iptables nat port range centos 6.x

I can't seem to find much on this and all which I have is wrong.

How do I set up a port range forwarding to a nat'ed server using iptables?
All but the last one work.

-A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.122.100:443
-A PREROUTING -p tcp -m tcp --dport 5060 -j DNAT --to-destination 192.168.122.100:5060
-A PREROUTING -p udp -m udp --dport 5060 -j DNAT --to-destination 192.168.122.100:5060
-A PREROUTING -p udp -m udp --dport 5080 -j DNAT --to-destination 192.168.122.100:5080
#-A PREROUTING -p udp -m udp --dport 30000:31000 -j DNAT --to-destination 192.168.122.100
projectsAsked:
arnoldCommented:
You need to add the same entries on the INPUT chain to allow the connection to be made.
Is centos setup as a router?
Usually when centos is configured as a router it has an RH-firewall chain that is present in the input/prerouting/

iptables -t filter -L --line-numbers

iptables -t nat -L --line-numbers
projectsAuthor Commented:
Centos7, running KVM. The vm is a sipexecs server which basically only does message routing.

Everything works but I don't know how to enter a range of ports for a forwarding like the other examples I show.
arnoldCommented:
You have to have similar rules
-A input -m TCP -p TCP --dport 443 --to-DESTINATION 192.168 122.100:443 -j ACCEPT
projectsAuthor Commented:
Not understanding your answer. This is what I already do/have for single ports. I'm asking how do I create a RANGE of ports.
arnoldCommented:
You have it in your commented example
-A INPUT -m TCP --dport starting:ending -j ACCEPT

What service do you need to specify a port for? Usually only FTP requires a range of ports for the data connection. The FTP server has the configuration where you can control the range of ports allocated for that purpose.

You need an entry in input chain and in the prerouting chain to get an external packet through the firewall and to the natted internal system.
arnoldCommented:
Look at fwbuilder.org for the tool to manage iptables based firewall/router.
projectsAuthor Commented:
Arnold, guessing you didn't notice but it's SIP, ports 5060/5080 and a range for udp, in this case, 30000:31000.

That rule is commented because that's my question, trying to find out how to set that rule for a range of ports.
arnoldCommented:
I looked at your example, 5060 and 5080 were listed individually. You had the range reference example commented out.
-m udp -p udp --dport 5060:5080 in prerouting with -DNAT AND -j ACCEPT IN INPUT.
projectsAuthor Commented:
The ports 5060 and 5080 are individual, not a range. The commented out line is the range which doesn't work and that is my question, asking how I can enter that range.
arnoldCommented:
Are you getting an error on the 30000:31000 with the ip as the destinations?
projectsAuthor Commented:
No, because it's not a valid entry so iptables doesn't even start. That's why I'm looking for a solution which allows me to enter the correct format.

Centos7, iptables.
arnoldCommented:
Add the module to your line -mark multiport
-A PREROUTING -m udp -p udp  -mark multiport --dport 30000:31000 -DNAT --to-destination 192.168.122.100
Look at the iptables man pages.
projectsAuthor Commented:
PLEASE don't tell me to look at the freaking manual.
I PAY for this site because I don't want to hear that in forums!
I also cannot pretend to know everything there is to know so ask for help in areas which I am not 100% familiar with. I don't even have time to know it all.

So... that said, have you read it? :)

# journalctl -xn
-- Logs begin at Tue 2015-09-29 15:39:49 EDT, end at Thu 2015-11-05 10:56:37 EST. --
Nov 05 10:56:37 kvm.mydomain.com systemd[1]: Starting IPv4 firewall with iptables...
-- Subject: Unit iptables.service has begun with start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit iptables.service has begun starting up.
Nov 05 10:56:37 kvm.mydomain.com systemd[1]: Failed to reset devices.list on /machine.slice: Invalid argument
Nov 05 10:56:37 kvm.mydomain.com kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
Nov 05 10:56:37 kvm.mydomain.com iptables.init[7702]: iptables: Applying firewall rules: iptables-restore v1.4.21: Couldn't load m
Nov 05 10:56:37 kvm.mydomain.com iptables.init[7702]: Error occurred at line: 33
Nov 05 10:56:37 kvm.mydomain.com iptables.init[7702]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Nov 05 10:56:37 kvm.mydomain.com iptables.init[7702]: [FAILED]
Nov 05 10:56:37 kvm.mydomain.com systemd[1]: iptables.service: main process exited, code=exited, status=1/FAILURE
Nov 05 10:56:37 kvm.mydomain.com systemd[1]: Failed to start IPv4 firewall with iptables.
-- Subject: Unit iptables.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit iptables.service has failed.
--
-- The result is failed.
Nov 05 10:56:37 kvm.mydomain.com systemd[1]: Unit iptables.service entered failed state.


arnoldCommented:
Post
iptables -t filter -L --line-numbers
iptables -t nat -L --line-numbers

While iptables are running,
iptables -A PREROUTING -m udp -p udp --mark multiport --dports 30000:31000 -j DNAT --to-destination 192.168.122.100
What happens?

There are tools such as fwbuilder.sourceforge.net ...
Centos 7 has two options iptables or firewalld for the firewall.
projectsAuthor Commented:
Yes, in this case, I need to use iptables on this server. I prefer not using a tool to manage iptables. Everything works fine other than my needing to find out how to solve this range addition problem.

Here are the results you wanted.

# iptables -t filter -L --line-numbers
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
2    ACCEPT     all  --  anywhere             anywhere
3    ACCEPT     all  --  anywhere             anywhere
4    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http
5    ACCEPT     tcp  --  xx.xx.xx.xx  anywhere             tcp dpt:4888 /* SSH_Remote */
6    ACCEPT     tcp  --  xx.xx.xx.xx  anywhere             tcp dpt:mysql /* MySQL_Remote */
7    ACCEPT     tcp  --  xx.xx.xx.xx  anywhere             tcp dpt:ms-wbt-server /* RDP_Remote */
8    ACCEPT     tcp  --  xx.xx.xx.xx  anywhere             tcp dpt:rfb /* VNC_Remote */
9    ACCEPT     tcp  --  xx.xx.xx.xx  anywhere             tcp dpt:ndmp /* Webmin_Remote */
10   REJECT     all  --  xx.xx.xx.x1       anywhere             reject-with icmp-port-unreachable
11   REJECT     all  --  xx.xx.xx.x1       anywhere             reject-with icmp-port-unreachable
12   REJECT     all  --  sint.km.ua           anywhere             reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain AT (0 references)
num  target     prot opt source               destination

Chain web_limit (0 references)
num  target     prot opt source               destination

---

# iptables -t nat -L --line-numbers
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    DNAT       tcp  --  anywhere             anywhere     tcp dpt:https to:192.168.122.100:443
2    DNAT       tcp  --  anywhere             anywhere     tcp dpt:sip to:192.168.122.100:5060
3    DNAT       udp  --  anywhere             anywhere     udp dpt:sip to:192.168.122.100:5060
4    DNAT       udp  --  anywhere             anywhere     udp dpt:onscreen to:192.168.122.100:5080
5    DNAT       tcp  --  xx.xx.xx.xx  anywhere             tcp dpt:ssh to:192.168.122.100:22
6    DNAT       tcp  --  anywhere             anywhere     tcp dpt:intermapper to:192.168.122.194:80
7    DNAT       tcp  --  xx.xx.xx.xx  anywhere             tcp dpt:4194 to:192.168.122.194:4194
8    DNAT       tcp  --  xx.xx.xx.xx  anywhere             tcp dpt:10194 to:192.168.122.194:10194
9    DNAT       tcp  --  xx.xx.xx.xx  anywhere             tcp dpt:brlp-0 to:192.168.122.101:4101
10   DNAT       tcp  --  xx-xx-xx-xx.com.ar/16  anywhere   tcp dpt:webcache to:192.168.122.102:80
11   DNAT       tcp  --  xx-xx-xx-xx.com.ar/16  anywhere   tcp dpt:tproxy to:192.168.122.102:443
12   DNAT       tcp  --  xx-xx-xx-xx.com.ar/16  anywhere   tcp dpt:brlp-1 to:192.168.122.102:4102
13   DNAT       tcp  --  xx.xx.xx.xx  anywhere             tcp dpt:webcache to:192.168.122.102:80
14   DNAT       tcp  --  xx.xx.xx.xx  anywhere             tcp dpt:tproxy to:192.168.122.102:443
15   DNAT       tcp  --  xx.xx.xx.xx  anywhere             tcp dpt:brlp-1 to:192.168.122.102:4102
16   DNAT       tcp  --  xx.xx.xx.xx  anywhere             tcp dpt:ezproxy-2 to:192.168.122.102:10102

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    MASQUERADE  all  --  192.168.122.0/24     anywhere

---

# iptables -A PREROUTING -m udp -p udp --mark multiport --dports 30000:31000 -j DNAT --to-destination 192.168.122.100
iptables v1.4.21: unknown option "--mark"
Try `iptables -h' or 'iptables --help' for more information.


arnoldCommented:
Try the following

iptables -A PREROUTING -m udp -p udp -m multiport --dports 30000:31000 -j DNAT --to-destination 192.168.122.100

Try with the above, replacing --dports with --dport.
projectsAuthor Commented:
# iptables -A PREROUTING -m udp -p udp -m multiport --dport 30000:31000 -j DNAT --to-destination 192.168.122.100
iptables v1.4.21: multiport expection an option
Try `iptables -h' or 'iptables --help' for more information.
arnoldCommented:
iptables -t nat -A PREROUTING -m udp -p udp -m multiport --dports 30000:31000 -j DNAT  --to-destination 192.168.122.100

This should work.
I often prefer to use -I <CHAIN> n instead of -A <CHAIN>, where n is the line number at which this rule should be inserted.
--line-numbers makes the listing output include line numbers.
-A appends the rule to the end of the list.
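The two points made in this thread, that the forwarded range needs a nat-table DNAT rule plus a filter-table accept rule, and that multiport is loaded with -m multiport and takes --dports, are pulled together in the added script below. It is an added example, not code from the thread or from the iptables project. It only prints rules in the syntax iptables-restore reads (the format of /etc/sysconfig/iptables) and lints rule lines for the mistakes that appeared above; it never touches a live firewall. The guest address 192.168.122.100 and the range 30000:31000 come from the thread; the rule wording, the emit_ruleset and lint_rule helpers, and the conntrack match are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates the rules that forward a
# contiguous UDP port range to a NATed KVM guest and lints rule lines for the
# errors seen in the thread. Assumed: guest 192.168.122.100, range 30000:31000.

# nat-table rule: when --to-destination carries no port, DNAT keeps each
# packet's original destination port, which is exactly what a range needs.
range_dnat_rule() {
    proto=$1; range=$2; guest=$3
    printf '%s\n' "-A PREROUTING -p $proto -m $proto -m multiport --dports $range -j DNAT --to-destination $guest"
}

# filter-table rule: a DNATed packet is routed through the host, so it is
# checked in FORWARD rather than INPUT. With a FORWARD policy of DROP this
# rule is what lets the range reach the guest.
range_forward_rule() {
    proto=$1; range=$2; guest=$3
    printf '%s\n' "-A FORWARD -d $guest -p $proto -m $proto --dport $range -m conntrack --ctstate NEW -j ACCEPT"
}

# Complete fragment in iptables-restore format: one *table/COMMIT pair each.
emit_ruleset() {
    proto=$1; range=$2; guest=$3
    echo '*nat'
    range_dnat_rule "$proto" "$range" "$guest"
    echo 'COMMIT'
    echo '*filter'
    range_forward_rule "$proto" "$range" "$guest"
    echo 'COMMIT'
}

# Lint one rule line (hypothetical helper). Returns 0 when it looks right;
# otherwise prints the reason and returns 1. The checks are the errors from
# the thread plus the documented 15-entry limit of the multiport match.
lint_rule() {
    line=$1
    case "$line" in
        *"--mark multiport"*|*" -mark multiport"*)
            echo "multiport is a match module: load it with '-m multiport'"; return 1 ;;
        *"-m multiport"*"--dport "*)
            echo "multiport takes --dports/--sports (plural), not --dport"; return 1 ;;
        *" -DNAT "*)
            echo "DNAT is a target: write '-j DNAT'"; return 1 ;;
    esac
    case "$line" in
        *"-m multiport"*"--dports "*)
            ports=$(printf '%s\n' "$line" | sed -n 's/.*--dports \([^ ]*\).*/\1/p')
            count=$(printf '%s\n' "$ports" | tr ',' '\n' | grep -c .)
            if [ "$count" -gt 15 ]; then
                echo "multiport accepts at most 15 ports or ranges, got $count"; return 1
            fi ;;
    esac
    return 0
}

# Demonstration on constructed input: print the ruleset, then lint it next to
# the two command lines that failed in the thread.
emit_ruleset udp 30000:31000 192.168.122.100
for rule in "$(range_dnat_rule udp 30000:31000 192.168.122.100)" \
    "-A PREROUTING -m udp -p udp --mark multiport --dports 30000:31000 -j DNAT --to-destination 192.168.122.100" \
    "-A PREROUTING -m udp -p udp -m multiport --dport 30000:31000 -j DNAT --to-destination 192.168.122.100"
do
    if reason=$(lint_rule "$rule"); then
        echo "ok:   $rule"
    else
        echo "FAIL: $rule  ($reason)"
    fi
done
```

Two caveats worth knowing when reading the output. First, for a single contiguous range iptables also accepts plain -p udp -m udp --dport 30000:31000 without multiport; multiport is what you need for a comma-separated list of ports or ranges, and it stops at 15 entries. Second, the FORWARD rule matters in this thread's setup only once the FORWARD policy is changed from ACCEPT to DROP; the listing above shows it is currently ACCEPT, which is why the DNAT rule alone was enough. Review the live tables with iptables-save before committing them.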

projectsAuthor Commented:
Yes, that seems to work! At least iptables loads without errors so it looks like you've got it.
arnoldCommented:
iptables is built to be dynamically updated using iptables -A.
Once the operation works as intended you would run /etc/init.d/iptables save to commit the rules and make them permanent.
projectsAuthor Commented:
Yes, I tested from the command line first, then added it to iptables and saved it. Should be fine now.

Thanks very much for your help on this. I could not find an answer no matter how much I searched, finding only the wrong commands each time.