From: Martijn Lievaart <m@rtij.nl>
To: "KUCKAERTZ Régis - NVISION" <regis@nvision.lu>
Cc: netfilter-devel@lists.netfilter.org
Subject: Re: Port forwarding with iptables
Date: Thu, 02 Sep 2004 09:24:07 +0200
Message-ID: <4136CA97.5010901@rtij.nl>

KUCKAERTZ Régis - NVISION wrote:

>Hello,
>
>Our ISP only allows connections coming from a well-defined list of IP
>addresses. Since we must be able to log on to our servers no matter where we
>are, I just thought using iptables on one host having one of the authorized
>IP addresses would be the solution.
>
>So I went on reading iptables docs and howtos, but as you might guess I
>couldn't stand how to do it exactly. Let's put it correctly stated: every
>incoming connection to, say, port 3999 of my host ($HOST_IP) should be
>forwarded to port 123 of the protected server ($SERVER_IP). I tried the
>following two rules:
>
>$IPTABLES -t nat -A PREROUTING -p tcp --dst $HOST_IP --dport 3999 -j DNAT
>--to-destination $SERVER_IP:123
>
>   This one should do the forwarding
>
>

This one looks fine.

>$IPTABLES -t nat -A POSTROUTING -p tcp --dst $SERVER_IP --dport 123 -j
>MASQUERADE
>
>   ... and this one should masquerade
>
>

That looks nonsensical; what are you trying to accomplish? Drop this
line of thought. MASQUERADE is for when you connect through a
dynamically assigned IP address, e.g. dial-up.

What you need is a rule in FORWARD to allow the packets to pass.
Assuming you accept ESTABLISHED (and RELATED) packets somewhere, so the
replies are handled automagically, you just need to add a rule like

# by now the packet has been updated with a new destination, allow it in.

$IPTABLES -A FORWARD -p tcp --dst $SERVER_IP --dport 123 -j ACCEPT

BTW, these kinds of questions are better directed to the user list, not the development list.

Cheers,
M4
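The complete rule set for the setup discussed in this message, as an added example that is not part of the thread: it assumes the forwarding host is the gateway for $SERVER_IP (so replies route back through it and no SNAT is needed), and the addresses, the interface name eth0 and the helper names ipt, sysctl_w, base_rules and forward_port are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: DNAT port forward plus the FORWARD rule
# it needs. Assumes this host is the default gateway for $SERVER_IP, so the
# server's replies come back through it and conntrack un-DNATs them itself.
# Addresses below are constructed defaults; override them via the environment.
# DRY_RUN=1 (the default) prints the commands instead of applying them.
set -eu

DRY_RUN="${DRY_RUN:-1}"
WAN_IF="${WAN_IF:-eth0}"            # interface that carries $HOST_IP
HOST_IP="${HOST_IP:-192.0.2.10}"    # the authorised public address
SERVER_IP="${SERVER_IP:-10.0.0.5}"  # the protected server behind this host
FWD_PORT="${FWD_PORT:-3999}"        # port clients connect to on $HOST_IP
DST_PORT="${DST_PORT:-123}"         # port the connection lands on at $SERVER_IP

ipt() { if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi; }
sysctl_w() { if [ "$DRY_RUN" = 1 ]; then echo "sysctl -w $*"; else sysctl -w "$@"; fi; }

# Baseline: the kernel must route between interfaces, FORWARD defaults to DROP,
# and replies to already-accepted connections pass without per-service rules.
base_rules() {
    sysctl_w net.ipv4.ip_forward=1
    ipt -P FORWARD DROP
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# The forward itself:
# 1) nat/PREROUTING rewrites the destination before the routing decision.
# 2) FORWARD accepts the rewritten packet. Matching --ctstate DNAT limits the
#    accept to connections this DNAT created, so the rule does not also open
#    $SERVER_IP:$DST_PORT to traffic that was addressed there directly.
# No MASQUERADE/SNAT step: replies already return via this host.
forward_port() {
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$HOST_IP" --dport "$FWD_PORT" \
        -j DNAT --to-destination "$SERVER_IP:$DST_PORT"
    ipt -A FORWARD -i "$WAN_IF" -p tcp -d "$SERVER_IP" --dport "$DST_PORT" \
        -m conntrack --ctstate DNAT -j ACCEPT
}

# Apply only when explicitly requested, e.g. APPLY=1 DRY_RUN=0 sh ./forward.sh
if [ "${APPLY:-0}" = 1 ]; then
    base_rules
    forward_port
fi
```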
