Connection forwarding with iptables

Hi there,

I have a question related to iptables.

I would like to make a forwarding rule on my router (with iptables) to accomplish the following:
If an internet host (w.x.y.z) accesses the Internet IP of my router on a specified port (a.b.c.d:10000), the traffic should be forwarded to an Internet address on a specific port (e.f.g.h:2500).

Additional info:
The rule will be set on an asus wl500gp router with dd-wrt v24 sp1 firmware.
The Internet facing interface is ppp0.
The traffic should go through the router, and the packets sent to the destination (e.f.g.h:2500) should have as their source address the Internet IP of my router (from ppp0).
If possible, I would like to be able to limit the accepted connections based on a list of known IPs.

Legend:
w.x.y.z is the IP address of the host on the Internet that tries to initiate the connection
a.b.c.d is the public IP address of the router
e.f.g.h is the destination IP address to which the traffic will be forwarded.

I tried to search on this topic, but I only found articles that cover port forwarding in NAT environments, and in this scenario the forward is to the Internet too. I have beginner to medium knowledge of the Linux OS.

Do you know how this can be accomplished?

Please let me know if you need more information from my side.
Thank you in advance!
uid94130Asked:
The--CaptainCommented:
Ahhh - I see.  Here are the proper commands, given that w.x.y.z initiates a connection to a.b.c.d on port 10000, but needs in reality to communicate with e.f.g.h on port 2500 (I'm assuming tcp - change to udp if that's what you need)

iptables -t nat -A PREROUTING -p tcp --dport 10000 -s w.x.y.z -d a.b.c.d -j DNAT --to-destination e.f.g.h:2500
iptables -t nat -A POSTROUTING -p tcp --dport 2500 -s w.x.y.z -d e.f.g.h -j SNAT --to-source a.b.c.d

Notice I'm not adjusting (or even matching on) the source port.  It is unnecessary here, and should only be specified if it is completely necessary to satisfy some obscure element of an esoteric configuration.

Cheers,
-Jon

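The DNAT/SNAT pair above, written out as a small script (an added example, not Jon's or the asker's code): it restricts the forward to TCP port 10000 and to a list of permitted client IPs, and adds the ip_forward and FORWARD-chain pieces a WAN-to-WAN hairpin on ppp0 also needs. The addresses are the thread's placeholders; the `preview` mode and the `run` helper are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: the PREROUTING/DNAT and POSTROUTING/SNAT rules Jon
# describes, limited to port 10000 and to known client IPs. Addresses are placeholders.
WAN_IF=ppp0
ROUTER_IP=a.b.c.d      # placeholder: public IP on ppp0 (a.b.c.d in the question)
LISTEN_PORT=10000      # port clients connect to on the router
TARGET_IP=e.f.g.h      # placeholder: real destination host
TARGET_PORT=2500       # port on the destination host
ALLOWED="w.x.y.z"      # space-separated list of client IPs allowed to use the forward

# With DRY_RUN=1 the commands are printed instead of executed, so they can be reviewed first.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

forward_rules() {
    # The kernel must route between interfaces for the packet to go back out on ppp0.
    run sysctl -w net.ipv4.ip_forward=1
    for client in $ALLOWED; do
        # 1. PREROUTING/DNAT: rewrite a.b.c.d:10000 -> e.f.g.h:2500 before the routing decision.
        #    Matching -p tcp and --dport keeps every other port (80, 443, ...) unaffected.
        run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp -s "$client" -d "$ROUTER_IP" \
            --dport "$LISTEN_PORT" -j DNAT --to-destination "$TARGET_IP:$TARGET_PORT"
        # 2. FORWARD: the translated packet must also pass the filter table, which a
        #    default-DROP forward policy would otherwise block.
        run iptables -A FORWARD -i "$WAN_IF" -o "$WAN_IF" -p tcp -s "$client" -d "$TARGET_IP" \
            --dport "$TARGET_PORT" -j ACCEPT
    done
    # Replies travel the reverse path; conntrack undoes both translations automatically,
    # but the filter table still has to let the established flow through.
    run iptables -A FORWARD -i "$WAN_IF" -o "$WAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 3. POSTROUTING/SNAT: after routing, stamp the router's own address as source so the
    #    destination replies to the router rather than directly to the client. On a PPP link
    #    with a dynamic address, -j MASQUERADE (no --to-source) tracks the current IP instead.
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -p tcp -d "$TARGET_IP" --dport "$TARGET_PORT" \
        -j SNAT --to-source "$ROUTER_IP"
}

# Preview with `sh forward.sh preview`; apply (as root, on the router) with `sh forward.sh apply`.
case "${1:-}" in
    preview) DRY_RUN=1; forward_rules ;;
    apply)   forward_rules ;;
esac
```

Add one IP per entry to ALLOWED to extend the known-client list; clients not listed never match the DNAT rule and simply reach the router's own port 10000 (or nothing) as before.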
The--CaptainCommented:
"but I only found articles that cover port forwarding in NAT"

That is because NAT is absolutely required for this to work.

You will need a DNAT rule to actually forward the connection, and an SNAT rule to adjust the source so that the client is not confused by the replies.

The principles are explained in an article I recently wrote.

http://www.experts-exchange.com/articles/Networking/Misc/Perhaps-the-most-common-NAT-problem-AKA-why-can%27t-I-reach-my-server-on-its-external-IP-from-an-internal-IP.html

The only difference is your client and server are on the other side of the router.  The solution is identical.

Cheers,
-Jon
uid94130Author Commented:
Hi Jon,

Thank you for the feedback! But, please consider that I am a newbie on Linux OS. ;)

Should it look somehow like this?

iptables -t nat -A PREROUTING -i ppp0 -o ppp0 -p tcp -s w.x.y.z SNAT --to-source a.b.c.d:10000 -j DNAT --to-destination e.f.g.h:2500
Please guide me to the right path.

Thank you in advance!
Olivian
The--CaptainCommented:
No.  DNAT is PREROUTING, SNAT is POSTROUTING, and you can't combine them into a single statement like that.  However, the solution is still not that bad:

iptables -t nat -A PREROUTING -s w.x.y.z -d a.b.c.d -j DNAT --to-destination e.f.g.h
iptables -t nat -A POSTROUTING -s w.x.y.z -d e.f.g.h -j SNAT --to-source a.b.c.d

You can add destination port specifiers if you like, but I wouldn't add source port specifiers unless you really know what you're doing, and you should have a "--dport <portnum>" specifier if you are going to use a port specifier in your "--to-destination" argument.

Cheers,
-Jon
uid94130Author Commented:
So, to do the following:
w.x.y.z  -> a.b.c.d:10000 -> e.f.g.h:2500

I could write something like this?
iptables -t nat -A PREROUTING -s w.x.y.z -d a.b.c.d -j DNAT --to-destination e.f.g.h --dport 2500
iptables -t nat -A POSTROUTING -s w.x.y.z -d e.f.g.h -j SNAT --to-source a.b.c.d --sport 10000

I write this, because only a connection to port 10000 should be forwarded. Other connections (like 443, 80 and so on) should be handled normally.
I fear that the command I just wrote would make all the connections from w.x.y.z to be routed to port 10000. Or?

Thank you for your patience! :)
The--CaptainCommented:
That doesn't look quite right (again, you're trying to adjust source ports, which I don't think is what you want) - Also, can you tell me what relation port 2500 has to all this?

Cheers,
-Jon
The--CaptainCommented:
Never mind - I spoke too quickly about the source ports.  That looks OK except for maybe the position of the arguments.  I still wonder about port 2500...
uid94130Author Commented:
The internet host (w.x.y.z) will try to access the address a.b.c.d:10000
a.b.c.d is the router (asus wl500gp with dd-wrt v24 sp1)

The router should translate the connection and forward it to a different host on the Internet, e.f.g.h:2500.

The end result will be that w.x.y.z accesses e.f.g.h:2500, but it opens the connection to a.b.c.d:10000.
uid94130Author Commented:
I tried the 2 commands, but it returned "segmentation fault" on both commands...
Could it be something wrong on the version of iptables that I have?
iptables -V
iptables v1.3.7


The--CaptainCommented:
Sounds like a WRT problem now, and unfortunately I would have no idea how to fix that other than to possibly try a different WRT image (or ask someone who deals with WRTs on a regular basis).

Cheers,
-Jon
uid94130Author Commented:
I could not test the commands on the router, but it's most likely that a different iptables version would do the job.