We help IT Professionals succeed at work.

IPTables NAT rules rules

493 Views
Last Modified: 2013-12-10
I'm setting up iptables as a NAT router

Basically I want DNAT as follows

84.24.130.18:8001 forwarding to 192.168.0.1:3389
84.24.130.18:8002 forwarding to 192.168.0.2:3389
84.24.130.18:8002 forwarding to 192.168.0.3:3389

Also allow SSH to the box

all other inbound traffic dropped

allow outbound traffic on 80,443 ONLY, drop anything else

eth0 is WAN side 84.24.130.18 , eth1 is LAN (192.168.0.0/24)


I have enabled forwarding in the kernel

Here are my rules so far

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8001 -j DNAT --to-destination 192.168.0.1:3389

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8002 -j DNAT --to-destination 192.168.0.2:3389

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8003 -j DNAT --to-destination 192.168.0.3:3389


iptables -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp --sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -i eth1 -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -i eth1 -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 9391 -d 192.168.0.1 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 9392 -d 192.168.0.2 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 3389 -d 192.168.0.3 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 9394 -d 192.168.0.4 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 9395 -d 192.168.0.5 -j ACCEPT


Sadly, none of it works! I am not able to get out on 80,443 and the DNAT does not work either..

What have I missed..?
Comment
Watch Question

CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Look at
 iptables -t filter -L --line-numbers
iptables -t NAT -L --line-numbers
iptables -t DNAT -L --line-numbers

You are using -A which adds the rule to the end and might.
http://www.centos.org/docs/4/html/rhel-sg-en-4/s1-firewall-ipt-fwd.html

You have to make sure that forwarding is enabled on your box.

While the above is for centos, iptables function the same under the various distros.  You may have a different front end to manage it.
Duncan RoeSoftware Developer
CERTIFIED EXPERT

Commented:
I always use this command to check iptables rules
{ set -x;for i in filter nat mangle raw;do iptables -t $i -n -v --line-numbers -L;done;set +x; } 2>&1|tee iptables.txt

Open in new window

If you could run that and post iptables.txt then I or anyone else should be able to help you further
Software Developer
CERTIFIED EXPERT
Commented:
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION

Author

Commented:
Many thanks Duncan - in the end the issue turned out to be a firewall that sits in front of the server network blocking connections from my workstation into the network the iptables box sits on, rather than anything with my rules (the IP of my machine had changed and we hadn't updated the rule)

I like the approach you outlined re logging and it helped me to confirm no packets from my machine were reaching the WAN interface on the box.

Gain unlimited access to on-demand training courses with an Experts Exchange subscription.

Get Access
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Empower Your Career
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE

Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions
Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.