Connection forwarding with iptables

Hi there,

I have a question related to iptables.

I would like to make a forwarding rule on my router (with iptables) to accomplish the following:
If an internet host (w.x.y.z) accesses the Internet IP of my router on a specified port (a.b.c.d:10000), the traffic should be forwarded to an Internet address on a specific port (e.f.g.h:2500).

Additional info:
The rule will be set on an asus wl500gp router with dd-wrt v24 sp1 firmware.
The Internet facing interface is ppp0.
The traffic should go through the router, and the packets sent to the destination (e.f.g.h:2500) should have the Internet IP of my router (from ppp0) as their source address.
If possible, I would like to be able to limit the accepted connections based on a list of known IPs.

Legend:
w.x.y.z is the IP address of the host on the Internet that tries to initiate the connection
a.b.c.d is the public IP address of the router
e.f.g.h is the destination IP address to which the traffic will be forwarded.

I tried to search on this topic, but I only found articles that cover port forwarding in NAT environments, and in this scenario the forward is to the Internet too. I have beginner to medium knowledge of the Linux OS.

Do you know how this can be accomplished?

Please let me know if you need more information from my side.
Thank you in advance!
uid94130 Asked:
The--Captain Commented:
"but I only found articles that cover port forwarding in NAT"

That is because NAT is absolutely required for this to work.

You will need a DNAT rule to actually forward the connection, and an SNAT rule to adjust the source so that the client is not confused by the replies.

The principles are explained in an article I recently wrote.

http://www.experts-exchange.com/articles/Networking/Misc/Perhaps-the-most-common-NAT-problem-AKA-why-can%27t-I-reach-my-server-on-its-external-IP-from-an-internal-IP.html

The only difference is your client and server are on the other side of the router.  The solution is identical.

Cheers,
-Jon
0
uid94130 (Author) Commented:
Hi Jon,

Thank you for the feedback! But, please consider that I am a newbie on Linux OS. ;)

Should it look somehow like this?

iptables -t nat -A PREROUTING -i ppp0 -o ppp0 -p tcp -s w.x.y.z SNAT --to-source a.b.c.d:10000 -j DNAT --to-destination e.f.g.h:2500
Please guide me to the right path.

Thank you in advance!
Olivian
0
The--Captain Commented:
No.  DNAT is PREROUTING, SNAT is POSTROUTING, and you can't combine them into a single statement like that.  However, the solution is still not that bad:

iptables -t nat -A PREROUTING -s w.x.y.z -d a.b.c.d -j DNAT --to-destination e.f.g.h
iptables -t nat -A POSTROUTING -s w.x.y.z -d e.f.g.h -j SNAT --to-source a.b.c.d

You can add destination port specifiers if you like, but I wouldn't add source port specifiers unless you really know what you're doing, and you should have a "--dport <portnum>" specifier if you are going to use a port specifier in your "--to-destination" argument.

Cheers,
-Jon
0
uid94130 (Author) Commented:
So, to do the following:
w.x.y.z  -> a.b.c.d:10000 -> e.f.g.h:2500

I could write something like this?
iptables -t nat -A PREROUTING -s w.x.y.z -d a.b.c.d -j DNAT --to-destination e.f.g.h --dport 2500
iptables -t nat -A POSTROUTING -s w.x.y.z -d e.f.g.h -j SNAT --to-source a.b.c.d --sport 10000

I write this because only a connection to port 10000 should be forwarded. Other connections (like 443, 80 and so on) should be handled normally.
I fear that the command I just wrote would cause all the connections from w.x.y.z to be routed to port 10000. Or?

Thank you for your patience! :)
0
The--Captain Commented:
That doesn't look quite right (again, you're trying to adjust source ports, which I don't think is what you want) - Also, can you tell me what relation port 2500 has to all this?

Cheers,
-Jon
0
The--Captain Commented:
Never mind - I spoke too quickly about the source ports.  That looks OK except for maybe the position of the arguments.  I still wonder about port 2500...
0
uid94130 (Author) Commented:
The internet host (w.x.y.z) will try to access the address a.b.c.d:10000
a.b.c.d is the router (asus wl500gp with dd-wrt v24 sp1)

The router should translate the connection and forward it to a different host on the Internet, e.f.g.h:2500.

The end result will be that w.x.y.z will access e.f.g.h:2500, but he opens the connection to a.b.c.d:10000.
0
The--Captain Commented:
Ahhh - I see.  Here are the proper commands, given that w.x.y.z initiates a connection to a.b.c.d on port 10000, but needs in reality to communicate with e.f.g.h on port 2500 (I'm assuming tcp - change to udp if that's what you need).

iptables -t nat -A PREROUTING -p tcp --dport 10000 -s w.x.y.z -d a.b.c.d -j DNAT --to-destination e.f.g.h:2500
iptables -t nat -A POSTROUTING -p tcp --dport 2500 -s w.x.y.z -d e.f.g.h -j SNAT --to-source a.b.c.d

Notice I'm not adjusting (or even matching on) the source port.  It is unnecessary here, and should only be specified if it is completely necessary to satisfy some obscure element of an esoteric configuration.

Cheers,
-Jon

0
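The two rules above do the translation, but a router also passes forwarded packets through its FORWARD chain, and the question asked for a list of permitted source addresses. The following POSIX sh generator is an added example, not a command from the thread or from dd-wrt: it builds Jon's DNAT and POSTROUTING SNAT rules for every address in an allowlist, pins them to the WAN interface (ppp0), and adds the FORWARD entries the flow needs, then prints the commands so they can be reviewed before they are run with `sh`. The function names, the FORWARD-chain handling, the use of `-m state` (chosen because it exists on old iptables builds such as the v1.3.7 mentioned below) and the requirement that `/proc/sys/net/ipv4/ip_forward` be 1 are my assumptions, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the thread): generate the iptables commands for
# "w.x.y.z -> a.b.c.d:10000 -> e.f.g.h:2500" for a list of permitted sources.
# Assumptions (mine): forwarded packets traverse the FORWARD chain, which may
# default to DROP on a router image, and net.ipv4.ip_forward must be 1.
#
# Usage: gen_forward_rules WAN_IF ROUTER_IP LISTEN_PORT DEST_IP DEST_PORT "IP1 IP2 ..."
gen_forward_rules() {
    wan_if=$1
    router_ip=$2
    listen_port=$3
    dest_ip=$4
    dest_port=$5
    allowed=$6

    # Replies belonging to an already-translated flow are recognised by
    # connection tracking, so one rule covers every permitted source.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"

    for src in $allowed; do
        # 1. PREROUTING/DNAT: rewrite destination ROUTER_IP:LISTEN -> DEST_IP:DEST
        echo "iptables -t nat -A PREROUTING -i $wan_if -p tcp -s $src -d $router_ip --dport $listen_port -j DNAT --to-destination $dest_ip:$dest_port"
        # 2. FORWARD: admit the new flow; it arrives and leaves on the WAN interface
        echo "iptables -A FORWARD -i $wan_if -o $wan_if -p tcp -s $src -d $dest_ip --dport $dest_port -m state --state NEW -j ACCEPT"
        # 3. POSTROUTING/SNAT: the destination is already rewritten at this point,
        #    so match on DEST_IP and replace the source with the router's public IP
        echo "iptables -t nat -A POSTROUTING -o $wan_if -p tcp -s $src -d $dest_ip --dport $dest_port -j SNAT --to-source $router_ip"
    done

    # Any other attempt to use the router as a relay between two WAN hosts is
    # dropped (harmless if the chain policy already drops).  Traffic to the
    # router itself (80, 443, ...) goes through INPUT, not FORWARD, and is
    # unaffected.
    echo "iptables -A FORWARD -i $wan_if -o $wan_if -j DROP"
}

# Number of permitted sources in a generated rule set (one DNAT rule per source).
count_sources() {
    echo "$1" | grep -c -- '-j DNAT'
}

# Print the rule set for the thread's placeholders; pipe into sh to apply.
gen_forward_rules ppp0 a.b.c.d 10000 e.f.g.h 2500 "w.x.y.z"
```

Substitute real addresses for the placeholders, run `gen_forward_rules ... | sh` as root, and confirm with `iptables -t nat -L -n -v` that the counters on the DNAT and SNAT rules increase when the permitted host connects; a connection from an address outside the list never matches the DNAT rule and is simply delivered to the router's own port 10000, where nothing should be listening.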
uid94130 (Author) Commented:
I tried the 2 commands, but it returned "segmentation fault" on both commands...
Could it be something wrong on the version of iptables that I have?
iptables -V
iptables v1.3.7


0
The--Captain Commented:
Sounds like a WRT problem now, and unfortunately I would have no idea how to fix that other than to possibly try a different WRT image (or ask someone who deals with WRTs on a regular basis).

Cheers,
-Jon
0
uid94130 (Author) Commented:
I could not test the commands on the router, but it's most likely that a different iptables version would do the job.
0