to:192.168.107.50:8081

Chain POSTROUTING (policy ACCEPT 31302 packets, 1881381 bytes)
    pkts      bytes target     prot opt in     out     source               destination        

Chain OUTPUT (policy ACCEPT 31302 packets, 1881381 bytes)
    pkts      bytes target     prot opt in     out     source               destination        
[root@gwserver ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

I try to telnet to 10.13.1.17 on port 8081 ("telnet 10.13.1.17 8081"), then I use "iptables -t nat -L -v -x" and I can see some packets reached this Linux box, but I still cannot succeed:

C:\Documents and Settings\ballah>telnet 10.13.1.17 8081
Connecting To 10.13.1.17...Could not open connection to the host, on port 8081:
Connect failed

From the Linux box I can successfully telnet to port 8081:

[root@gwserver ~]# telnet 192.168.107.50 8081
Trying 192.168.107.50...
Connected to 192.168.107.50 (192.168.107.50).
Escape character is '^]'.

What else should I configure to enable me to successfully telnet to 10.13.1.17  with port 8081?
 
Blaz commented:
Try to add:
iptables -t nat -A POSTROUTING -j MASQUERADE
 
tballah (Author) commented:
[root@gwserver ~]# iptables -t nat -L -v -x
Chain PREROUTING (policy ACCEPT 165349 packets, 17315830 bytes)
    pkts      bytes target     prot opt in     out     source               destination        
       4      208 DNAT       tcp  --  any    any     anywhere             10.13.1.17          tcp dpt:tproxy to:192.168.107.50:8081

Chain POSTROUTING (policy ACCEPT 31492 packets, 1892816 bytes)
    pkts      bytes target     prot opt in     out     source               destination        
       6      369 MASQUERADE  all  --  any    any     anywhere             anywhere            

Chain OUTPUT (policy ACCEPT 31498 packets, 1893185 bytes)
    pkts      bytes target     prot opt in     out     source               destination    

After I telnet, I get the following result:

C:\Documents and Settings\ballah>telnet 10.13.1.17 8081
Connecting To 10.13.1.17...
 
Blaz commented:
Do you allow IP forwarding?
cat /proc/sys/net/ipv4/ip_forward

If the result is 0 write:
echo 1 > /proc/sys/net/ipv4/ip_forward
 
tballah (Author) commented:
Hello Blaz:

Thank you for your fast response. I'm now home and I'll update you tomorrow when I work with that linux box.
 
tballah (Author) commented:
Dear Blaz:

After I enable ip forwarding by issuing this command:
echo 1 > /proc/sys/net/ipv4/ip_forward

Now everything is fine. Thanks
 
Blaz commented:
Note that you have to run this command on every reboot. That is, you can/should add it to the /etc/rc.local script.

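The pieces that came together across this thread (the PREROUTING DNAT rule from the question, the POSTROUTING MASQUERADE rule, enabling /proc/sys/net/ipv4/ip_forward, and making both survive a reboot) pulled together as one shell script. This is an added example; it is not code from the thread or from any of its participants. It reuses the thread's addresses and port. The function names, the narrowing of MASQUERADE to the forwarded flow only (the bare `-j MASQUERADE` suggested above source-NATs every packet leaving the box), the optional FORWARD-chain rules, and the use of /etc/sysctl.conf plus `service iptables save` (RHEL/CentOS 5) in place of /etc/rc.local are my assumptions. The NAT listing embedded in the script is a constructed copy of the counters shown above so that the counter check runs without root.

```shell
#!/bin/sh
# Added example (not from the thread): DNAT port forwarding with a narrowed
# MASQUERADE, plus the ip_forward check that turned out to be the missing piece.
# Addresses and port are the ones from the thread; everything else is assumed.

EXT_IP="10.13.1.17"          # address clients connect to (eth0 on the gateway)
EXT_PORT="8081"
INT_IP="192.168.107.50"      # internal host that really serves the port
INT_PORT="8081"
IP_FORWARD_FILE="${IP_FORWARD_FILE:-/proc/sys/net/ipv4/ip_forward}"

# Print the iptables commands, one per line, so they can be inspected (or
# tested) without root and without a netfilter-enabled kernel.
# - DNAT: rewrite the destination of inbound connections to the internal host.
# - MASQUERADE only for that flow, so the internal host answers via the gateway
#   (a bare "-j MASQUERADE" would rewrite all traffic leaving the box).
# - FORWARD rules: redundant with the thread's FORWARD policy ACCEPT, but they
#   are what is needed when the policy is DROP and they restrict forwarding
#   to this one flow. "-m state" is the match available on a 2.6.18 kernel.
build_rules() {
    printf '%s\n' \
      "iptables -t nat -A PREROUTING -p tcp -d $EXT_IP --dport $EXT_PORT -j DNAT --to-destination $INT_IP:$INT_PORT" \
      "iptables -t nat -A POSTROUTING -p tcp -d $INT_IP --dport $INT_PORT -j MASQUERADE" \
      "iptables -A FORWARD -p tcp -d $INT_IP --dport $INT_PORT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT" \
      "iptables -A FORWARD -p tcp -s $INT_IP --sport $INT_PORT -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Return 0 (true) when IP forwarding is enabled in the given sysctl file.
# The symptom in the thread (DNAT counter rising, client still failing) is
# what you see when this returns 1: the rewritten packets are handed to the
# forwarding path and silently dropped instead of reaching INT_IP.
ip_forward_enabled() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# Read "iptables -t nat -L -v -x" output on stdin and print the packet count
# of the first DNAT rule; a rising value proves the rule matches at all.
dnat_hits() {
    awk '$3 == "DNAT" { print $1; exit }'
}

# Constructed sample of the listing shown in the thread, for offline checks.
SAMPLE_NAT_LISTING='Chain PREROUTING (policy ACCEPT 164193 packets, 17192697 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       4      208 DNAT       tcp  --  any    any     anywhere             10.13.1.17          tcp dpt:tproxy to:192.168.107.50:8081

Chain POSTROUTING (policy ACCEPT 31302 packets, 1881381 bytes)
    pkts      bytes target     prot opt in     out     source               destination'

# Apply everything (run as root). Forwarding is enabled now and persisted in
# /etc/sysctl.conf; the rules are saved with "service iptables save", which on
# RHEL/CentOS 5 writes /etc/sysconfig/iptables for the iptables init script.
apply_fix() {
    echo 1 > "$IP_FORWARD_FILE"
    grep -q '^net.ipv4.ip_forward *= *1' /etc/sysctl.conf 2>/dev/null \
        || echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
    build_rules | while read -r cmd; do sh -c "$cmd"; done
    service iptables save
}

case "${1:-}" in
    apply) apply_fix ;;
    *)     build_rules                         # dry run: just show the rules
           if ip_forward_enabled "$IP_FORWARD_FILE"; then
               echo "ip_forward: enabled"
           else
               echo "ip_forward: DISABLED (the problem in this thread)"
           fi ;;
esac
```

Run it as `sh forward.sh apply` as root to install and persist the configuration; without the argument it only prints the rules and reports the ip_forward state. When checking counters by hand, add `-n` to `iptables -t nat -L -v -x` so ports are shown numerically (the thread's `dpt:tproxy` is port 8081 resolved through /etc/services).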