iptables port forwarding DNAT is not working on

Asked by tballah (Medium Priority, 1,981 Views, Last Modified: 2013-11-16)
I face a problem that I have not succeeded in configuring port forwarding on a linux box. When I use iptables -L to list the configuration I see only the default policy, which is "ACCEPT", and I cannot see the configuration for DNAT, i.e. the port forwarding that I added. After I added it using the commands below:

[root@gwserver log]# /sbin/iptables -t nat -F
[root@gwserver log]# /sbin/iptables -t nat -A PREROUTING -p tcp -d 10.13.1.17 --dport 8081 -j DNAT --to-destination 192.168.107.50:8081

then I use "iptables -L" and I see nothing changed.

Could you help figure out and check my configuration?
[root@gwserver log]# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:1E:0B:62:11:4E  
          inet addr:10.13.1.17  Bcast:10.13.1.255  Mask:255.255.255.0
          inet6 addr: fe80::21e:bff:fe62:114e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2114764278 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2188537282 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2724035159 (2.5 GiB)  TX bytes:3419229934 (3.1 GiB)
          Interrupt:185 Memory:f8000000-f8012100 
 
eth1      Link encap:Ethernet  HWaddr 00:1E:0B:62:11:48  
          inet addr:192.168.105.220  Bcast:192.168.105.255  Mask:255.255.255.0
          inet6 addr: fe80::21e:bff:fe62:1148/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2462218706 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1824303729 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1682170666 (1.5 GiB)  TX bytes:3807574811 (3.5 GiB)
          Interrupt:82 Memory:fa000000-fa012100 
 
[root@gwserver log]# chkconfig --list | grep iptables
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
 
[root@gwserver log]# uname -r
2.6.18-53.el5PAE
 
[root@gwserver log]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
 
[root@gwserver log]# /sbin/iptables -t nat -F
[root@gwserver log]# /sbin/iptables -t nat -A PREROUTING -p tcp -d 10.13.1.17 --dport 8081 -j DNAT --to-destination 192.168.107.50:8081
[root@gwserver log]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@gwserver log]#

Commented:
try:
iptables -t nat -L

you could add -v -x to get some more info:
iptables -t nat -L -v -x
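
The point of the verbose listing is the packet counter in front of each rule: it tells you whether the DNAT rule is being hit at all, which separates "rule not installed" from "rule matched but the packet goes nowhere afterwards". The helper below is an added example, not part of the thread, that reads such a listing and reports the hits per DNAT rule. The listing embedded as a constant is the PREROUTING table posted later in this thread. Note that without -n iptables resolves port 8081 to its /etc/services name "tproxy", which is why the thread's listing shows "dpt:tproxy"; adding -n keeps the ports numeric.

```shell
#!/bin/sh
# Added example (not from the thread): read a saved `iptables -t nat -L -v -x -n`
# listing and report which DNAT rules have matched traffic.
# SAMPLE_LISTING is the listing posted in this thread, embedded so the script
# runs without root or a live box (constructed input for the example).

SAMPLE_LISTING='Chain PREROUTING (policy ACCEPT 164193 packets, 17192697 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       4      208 DNAT       tcp  --  any    any     anywhere             10.13.1.17          tcp dpt:tproxy to:192.168.107.50:8081

Chain POSTROUTING (policy ACCEPT 31302 packets, 1881381 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 31302 packets, 1881381 bytes)
    pkts      bytes target     prot opt in     out     source               destination'

# dnat_hits LISTING
# Prints one line per DNAT rule: "<chain> <packets matched> <rewritten destination>".
# In -v output the line starts with the pkts and bytes counters, so the
# target name is the third field.
dnat_hits() {
    printf '%s\n' "$1" | awk '
        /^Chain /     { chain = $2 }
        $3 == "DNAT"  {
            to = "?"
            for (i = 1; i <= NF; i++) if ($i ~ /^to:/) to = substr($i, 4)
            print chain, $1, to
        }'
}

# dnat_packets LISTING
# Total packets matched by all DNAT rules; 0 when there is no DNAT rule at
# all (for example when the rule was added to the filter table by mistake).
dnat_packets() {
    dnat_hits "$1" | awk '{ s += $2 } END { print s + 0 }'
}

# Against a live box (as root):  dnat_hits "$(iptables -t nat -L -v -x -n)"
dnat_hits "$SAMPLE_LISTING"
```

Run it twice around a test connection: if the counter grows but the client still gets no answer, the rule is fine and the problem lies after the rewrite (forwarding disabled, or no route back), which is exactly the situation the rest of this thread works through.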

Author

Commented:
This is the output of command "iptables -t nat -L -v -x"

[root@gwserver ~]# iptables -t nat -L -v -x
Chain PREROUTING (policy ACCEPT 164193 packets, 17192697 bytes)
    pkts      bytes target     prot opt in     out     source               destination        
       4      208 DNAT       tcp  --  any    any     anywhere             10.13.1.17          tcp dpt:tproxy to:192.168.107.50:8081

Chain POSTROUTING (policy ACCEPT 31302 packets, 1881381 bytes)
    pkts      bytes target     prot opt in     out     source               destination        

Chain OUTPUT (policy ACCEPT 31302 packets, 1881381 bytes)
    pkts      bytes target     prot opt in     out     source               destination        
[root@gwserver ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

I try to telnet to 10.13.1.17 on port 8081 ("telnet 10.13.1.17 8081"), then I use "iptables -t nat -L -v -x" and I can see that some packets reached this linux box, but I still cannot succeed:

C:\Documents and Settings\ballah>telnet 10.13.1.17 8081
Connecting To 10.13.1.17...Could not open connection to the host, on port 8081:
Connect failed

From the linux box I can successfully telnet to port 8081:

[root@gwserver ~]# telnet 192.168.107.50 8081
Trying 192.168.107.50...
Connected to 192.168.107.50 (192.168.107.50).
Escape character is '^]'.

What else should I configure to enable me to successfully telnet to 10.13.1.17  with port 8081?

Commented:
Try to add:
iptables -t nat -A POSTROUTING -j MASQUERADE

Author

Commented:
[root@gwserver ~]# iptables -t nat -L -v -x
Chain PREROUTING (policy ACCEPT 165349 packets, 17315830 bytes)
    pkts      bytes target     prot opt in     out     source               destination        
       4      208 DNAT       tcp  --  any    any     anywhere             10.13.1.17          tcp dpt:tproxy to:192.168.107.50:8081

Chain POSTROUTING (policy ACCEPT 31492 packets, 1892816 bytes)
    pkts      bytes target     prot opt in     out     source               destination        
       6      369 MASQUERADE  all  --  any    any     anywhere             anywhere            

Chain OUTPUT (policy ACCEPT 31498 packets, 1893185 bytes)
    pkts      bytes target     prot opt in     out     source               destination    

After I telnet I get the result as follows:

C:\Documents and Settings\ballah>telnet 10.13.1.17 8081
Connecting To 10.13.1.17...

Commented:
Do you allow IP forwarding?
cat /proc/sys/net/ipv4/ip_forward

If the result is 0 write:
echo 1 > /proc/sys/net/ipv4/ip_forward


Author

Commented:
Hello Blaz:

Thank you for your fast response. I'm now home and I'll update you tomorrow when I work with that linux box.

Author

Commented:
Dear Blaz:

After I enabled IP forwarding by issuing this command:
echo 1 > /proc/sys/net/ipv4/ip_forward

now everything is fine. Thanks.

Commented:
Note that you have to run this command on every reboot. That is, you can/should add it to the /etc/rc.local script.
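
The thread ends with three separate pieces (the DNAT rule, a MASQUERADE rule and ip_forward) added by hand. The script below is an added example, not something posted in the thread, that assembles the same configuration in a reviewable form: DRY_RUN=1 (the default) only prints the iptables commands so they can be checked before touching a live box, DRY_RUN=0 executes them and needs root. The interface names eth0/eth1 and the addresses are taken from the question and are assumptions for any other host. It goes slightly beyond the thread in two ways: the MASQUERADE rule is restricted to the forwarded flow instead of rewriting every packet that leaves the box, and explicit FORWARD rules are added so the forward still works if the FORWARD policy is later changed from ACCEPT to DROP.

```shell
#!/bin/sh
# Added example (not from the thread): the full port-forward setup as a script.
# DRY_RUN=1 prints the commands only; DRY_RUN=0 runs them (needs root).
# Interface names and addresses are those from the question (assumptions).

WAN_IF=${WAN_IF:-eth0}   # interface holding the front address 10.13.1.17
LAN_IF=${LAN_IF:-eth1}   # interface through which 192.168.107.50 is reached
DRY_RUN=${DRY_RUN:-1}

# run CMD...: print the command in dry-run mode, otherwise execute it
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# ip_forward_enabled [path]
# Succeeds when the kernel forwards IPv4. The optional path lets the check
# be exercised against a file other than /proc (used by the test).
ip_forward_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# forward_tcp PUBLIC_IP PUBLIC_PORT TARGET_IP TARGET_PORT
# 1. DNAT in nat/PREROUTING: the rule from the question, limited to $WAN_IF.
# 2. MASQUERADE in nat/POSTROUTING limited to this flow (the thread used an
#    unrestricted rule). Only needed when the target's route back to the
#    client does not already pass through this box.
# 3. FORWARD accepts for the flow and its replies, so the forward survives
#    a FORWARD policy of DROP.
forward_tcp() {
    pub_ip=$1; pub_port=$2; dst_ip=$3; dst_port=$4
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$pub_ip" --dport "$pub_port" \
        -j DNAT --to-destination "$dst_ip:$dst_port"
    run iptables -t nat -A POSTROUTING -o "$LAN_IF" -p tcp -d "$dst_ip" --dport "$dst_port" \
        -j MASQUERADE
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$dst_ip" --dport "$dst_port" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# enable_forwarding: the step that actually fixed the problem in the thread.
# sysctl -w is the same as writing 1 to /proc/sys/net/ipv4/ip_forward.
enable_forwarding() {
    if ip_forward_enabled; then
        echo "# ip_forward already enabled"
    else
        run sysctl -w net.ipv4.ip_forward=1
    fi
    echo "# to persist: net.ipv4.ip_forward = 1 in /etc/sysctl.conf; 'service iptables save' on RHEL/CentOS 5"
}

forward_tcp 10.13.1.17 8081 192.168.107.50 8081
enable_forwarding
```

Two things worth checking after applying it. First, with ip_forward=1 and a FORWARD policy of ACCEPT (the state shown in the question) the box routes any traffic between its interfaces, not just port 8081; the explicit FORWARD rules above are what make a DROP policy possible. Second, the MASQUERADE rule replaces the client's source address with the gateway's, so the target at 192.168.107.50 logs every forwarded connection as coming from this box; leave that rule out when the target's default route already returns through the gateway, and the target keeps seeing the real client addresses.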
