iptables port forwarding DNAT is not working on

I have a problem: I could not succeed in configuring port forwarding on a Linux box. When I use iptables -L to list the configuration I see only the default policy, which is "ACCEPT", and I cannot see the DNAT configuration, i.e. the port forwarding that I added. I added it using the commands below:

[root@gwserver log]# /sbin/iptables -t nat -F
[root@gwserver log]# /sbin/iptables -t nat -A PREROUTING -p tcp -d 10.13.1.17 --dport 8081 -j DNAT --to-destination 192.168.107.50:8081

Then I use "iptables -L" and I see nothing changed.

Could you help me figure this out and check my configuration?

[root@gwserver log]# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:1E:0B:62:11:4E  
          inet addr:10.13.1.17  Bcast:10.13.1.255  Mask:255.255.255.0
          inet6 addr: fe80::21e:bff:fe62:114e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2114764278 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2188537282 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2724035159 (2.5 GiB)  TX bytes:3419229934 (3.1 GiB)
          Interrupt:185 Memory:f8000000-f8012100 
 
eth1      Link encap:Ethernet  HWaddr 00:1E:0B:62:11:48  
          inet addr:192.168.105.220  Bcast:192.168.105.255  Mask:255.255.255.0
          inet6 addr: fe80::21e:bff:fe62:1148/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2462218706 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1824303729 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1682170666 (1.5 GiB)  TX bytes:3807574811 (3.5 GiB)
          Interrupt:82 Memory:fa000000-fa012100 
 
[root@gwserver log]# chkconfig --list | grep iptables
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
 
[root@gwserver log]# uname -r
2.6.18-53.el5PAE
 
[root@gwserver log]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
 
[root@gwserver log]# /sbin/iptables -t nat -F
[root@gwserver log]# /sbin/iptables -t nat -A PREROUTING -p tcp -d 10.13.1.17 --dport 8081 -j DNAT --to-destination 192.168.107.50:8081
[root@gwserver log]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@gwserver log]#

tballah asked:

Blaz commented:
do you allow ip forwarding?
cat /proc/sys/net/ipv4/ip_forward

If the result is 0 write:
echo 1 > /proc/sys/net/ipv4/ip_forward

Blaz commented:
try:
iptables -t nat -L

you could add -v -x to get some more info:
iptables -t nat -L -v -x

tballah (author) commented:
This is the output of the command "iptables -t nat -L -v -x":

[root@gwserver ~]# iptables -t nat -L -v -x
Chain PREROUTING (policy ACCEPT 164193 packets, 17192697 bytes)
    pkts      bytes target     prot opt in     out     source               destination        
       4      208 DNAT       tcp  --  any    any     anywhere             10.13.1.17          tcp dpt:tproxy to:192.168.107.50:8081

Chain POSTROUTING (policy ACCEPT 31302 packets, 1881381 bytes)
    pkts      bytes target     prot opt in     out     source               destination        

Chain OUTPUT (policy ACCEPT 31302 packets, 1881381 bytes)
    pkts      bytes target     prot opt in     out     source               destination        
[root@gwserver ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

I try to telnet to 10.13.1.17 on port 8081 ("telnet 10.13.1.17 8081"), then I use "iptables -t nat -L -v -x" and I can see that some packets reached this Linux box, but I still cannot succeed:

C:\Documents and Settings\ballah>telnet 10.13.1.17 8081
Connecting To 10.13.1.17...Could not open connection to the host, on port 8081:
Connect failed

From the Linux box I can successfully telnet to port 8081:

[root@gwserver ~]# telnet 192.168.107.50 8081
Trying 192.168.107.50...
Connected to 192.168.107.50 (192.168.107.50).
Escape character is '^]'.

What else should I configure to enable me to successfully telnet to 10.13.1.17 on port 8081?

Blaz commented:
Try to add:
iptables -t nat -A POSTROUTING -j MASQUERADE

tballah (author) commented:
[root@gwserver ~]# iptables -t nat -L -v -x
Chain PREROUTING (policy ACCEPT 165349 packets, 17315830 bytes)
    pkts      bytes target     prot opt in     out     source               destination        
       4      208 DNAT       tcp  --  any    any     anywhere             10.13.1.17          tcp dpt:tproxy to:192.168.107.50:8081

Chain POSTROUTING (policy ACCEPT 31492 packets, 1892816 bytes)
    pkts      bytes target     prot opt in     out     source               destination        
       6      369 MASQUERADE  all  --  any    any     anywhere             anywhere            

Chain OUTPUT (policy ACCEPT 31498 packets, 1893185 bytes)
    pkts      bytes target     prot opt in     out     source               destination    

After I telnet, I get the following result:

C:\Documents and Settings\ballah>telnet 10.13.1.17 8081
Connecting To 10.13.1.17...

tballah (author) commented:
Hello Blaz:

Thank you for your fast response. I'm now at home and I'll update you tomorrow when I work with that Linux box.

tballah (author) commented:
Dear Blaz:

After I enabled IP forwarding by issuing this command:
echo 1 > /proc/sys/net/ipv4/ip_forward

Now everything is fine. Thanks.

Blaz commented:
Note that you have to run this command on every reboot. That is, you can/should add it to the /etc/rc.local script.

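The thread's fix came down to two things: the nat table is only visible with "iptables -t nat -L", and DNAT does nothing until net.ipv4.ip_forward is 1. The script below is an added example, not code from the thread or its participants. It checks the forwarding state (against any file path, so it can be tested without touching procfs) and prints, without applying, a rule set for the thread's forward of 10.13.1.17:8081 to 192.168.107.50:8081. The addresses come from the thread; the interface name eth0 and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): check net.ipv4.ip_forward and build a
# DNAT port-forward rule set in dry-run form so it can be reviewed before it
# is applied as root. Addresses match the thread; eth0 is assumed.

PUBLIC_IP=10.13.1.17        # address clients connect to (eth0 in the thread)
FWD_PORT=8081
BACKEND=192.168.107.50      # host that really listens on 8081
WAN_IF=eth0                 # assumed: interface facing the clients

# Report the kernel forwarding state. Takes an optional path so it can be
# tested against a constructed file instead of the real procfs entry.
ip_forward_state() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] || { echo unknown; return 1; }
    case "$(cat "$f")" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown; return 1 ;;
    esac
}

# Print (do not run) the rules for one TCP port forward. Compared with the
# thread's "-j MASQUERADE" on all traffic, FORWARD only admits the forwarded
# flow plus replies, and source NAT is applied only to that flow. The
# FORWARD rules match the post-DNAT destination, which is what that chain sees.
build_forward_rules() {
    pub="$1"; port="$2"; backend="$3"; wan="$4"
    cat <<EOF
/sbin/iptables -t nat -A PREROUTING -i $wan -p tcp -d $pub --dport $port -j DNAT --to-destination $backend:$port
/sbin/iptables -A FORWARD -i $wan -p tcp -d $backend --dport $port -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -p tcp -d $backend --dport $port -j MASQUERADE
EOF
}

# Stand-alone run: show the current state and the rules that would be applied.
# To make forwarding survive a reboot, put "net.ipv4.ip_forward = 1" in
# /etc/sysctl.conf (or the echo from the thread in /etc/rc.local).
echo "ip_forward: $(ip_forward_state 2>/dev/null || true)"
build_forward_rules "$PUBLIC_IP" "$FWD_PORT" "$BACKEND" "$WAN_IF"
```

The POSTROUTING MASQUERADE line is only needed when the backend would route its replies somewhere other than through this gateway; it rewrites the client address to the gateway's, so the backend's own logs lose the real source. If 192.168.107.50 already routes back via the gateway, drop that line and keep the FORWARD rules, which are what actually restrict what reaches the backend.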
Question has a verified solution.