http://serverfault.com/questions/631462/port-forwarding-with-iptables-connection-refused
http://www.systutorials.com/816/port-forwarding-using-iptables/
http://jensd.be/343/linux/forward-a-tcp-port-to-another-ip-or-port-using-nat-with-iptables
When a packet passes through Iptables, it passes a set of chains. Decisions made by those chains are called rules and that’s basically how you configure Iptables.
Overview of the chains used by Iptables
For our setup to work, we need to add a DNAT and SNAT rule (Prerouting and Postrouting). The first one will make sure that the packet gets routed to the other host (ip: 10.2.2.2) and the second one will make sure that the source address of the packet is no longer the original one but the one of the machine who performed the NAT. That way, the packet will be sent back to it’s original source via the host which owns ip 10.1.1.1.
iptables -t nat -F
iptables -t nat -A POSTROUTING -p tcp -d 192.168.202.105 --dport 80 -j SNAT --to-source 192.168.202.103
iptables -t nat -L -n
ip -4 addr show scope global
iptables -S
iptables -L INPUT -v
Linux iptables Pocket Reference
The configuration works as is but not for local requests. So if some other host in the network (e.g. from 10.42.42.15) tries to connect, everything should work as expected.
For connections from localhost I found http://unix.stackexchange.com/a/113651
Just add:
/sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -d 10.42.42.152 -j DNAT --to-destination 173.194.113.104:80
When a packet passes through Iptables, it passes a set of chains. Decisions made by those chains are called rules and that’s basically how you configure Iptables.
Overview of the chains used by Iptables
For our setup to work, we need to add a DNAT and SNAT rule (Prerouting and Postrouting). The first one will make sure that the packet gets routed to the other host (ip: 10.2.2.2) and the second one will make sure that the source address of the packet is no longer the original one but the one of the machine who performed the NAT. That way, the packet will be sent back to it’s original source via the host which owns ip 10.1.1.1.
To check if IP forwarding is enabled:
sudo sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g' /etc/sysctl.conf
To activate the changes immediately:
sysctl -p
The next thing to do is to check if Iptables is running on the system. Iptables is running as a kernel module so it can’t be seen as one of the normal processes.
lsmod|grep iptable
If there is no output, it means that Iptables isn’t loaded.
iptables -t nat -L -n
iptables -t nat -F
Now, to forward port 9999 on host 192.168.202.103 to port 80 on host 192.168.202.105, we need to add the following rules to the iptables configuration of host 192.168.202.103:
iptables -t nat -A PREROUTING -p tcp --dport 9999 -j DNAT --to-destination 192.168.202.105:80iptables -t nat -A POSTROUTING -p tcp -d 192.168.202.105 --dport 80 -j SNAT --to-source 192.168.202.103
iptables -t nat -L -n
To permanently save the rules, execute iptables-save
https://www.digitalocean.com/community/tutorials/how-to-forward-ports-through-a-linux-gateway-with-iptablesip -4 addr show scope global
The highlighted output above shows two interfaces (
eth0
and eth1
) and the addresses assigned to each (192.51.100.45
and 192.168.1.5
respectively). To find out which of these interfaces is your public interface, type:
- ip route show | grep default
We want to configure our firewall so that traffic flowing into our public interface (
eth0
) on port 80 will be forwarded to our private interface (eth1
).
iptables -A FORWARD -i eth0 -o eth1 -p tcp --syn --dport 80 -m conntrack --ctstate NEW -j ACCEPT
This will let the first packet, meant to establish a connection, through the firewall. We also need to allow any subsequent traffic in both directions that results from that connection. To allow
ESTABLISHED
and RLEATED
traffic between our public and private interfaces, type:
- iptables -A FORWARD -i eth0 -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
- iptables -A FORWARD -i eth1 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
We can double check that our policy on the
FORWARD
chain is set to DROP
by typing:
- sudo iptables -P FORWARD DROP
https://www.digitalocean.com/community/tutorials/how-to-list-and-delete-iptables-firewall-rulesiptables -S
If you want to limit the output to a specific chain (
INPUT
, OUTPUT
, TCP
, etc.), you can specify the chain name directly after the -S
option. For example, to show all of the rule specifications in the TCP
chain, you would run this command:
- sudo iptables -S TCP
To output all of the active iptables rules in a table, run the
iptables
command with the -L
option:
- sudo iptables -L
iptables -L INPUTiptables -L INPUT -v
Flush All Chains
To flush all chains, which will delete all of the firewall rules, you may use the
-F
, or the equivalent --flush
, option by itself:
- sudo iptables -F
http://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.htmlLinux iptables Pocket Reference
Netfilter, and iptables is the command used to configure it.
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.3:8080
-t nat
Operate on the nat table...
-A PREROUTING
... by appending the following rule to its PREROUTING chain.
-i eth1
Match packets coming in on the eth1 network interface...
-p tcp
... that use the tcp (TCP/IP) protocol
--dport 80
... and are intended for local port 80.
-j DNAT
Jump to the DNAT target...
--to-destination 192.168.1.3:8080
... and change the destination address to 192.168.1.3 and destination port to 8080.
iptables defines five "hook points" in the kernel's packet processing pathways: PREROUTING, INPUT, FORWARD, POSTROUTING and OUTPUT.
FORWARD
... that flow through a gateway computer, coming in one interface and going right back out another.
INPUT
... just before they are delivered to a local process.
OUTPUT
... just after they are generated by a local process.
POSTROUTING
... just before they leave a network interface.
PREROUTING
... just as they arrive from a network interface (after dropping any packets resulting from the interface being in promiscuous mode and after checksum validation).
iptables comes with three built-in tables: filter, mangle, and nat. Each is preconfigured with chains corresponding to one or more of the hook points. The default table is the filter table;
nat
Used with connection tracking to redirect connections for network address translation; typically based on source or destination addresses. Its built-in chains are: OUTPUT, POSTROUTING, and PREROUTING.
filter
Used to set policies for the type of traffic allowed into, through, and out of the computer. Unless you refer to a different table explicitly, iptables operate on chains within this table by default. Its built-in chains are: FORWARD, INPUT, and OUTPUT.
/etc/sysconfig/iptables
chkconfig --list iptables
You can enable iptables for runlevels 3, 4, and 5 by running the command:
chkconfig --levels 345 iptables on
service iptables start
service iptables stop
iptables -L -v
Source NAT (SNAT) is used to share a single Internet connection among computers on a network. The computer attached to the Internet acts as a gateway and uses SNAT (along with connection tracking) to rewrite packets for connections between the Internet and the internal network.
Since SNAT entails modifying the source addresses and/or ports of packets just before they leave the kernel, it is performed through the POSTROUTING chain of the nat table.
iptables -t nat -A POSTROUTING -o eth1 -j SNAT
Destination NAT (DNAT) exposes specific services on an internal network to the outside world without linking the internal computers directly to the Internet. The gateway computer redirects connections to the specified ports to the designated internal computers and ports and arranges for return traffic to go back to the original address outside the network.
Since DNAT entails modifying the destination addresses and/or ports of packets just before they are either routed to local processes or forwarded to other computers, it is performed through the PREROUTING chain of the nat table.
For example, to forward inbound connections coming in on a gateway's port 80 (HTTP) to an internal web server running on port 8080 of 192.168.1.3, you could use a rule like this:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80
-j DNAT --to-destination 192.168.1.3:8080
Transparent Proxying
If you have an HTTP proxy (such as Squid) configured to run as a transparent proxy on your firewall computer and listen on port 8888, you can add one rule to redirect outbound HTTP traffic to the HTTP proxy:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80
-j REDIRECT --to-port 8888