* Rewriting target IP and port on Linux with iptables or firewall-cmd
@ 2016-03-04 19:45 Alex Barylo
  2016-03-04 23:06 ` Harout Hedeshian
  2016-03-05  0:32 ` Sven-Haegar Koch
  0 siblings, 2 replies; 5+ messages in thread
From: Alex Barylo @ 2016-03-04 19:45 UTC (permalink / raw)
  To: netfilter

I have a server in a DC1 with a private IP, of say 10.10.10.10. This
IP is NAT'd to a public IP, say 216.58.219.10 in this way:

216.58.219.10:8090 -> 10.10.10.10:8089

I have a server in DC2 which knows about (and wants to connect to)
10.10.10.10:8089 but doesn't know about 216.58.219.10:8090 (long
story).

So I want to rewrite dest IP/port from 10.10.10.10:8089 to 216.58.219.10:8090.

This is what I tried:

# sysctl net.ipv4.ip_forward=1
# iptables -t nat -A PREROUTING -p tcp --dest 10.10.10.10 --dport 8089 -j DNAT --to 216.58.219.10:8090

...and it gives me this:

# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             10.10.10.10          tcp dpt:8089 to:216.58.219.10:8090

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

... and it doesn't work.

I see neither traffic to 10.x nor to 216.x with tcpdump on the host in
DC2 where I'm trying to rewrite.

A side question: is there a way for me to see how traffic moves
between/through chains?

Any pointers are greatly appreciated.

Thanks,
Alex.


* Re: Rewriting target IP and port on Linux with iptables or firewall-cmd
  2016-03-04 19:45 Rewriting target IP and port on Linux with iptables or firewall-cmd Alex Barylo
@ 2016-03-04 23:06 ` Harout Hedeshian
  2016-03-05  0:32 ` Sven-Haegar Koch
  1 sibling, 0 replies; 5+ messages in thread
From: Harout Hedeshian @ 2016-03-04 23:06 UTC (permalink / raw)
  To: Alex Barylo, netfilter



On 03/04/2016 12:45 PM, Alex Barylo wrote:
> I see neither traffic to 10.x nor to 216.x with tcpdump on the host in
> DC2 where I'm trying to rewrite.
Just to check the obvious, have you checked your FORWARD chain in the 
filter table to make sure you are not accidentally dropping it?
> A side question: is there a way for me to see how traffic moves
> between/through chains?
Yes. Take a look at the iptables trace target (there are a handful of 
tutorials out there).
I would also suggest dumping iptables with the -v option; it will 
give you a match count of your rules. That way you can see if it is even 
matching at all.
> Any pointers are greatly appreciated.
>
> Thanks,
> Alex.





* Re: Rewriting target IP and port on Linux with iptables or firewall-cmd
  2016-03-04 19:45 Rewriting target IP and port on Linux with iptables or firewall-cmd Alex Barylo
  2016-03-04 23:06 ` Harout Hedeshian
@ 2016-03-05  0:32 ` Sven-Haegar Koch
  2016-03-06 20:52   ` Pascal Hambourg
  2016-03-08  0:25   ` Alex Barylo
  1 sibling, 2 replies; 5+ messages in thread
From: Sven-Haegar Koch @ 2016-03-05  0:32 UTC (permalink / raw)
  To: Alex Barylo; +Cc: netfilter

On Fri, 4 Mar 2016, Alex Barylo wrote:

> I have a server in a DC1 with a private IP, of say 10.10.10.10. This
> IP is NAT'd to a public IP, say 216.58.219.10 in this way:
> 
> 216.58.219.10:8090 -> 10.10.10.10:8089
> 
> I have a server in DC2 which knows about (and wants to connect to)
> 10.10.10.10:8089 but doesn't know about 216.58.219.10:8090 (long
> story).
> 
> So I want to rewrite dest IP/port from 10.10.10.10:8089 to 216.58.219.10:8090.
> 
> This is what I tried:
> 
> # sysctl net.ipv4.ip_forward=1
> # iptables -t nat -A PREROUTING -p tcp --dest 10.10.10.10 --dport 8089 -j DNAT --to 216.58.219.10:8090

> Any pointers are greatly appreciated.

Try adding the same rule also to the nat OUTPUT chain.

iptables -t nat -A OUTPUT -p tcp --dest 10.10.10.10 --dport 8089 -j DNAT --to 216.58.219.10:8090

c'ya
sven-haegar

-- 
Three may keep a secret, if two of them are dead.
- Ben F.


* Re: Rewriting target IP and port on Linux with iptables or firewall-cmd
  2016-03-05  0:32 ` Sven-Haegar Koch
@ 2016-03-06 20:52   ` Pascal Hambourg
  2016-03-08  0:25   ` Alex Barylo
  1 sibling, 0 replies; 5+ messages in thread
From: Pascal Hambourg @ 2016-03-06 20:52 UTC (permalink / raw)
  To: Sven-Haegar Koch; +Cc: Alex Barylo, netfilter

> On Fri, 4 Mar 2016, Alex Barylo wrote:
> 
>> I have a server in a DC1 with a private IP, of say 10.10.10.10. This
>> IP is NAT'd to a public IP, say 216.58.219.10 in this way:
>>
>> 216.58.219.10:8090 -> 10.10.10.10:8089
>>
>> I have a server in DC2 which knows about (and wants to connect to)
>> 10.10.10.10:8089 but doesn't know about 216.58.219.10:8090 (long
>> story).
>>
>> So I want to rewrite dest IP/port from 10.10.10.10:8089 to 216.58.219.10:8090.
>>
>> This is what I tried:
>>
>> # sysctl net.ipv4.ip_forward=1
>> # iptables -t nat -A PREROUTING -p tcp --dest 10.10.10.10 --dport 8089 -j DNAT --to 216.58.219.10:8090

And what happened?
On which machine did you run these commands?
If it is on a machine acting as a gateway between the server in DC2 and
the server in DC1, then you are correct. If it is on the server in DC2,
then the sysctl is useless and the iptables rule should be added to the
OUTPUT chain (for locally-generated traffic) instead of PREROUTING (for
incoming traffic).

Sven-Haegar Koch wrote:
> Try adding the same rule also to the nat OUTPUT chain.

Why "also"? Rather "instead". Both rules on the same machine are useless.

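As an added example (not code from the thread or from any of its posters), a small Python script that combines Harout's advice to read the per-rule packet counters from `iptables -t nat -L -v -n` with Pascal's distinction that locally generated traffic only traverses nat OUTPUT while traffic arriving from another host traverses nat PREROUTING: for each DNAT rule it reports whether the rule sits in the chain the traffic actually takes and whether it has ever matched. The listing and its counters are constructed for illustration; the parser assumes the `-x` (exact counter) output format.

```python
import re

# Constructed sample of `iptables -t nat -L -v -n -x` (not from the thread): the
# original post's rule installed on the DC2 host itself; counters are made up.
SAMPLE = """\
Chain PREROUTING (policy ACCEPT 120 packets, 7200 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            10.10.10.10          tcp dpt:8089 to:216.58.219.10:8090
Chain OUTPUT (policy ACCEPT 30 packets, 1800 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   180 DNAT       tcp  --  *      *       0.0.0.0/0            10.10.10.10          tcp dpt:8089 to:216.58.219.10:8090
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy")
# pkts bytes target prot opt in out source destination [match/target options]
RULE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_nat_counters(text):
    """Return (chain, pkts, target, destination, options) for every rule line."""
    rules, chain = [], None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        m = RULE_RE.match(line)
        if m and chain:
            pkts, _bytes, target, _src, dst, opts = m.groups()
            rules.append((chain, int(pkts), target, dst, opts.strip()))
    return rules

def chain_for_dnat(locally_generated):
    """Locally generated traffic only traverses nat OUTPUT; forwarded traffic, nat PREROUTING."""
    return "OUTPUT" if locally_generated else "PREROUTING"

def diagnose(text, locally_generated):
    """One finding per DNAT rule: wrong chain for this traffic, never matched, or matched N packets."""
    want = chain_for_dnat(locally_generated)
    findings = []
    for chain, pkts, target, dst, opts in parse_nat_counters(text):
        if target != "DNAT":
            continue
        rule = f"{chain}: DNAT to {dst} {opts}"
        if chain != want:
            findings.append(f"{rule}: wrong chain for this traffic, expected {want}")
        elif pkts == 0:
            findings.append(f"{rule}: never matched, the traffic is not reaching this chain or the match does not fit it")
        else:
            findings.append(f"{rule}: matched {pkts} packets; if it still fails, look at the filter table next")
    return findings
```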

* Re: Rewriting target IP and port on Linux with iptables or firewall-cmd
  2016-03-05  0:32 ` Sven-Haegar Koch
  2016-03-06 20:52   ` Pascal Hambourg
@ 2016-03-08  0:25   ` Alex Barylo
  1 sibling, 0 replies; 5+ messages in thread
From: Alex Barylo @ 2016-03-08  0:25 UTC (permalink / raw)
  To: Sven-Haegar Koch; +Cc: netfilter

On Fri, Mar 4, 2016 at 4:32 PM, Sven-Haegar Koch <haegar@sdinet.de> wrote:
> On Fri, 4 Mar 2016, Alex Barylo wrote:
>
>> I have a server in a DC1 with a private IP, of say 10.10.10.10. This
>> IP is NAT'd to a public IP, say 216.58.219.10 in this way:
>>
>> 216.58.219.10:8090 -> 10.10.10.10:8089
>>
>> I have a server in DC2 which knows about (and wants to connect to)
>> 10.10.10.10:8089 but doesn't know about 216.58.219.10:8090 (long
>> story).
>>
>> So I want to rewrite dest IP/port from 10.10.10.10:8089 to 216.58.219.10:8090.
>>
>> This is what I tried:
>>
>> # sysctl net.ipv4.ip_forward=1
>> # iptables -t nat -A PREROUTING -p tcp --dest 10.10.10.10 --dport 8089 -j DNAT --to 216.58.219.10:8090
>
>> Any pointers are greatly appreciated.
>
> Try adding the same rule also to the nat OUTPUT chain.
>
> iptables -t nat -A OUTPUT -p tcp --dest 10.10.10.10 --dport 8089 -j DNAT --to 216.58.219.10:8090

Excellent (winning!) idea, Sven-Haegar - thank you! I did try adding
to OUTPUT instead of PREROUTING before I posted here and it didn't
work. But when I added to both - voila!

Here is the script, in case you need to add more than one port and you
hate repeating (almost) the same line.

#!/bin/bash

PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin

# Public address the private addresses are NAT'd to, and the public port
# behind which each private address:port is reachable.
REMOTE_PUB_IP="your_public_ip_here"
REMOTE_PUB_PORT=(8089 8090 8091)

# Private addresses (separated by space) and ports as the DC2 host knows them;
# entry i of every array belongs to the same mapping.
REMOTE_PRV_IP=(your_private_ips_here)
REMOTE_PRV_PORT=(8089 8089 8089)


# Run the command given as arguments, or only print it when DEBUG is set.
run_cmd () {
    if [[ -z "$DEBUG" ]]; then
        "$@"
    else
        echo "$@"
    fi
}


# Enable IP forwarding
run_cmd sysctl net.ipv4.ip_forward=1

# Flush all NAT rules (this discards every existing rule in the nat table)
run_cmd iptables -t nat -F

for i in "${!REMOTE_PUB_PORT[@]}"; do
    run_cmd iptables -t nat -A PREROUTING -p tcp \
        --dest "${REMOTE_PRV_IP[i]}" --dport "${REMOTE_PRV_PORT[i]}" \
        -j DNAT --to "${REMOTE_PUB_IP}:${REMOTE_PUB_PORT[i]}"
    run_cmd iptables -t nat -A OUTPUT -p tcp \
        --dest "${REMOTE_PRV_IP[i]}" --dport "${REMOTE_PRV_PORT[i]}" \
        -j DNAT --to "${REMOTE_PUB_IP}:${REMOTE_PUB_PORT[i]}"
done

