Networking :: Using Iptables Dnat For Redirection?
Oct 18, 2010
I have been trying to achieve something through iptables but something is going wrong. I want connections/packets arriving at a specific computer (let's call it "server") from another specific computer ("client") inside the same network to be automatically redirected to a remote computer on the Internet, and vice versa. I tried doing that using iptables with these commands on the "server" PC:
Code:
iptables -t nat -A PREROUTING --source 'client-ip' -j DNAT --to-destination 'remote-pc-ip'
iptables -t nat -A PREROUTING --source 'remote-pc-ip' -j DNAT --to-destination 'client-ip'
[code]....
Mar 10, 2011
I'm having a complicated iptables problem. I'm using a Linux PowerEdge 1750 with 4 Ethernet interfaces and 1 wireless interface as a router/firewall/wireless access point.
The computers on the inside can connect and communicate just fine. They access the outside world and other internal devices with no problems.
DNAT from the outside works just fine for things like ssh, webmin and http. But some protocols and services (ftp with FileZilla and runuo) use ports to connect, and then it is like they hand off the rest of the communication to other, seemingly randomly determined ports. That is when the conversation gets dropped. How do I configure my router to notice these port changes and continue to DNAT the conversation?
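
The FTP half of the question has a standard answer: the kernel ships a connection-tracking helper that reads the PORT/PASV exchange on the control channel and marks the resulting data connection RELATED, and an FTP NAT helper that rewrites the addresses inside that exchange. Below is an added example of that setup, written for this page rather than taken from the thread; the interface name eth0, the internal server 192.168.1.10 and the dry-run variables are my placeholders. The post says nothing about how runuo negotiates its ports, so it is not covered here.

```bash
#!/bin/sh
# Added example (not from the thread): DNAT an FTP server behind the router and
# let the kernel's FTP conntrack helper follow the data connections that active
# and passive FTP negotiate on the control channel.
# Placeholders: WAN interface eth0, internal FTP server 192.168.1.10.
# Set IPT="echo iptables" MODPROBE="echo modprobe" to print instead of apply.
IPT=${IPT:-iptables}
MODPROBE=${MODPROBE:-modprobe}

ftp_forward_rules() {
    wan=$1       # interface Internet clients arrive on
    ftp_host=$2  # internal FTP server
    # Old kernels name the modules ip_conntrack_ftp / ip_nat_ftp, newer ones
    # nf_conntrack_ftp / nf_nat_ftp; try the new name first.
    $MODPROBE nf_conntrack_ftp 2>/dev/null || $MODPROBE ip_conntrack_ftp
    $MODPROBE nf_nat_ftp 2>/dev/null || $MODPROBE ip_nat_ftp
    # Kernels 4.7 and later no longer attach helpers automatically
    # (net.netfilter.nf_conntrack_helper defaults to 0), so bind the ftp
    # helper to control-channel connections explicitly in the raw table.
    $IPT -t raw -A PREROUTING -i "$wan" -p tcp --dport 21 -j CT --helper ftp
    # Control channel: DNAT to the internal server and allow the new flow.
    # FORWARD runs after NAT, so it must match the post-NAT destination.
    $IPT -t nat -A PREROUTING -i "$wan" -p tcp --dport 21 \
         -j DNAT --to-destination "$ftp_host:21"
    $IPT -A FORWARD -i "$wan" -p tcp -d "$ftp_host" --dport 21 \
         -m conntrack --ctstate NEW -j ACCEPT
    # Data channels (PORT and PASV) are tagged RELATED by the helper and their
    # addresses rewritten by nf_nat_ftp, so one rule covers the "random" ports
    # without opening a static range.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Check that the helper is actually being attached (needs conntrack-tools).
ftp_helper_flows() {
    conntrack -L 2>/dev/null | grep -c 'helper=ftp'
}

case "${1:-}" in
    apply) ftp_forward_rules "${2:-eth0}" "${3:-192.168.1.10}" ;;
esac
```

Two caveats a practitioner will hit: the helper parses cleartext only, so FTP over TLS (FTPS) keeps failing and needs the server pinned to a fixed passive range that is forwarded statically; and on a kernel without the CT target (older than 2.6.34) the raw-table line is simply omitted, because those kernels still attach the helper automatically.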
Nov 26, 2009
A client uses an ISP with a Linux machine (Server 1) with two network cards: eth0 with IP 1.1.1.2 and gateway 1.1.1.1 (these IPs are not public and fall under the ISP's internal range), and eth1 with the internal IP range. OpenVPN listens on eth0 for incoming connections. We want to connect to Server 1 from external networks. For various reasons the ISP could not get the routing sorted and give us a public IP on its network. We had to set up another box (Server 2) with eth0 2.2.2.5 and gateway 2.2.2.1, which are public IPs, and eth1 with IP 3.3.3.5. Server 2 can communicate via the ISP's internal network with Server 1. I use DNAT to forward all incoming connections on Server 2 to Server 1, but the problem I have is that Server 1 uses its default gateway for the return packets and does not send the reply back to Server 2. My iptables rules look as follows on Server 2:
/usr/sbin/iptables -t nat -A PREROUTING -p udp -i eth0 -d 196.25.157.135 --dport 1194 -j DNAT --to 192.168.100.170:1194
/usr/sbin/iptables -A FORWARD -p udp -i eth0 -d 192.168.100.170 --dport 1194 -j ACCEPT
Jun 17, 2010
There is a server on which I want to use port redirection with iptables. For port redirection I have used the nat table with the PREROUTING chain and the REDIRECT option, like:
Code:
iptables -t nat -A PREROUTING -p tcp --dport pop3 -j REDIRECT --to-port 8110
It just does not work. I have tried to redirect other ports as well, but nothing works.
[code]....
Aug 26, 2010
I'd like (if it's possible, of course) to redirect packets originating within a Linux box, and I've been trying to do it through the OUTPUT chain in the nat table:
Code:
iptables -t nat -A OUTPUT -p tcp -d 192.168.0.74 --dport 80 -j DNAT --to-destination 192.168.0.17:80
The policy for the rest is ACCEPT. This redirection didn't work this way. If I do lynx http://192.168.0.74:80 I reach the 192.168.0.74 host, so there is no redirection. Could I achieve what I need with iptables' OUTPUT chain (in the nat table)?
Aug 19, 2010
I am trying to simply address-translate TCP packets from one destination IP to another destination IP (DNAT?) without getting the initial SYN packet. Is this possible? I do not think it is with DNAT, since conntrack needs the SYN first.
I have given the command:
The problem is that the first packet that matches this rule will be the SYN-ACK, and I suspect it is simply DROPPED.
I am sparing you the gory details of why I would do such a silly thing, but simply put; I need to intercept client-to-server packets through a tunnel, but allow server-to-client packets to follow through the regular network.
I have been working on this for many days without success and my learning curve is still steep. I can provide more details as needed.
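
Whether a non-SYN packet can be the one that sets up a DNAT mapping is decided by two conntrack sysctls, not by the DNAT target: nf_conntrack_tcp_loose (whether conntrack will pick up an already established connection from a mid-stream packet) and nf_conntrack_tcp_be_liberal (whether packets whose window cannot be checked, because the other direction is never seen, are flagged INVALID; NAT is never applied to INVALID packets). The following is an added example for this page, not something from the thread: it sets both knobs, installs the DNAT for the tunnel side only, and logs whatever conntrack still rejects so "dropped as INVALID" can be told from "rule never matched". The interface tun0 and the addresses 10.1.1.5 / 10.2.2.9 are placeholders I chose; whether this is enough for the poster's exact topology is what the LOG rule is there to show.

```bash
#!/bin/sh
# Added example (not from the thread): DNAT a TCP flow whose SYN this box never
# sees, because only the client->server direction is steered through it.
# Placeholders: tunnel interface tun0, old destination 10.1.1.5, new destination
# 10.2.2.9, port 443. IPT="echo iptables" SYSCTL="echo sysctl" prints the commands.
IPT=${IPT:-iptables}
SYSCTL=${SYSCTL:-sysctl}

# NAT decisions are made on the first packet conntrack sees for a connection.
# Two knobs decide whether a non-SYN packet may be that first packet:
#   tcp_loose      - pick up an already established connection (mid-stream)
#   tcp_be_liberal - mark only out-of-window RST as INVALID, instead of every
#                    packet whose window cannot be checked because the reply
#                    direction is never observed here
# Older kernels expose the same knobs as net.ipv4.netfilter.ip_conntrack_tcp_*.
set_tcp_knob() {
    $SYSCTL -q -w "net.netfilter.nf_conntrack_tcp_$1=1" 2>/dev/null \
    || $SYSCTL -q -w "net.ipv4.netfilter.ip_conntrack_tcp_$1=1"
}

midstream_conntrack() {
    set_tcp_knob loose
    set_tcp_knob be_liberal
}

midstream_dnat_rules() {
    in_if=$1; old_dst=$2; new_dst=$3; port=$4
    # Rewrite the destination for everything arriving through the tunnel,
    # whether the first packet is a SYN or a plain ACK.
    $IPT -t nat -A PREROUTING -i "$in_if" -p tcp -d "$old_dst" --dport "$port" \
         -j DNAT --to-destination "$new_dst:$port"
    $IPT -A FORWARD -i "$in_if" -p tcp -d "$new_dst" --dport "$port" -j ACCEPT
    # Anything conntrack still refuses is logged, so "dropped as INVALID" can be
    # told apart from "rule never matched" while testing.
    $IPT -A FORWARD -i "$in_if" -m conntrack --ctstate INVALID \
         -j LOG --log-prefix "midstream-invalid: "
}

# One-directional flows stay [UNREPLIED] and unassured entries are the first to
# be dropped when the table fills, so keep nf_conntrack_max generous.
watch_midstream() {
    conntrack -L 2>/dev/null | grep -- "dst=$1 .*dport=$2"
}
```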
Dec 4, 2009
I'm having problems with NX; it's doing strange things, trying to connect to some IP host in Timbuktu because my DNS provider's DNS sucks AND because NX is looking up the host "localhost" without first consulting my hosts file (which nsswitch explicitly tells it to do). THAT's all beside the point.
To work around this apparent bug in NX I tried creating an iptables rule to redirect traffic destined for a certain IP (10.x.x.x) to localhost (127.0.0.1) with the following rule: iptables -t nat -I PREROUTING -d 10.x.x.x -j DNAT --to 127.0.0.1. After adding the above rule, my attempts to connect to that host continued to get routed right off into the Internet, where I didn't want them to go, instead of being redirected to the localhost/loopback address.
It seems DNAT to localhost is not supported? A Google search reveals many other people having this issue but blaming it on everything but iptables. I'm proposing that it's not supported, by design or not, to redirect traffic from a NIC to the loopback network.
Jun 3, 2011
I'm trying to understand and set up port forwarding with iptables. So far I've read a lengthy tutorial on iptables, and I've Googled for hours and searched this forum, but I've been unable to come up with a solution that works for me. The situation I would like to achieve is the following: on one machine, there is a TCP server running bound to its external IP, port 9999. I would like to let another machine connect to this TCP server on port 9000 by forwarding port 9000 to 9999. All the policies of the iptables chains are set to ACCEPT, and I have set net.ipv4.ip_forward = 1. I have no problems using SNAT/MASQUERADE on the same server machine. I have tried the following:
Code:
iptables -F
iptables -t nat -F
iptables -t nat -A PREROUTING -p tcp -i eth0 -d ${SERVER_IP} --dport 9000 --sport 1024:65535 -j DNAT --to ${SERVER_IP}:9999
In order to test this rule, I started a TCP echo server on port 9999. I can connect to it on port 9999, but not on port 9000; this gives me 'connection timed out'. When I do 'iptables -t nat -L -v', I can see that the rule does get matched once per connection attempt.
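
The pop3-to-8110 post and the 9000-to-9999 post are the same problem: a public port that should land on a daemon listening on another port of the same host. Three things trip people up there, and the example below, which is added for this page and is not code from either thread, handles all three: packets generated on the box itself (the usual "telnet localhost" test) never traverse PREROUTING and need a nat/OUTPUT rule; filter/INPUT is evaluated after NAT and so must accept the real port, not the public one; and a nat rule's counter increments exactly once per connection whether or not the rest of the flow survives, so "the rule matches" says nothing about later packets. Interface eth0 and ports 110/8110 are placeholders I chose.

```bash
#!/bin/sh
# Added example (not from either thread): make a public port reach a daemon that
# listens on a different port of the same host, and check it properly.
# Placeholders: eth0, public port 110 -> real port 8110. IPT="echo iptables" prints.
IPT=${IPT:-iptables}

redirect_port() {
    in_if=$1; pub_port=$2; real_port=$3
    # Packets from OTHER hosts traverse nat/PREROUTING; REDIRECT rewrites the
    # destination to the primary address of the incoming interface plus the
    # new port, so the daemon must listen on that address (or 0.0.0.0).
    $IPT -t nat -A PREROUTING -i "$in_if" -p tcp --dport "$pub_port" \
         -j REDIRECT --to-ports "$real_port"
    # Packets this box generates itself (telnet localhost 110 as a "test")
    # never touch PREROUTING; their one NAT chance is nat/OUTPUT.
    $IPT -t nat -A OUTPUT -o lo -p tcp --dport "$pub_port" \
         -j REDIRECT --to-ports "$real_port"
    # filter/INPUT runs after NAT and sees the rewritten port: accept the REAL
    # port. A rule for the public port would never match a redirected packet.
    $IPT -A INPUT -i "$in_if" -p tcp --dport "$real_port" \
         -m conntrack --ctstate NEW -j ACCEPT
}

# The nat table only sees the first packet of each connection, so its counters
# grow by one per attempt even if every following packet is dropped. Look at
# the filter counters and confirm something actually listens on the real port.
redirect_check() {
    in_if=$1; real_port=$2
    $IPT -L INPUT -n -v | grep -- "dpt:$real_port" \
        || echo "no INPUT rule accepts port $real_port"
    if ss -lnt 2>/dev/null | grep -q ":$real_port "; then
        echo "listener present on $real_port"
    else
        echo "nothing listens on $real_port"
    fi
}

case "${1:-}" in
    apply) redirect_port "${2:-eth0}" "${3:-110}" "${4:-8110}" ;;
    check) redirect_check "${2:-eth0}" "${3:-8110}" ;;
esac
```

When a connection still times out even though the nat counter moves, the next thing to look at is whether the daemon is bound to 127.0.0.1 only, because REDIRECT delivers to the interface's address rather than to loopback.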
Jan 27, 2010
Ok, here goes: I have an RDP server sitting at a remote store which is behind a router I do not control.
I might be able to get the phone company to add routing to it, but at the moment I'd like to do this with ssh and reverse port forwarding, because I might need this for other ports later and I never know if the phone company won't break other routings already in place or just screw up the entire thing.
I am able to have a Linux box at the site ssh into a server located where I'm at and reverse port forward port 3389 to that server. I can also then ssh into that server from my Linux box and port forward 3389 to my box, under another port since my 3389 is already in use. Finally I can use rdesktop to RDP on my local box, which bounces it through the server and back to the Linux box, which forwards it to the RDP server (a Windows 2008 server to be exact). This is all well and good and works reasonably fast, but I need to be able to have users on Windows boxes at my site do this without all of the rigmarole. I need to, I guess, redirect a normal open port, or create one, on the server where I am so that it connects internally to the reverse-forwarded port, or open the internal port to the outside. So I guess I need to make it a 'gateway' for that one port; this way all I have to do is point the RDP clients at the main server and port to have it eventually connect to the RDP server in the remote store.
How do I go about doing it? I guess I need an iptables entry forwarding the port, but I'm not sure what it should be.
The other option is opening up port 3389 to the outside, but I'm not sure how to do that either. Right now I have no iptables entries at all, but even if I turn off iptables completely port 3389 is not available if I try to use it from another PC on the network, though I can RDP from the server itself using port 3389, so I know it's working internally.
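
The lynx post, the NX post and this RDP post share one mechanism: destination NAT for connections that start on the box itself, or that must end on its loopback. Locally generated packets never pass PREROUTING, so the NX rule was never consulted; their only NAT hook is nat/OUTPUT, and there a DNAT to 127.0.0.1 works because the rewritten packet is delivered locally. Packets from other hosts can be DNATed to 127.0.0.1 only on Linux 3.6 or later with route_localnet enabled on the incoming interface; earlier kernels drop them as martians, which is what the "not supported" observation matches. The ssh -R end of a reverse tunnel is exactly such a loopback-only listener unless sshd's GatewayPorts allows a wider bind. Below is an added example for this page, not code from any of the three threads; 10.9.9.9, 192.168.0.74/.17, port 13389, 203.0.113.0/24 and user@hub.example are placeholders I chose.

```bash
#!/bin/sh
# Added example (not from the threads): destination NAT for traffic this host
# originates, DNAT to 127.0.0.1, and exposing a loopback-only listener (for
# instance the local end of an ssh -R tunnel) to other hosts.
# Placeholders: 10.9.9.9 -> 127.0.0.1, 192.168.0.74:80 -> 192.168.0.17:80,
# eth0:13389 -> 127.0.0.1:13389. IPT/SYSCTL/SSH="echo ..." print instead of run.
IPT=${IPT:-iptables}
SYSCTL=${SYSCTL:-sysctl}
SSH=${SSH:-ssh}

# Locally generated packets never pass PREROUTING; nat/OUTPUT is their only NAT
# hook. DNAT to 127.0.0.1 is fine here because the rewritten packet is
# delivered locally without crossing a NIC.
local_dnat() {
    old_dst=$1; new_dst=$2; port=$3   # port optional
    if [ -n "$port" ]; then
        $IPT -t nat -A OUTPUT -p tcp -d "$old_dst" --dport "$port" \
             -j DNAT --to-destination "$new_dst:$port"
    else
        $IPT -t nat -A OUTPUT -d "$old_dst" -j DNAT --to-destination "$new_dst"
    fi
}

# Packets from OTHER hosts may be DNATed to 127.0.0.1 only when the kernel is
# told that loopback addresses are legitimate routing targets on that
# interface (route_localnet, Linux 3.6 and later). Restrict the source: this
# publishes a service the listener believed was local only.
expose_loopback_port() {
    in_if=$1; pub_port=$2; lo_port=$3; src=${4:-0.0.0.0/0}
    $SYSCTL -q -w "net.ipv4.conf.$in_if.route_localnet=1"
    $IPT -t nat -A PREROUTING -i "$in_if" -s "$src" -p tcp --dport "$pub_port" \
         -j DNAT --to-destination "127.0.0.1:$lo_port"
    $IPT -A INPUT -i "$in_if" -s "$src" -p tcp -d 127.0.0.1 --dport "$lo_port" \
         -m conntrack --ctstate NEW -j ACCEPT
}

# Remote-store side: publish the store's RDP server on the hub's loopback.
# sshd forces the bind address to loopback unless GatewayPorts is yes or
# clientspecified; with clientspecified you could bind 0.0.0.0 here instead of
# NATing on the hub.
reverse_tunnel() {
    hub_port=$1; rdp_host=$2; hub=$3
    $SSH -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 \
         -R "127.0.0.1:$hub_port:$rdp_host:3389" "$hub"
}

# Confirm a nat/OUTPUT rule really translated something (needs conntrack-tools):
# the reply tuple of a DNATed connection carries the new destination as src.
local_dnat_hits() {
    conntrack -L 2>/dev/null | grep -c "src=$1 "
}
```

For the lynx case, one thing to rule out before blaming the OUTPUT rule is an http_proxy variable in the environment, since lynx would then open its connection to the proxy rather than to 192.168.0.74:80 and the rule would correctly never match. For the RDP case, publishing 3389 to the whole Internet behind a DNAT is a bad trade; the src parameter exists so the rule can be limited to the site's own address range.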
Mar 29, 2009
I am using the Squid proxy server on my Linux machine for caching. Now I want to run Squid in transparent mode, without setting proxy settings in browsers. Squid is running on port 3128. If we redirect port 80 packets to port 3128, a loop occurs. How do I avoid the loop?
Jan 17, 2011
I have a base-level understanding of Linux at this point. I have a Debian box that I am trying to do some port redirection with.
I have my external NIC as eth0 with an IP of x.x.250.5.
I have my internal NIC as eth1 with an IP of 192.168.1.1.
On the internal network I have a NAS box with a web interface at 192.168.1.100. What I need is to set it up so that a request to x.x.250.5:8080 will somehow forward/redirect to the internal-network NAS box at 192.168.1.100:80.
Feb 9, 2011
I'm currently setting up a Squid proxy which will be installed on a Debian system configured as a bridge, eth0/eth1 as br0. The problem I'm having is that port 80 requests are being proxied both ways, whereas I only want the requests coming in via eth1 to be proxied.
Is there a way to do this? I've already tried changing the "-i br0" in the iptables redirection to "-i eth1", but no data appears to go through it.
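
The looping question and the bridge question are two halves of the same transparent-proxy ruleset. A REDIRECT in PREROUTING only ever sees traffic entering from another host, so Squid's own fetches to origin servers (which are locally generated and go through OUTPUT) cannot loop back into it; the loop appears when someone adds a nat/OUTPUT redirect to catch browsers on the proxy host without exempting Squid's uid. On a bridge, "-i eth1" matches nothing because the packet's incoming interface is br0; the physical port is still available to the physdev match, and bridged frames only reach iptables at all when bridge-nf is enabled. The following is an added example for this page rather than code from either thread; eth1, br0, port 3128 and the user name "proxy" are placeholders I chose.

```bash
#!/bin/sh
# Added example (not from either thread): intercept port 80 for Squid without
# the proxy intercepting its own upstream fetches, on a router and on a bridge.
# Placeholders: LAN interface eth1, bridge br0, Squid on 3128 running as "proxy".
# IPT="echo iptables" SYSCTL="echo sysctl" print the commands instead.
IPT=${IPT:-iptables}
SYSCTL=${SYSCTL:-sysctl}

# Routed box. Only traffic ENTERING on the LAN interface is redirected. Squid's
# own connections to origin servers are locally generated and never traverse
# PREROUTING, so they cannot loop. Redirecting browsers that run on the proxy
# host itself needs a nat/OUTPUT rule, and that rule is where the loop happens
# unless Squid's uid is exempted.
router_intercept() {
    lan_if=$1; squid_port=$2; squid_user=$3
    $IPT -t nat -A PREROUTING -i "$lan_if" -p tcp --dport 80 \
         -j REDIRECT --to-ports "$squid_port"
    $IPT -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner "$squid_user" \
         -j REDIRECT --to-ports "$squid_port"
}

# Bridge. Once eth0 and eth1 are enslaved to br0, "-i eth1" matches nothing:
# the incoming interface is br0. The physical port survives in the physdev
# match. Bridged frames reach iptables only when bridge-nf is on (br_netfilter
# loaded), and br0 needs an address for REDIRECT to deliver to.
bridge_intercept() {
    bridge=$1; lan_port=$2; squid_port=$3
    $SYSCTL -q -w net.bridge.bridge-nf-call-iptables=1
    $IPT -t nat -A PREROUTING -i "$bridge" -m physdev --physdev-in "$lan_port" \
         -p tcp --dport 80 -j REDIRECT --to-ports "$squid_port"
}

# Connections currently redirected into Squid (needs conntrack-tools): original
# tuple has dport=80, reply tuple has sport=<squid port>.
intercepted_flows() {
    conntrack -L 2>/dev/null | grep -c -- "dport=80 .*sport=$1 "
}
```

Squid itself must be told it is receiving intercepted traffic (http_port 3128 intercept, or "transparent" on the 2.x releases these posts date from); without that it treats the redirected request as a malformed proxy request and returns an error rather than looping.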
Feb 7, 2010
I have a machine with two network cards running Linux Mint 8 XFCE (which is compatible with Ubuntu Intrepid Ibex). eth0 goes out onto the network proper, has a static IP address of 10.10.10.10 and serves DHCP requests for the 10.10.10.x subnet.
eth1 is plugged into a PPPoE concentrator, and has a static address of 192.168.0.1 (I would have left it alone but pppoeconf wouldn't work unless it had an address).
ppp0 is the point-to-point over Ethernet connection that is correctly created when I run pon. I have both Guarddog and Guidedog installed but they are both disabled.
Now, the weird part: I can ping the IP number of the machine at the other end of the PPPoE connection (when it changes I can still ping the new number) and the local IPs (10.10.10.x), but *nothing* else, not even the DNS servers passed to the machine during the PPP connection, which are in the same subnet as the machine I can ping.
When I try to ping or trace the route I get an error message like: reply from 10.10.10.10: destination unreachable. There is nothing wrong with the network at the other end, as I can make an identical PPPoE connection from other machines on the network if the concentrator is plugged into the hub (a rather unsafe place for it to be) and it all just falls into place.
What seems to be happening is that the machine is treating eth0 rather than ppp0 as the Internet gateway, and passing the packets round in circles.
Jun 3, 2010
This seems to be a catch-all "... we didn't resolve your link request so we are sending you here ..." page. It lists various candidate links as alternatives to the link I was seeking. Strangely, the page often lists the exact same link that I sought in the first place. I can understand the occasional DNS lookup failure due to heavy net traffic, heavy demand for the target name server, heavy demand for a specific site link, and so on. Sadly, this happens to me at least daily and often several times every day. That hardly qualifies as "occasional" under any reasonable definition. I am in Austin, Texas, supposedly one of the US "very wired" cities. Can anyone shed light on this happening? Is there anything that I might be doing to provoke this happening? Is Time Warner DNS in general, or Austin in specific, just that bad? I've tried brief experiments with other DNS servers, but they each presented their own troubles. I suspect a loose nut in the net-admin chair.
Nov 26, 2010
I am unable to restore my iptables from iptables-save after upgrading Fedora. I cannot get iptables-restore to work, and I have resorted to entering rules manually using the GUI.
Sep 17, 2010
I am facing a strange problem with my iptables: there are some firewall entries stored somewhere which are displayed even after flushing the iptables, and when I restart the iptables service the firewall entries are again shown in my iptables, as shown below:
[root@myhome ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
[code]....
Nov 3, 2010
I recently installed a new Ubuntu PC that runs iptables and PSAD. I had the same script on another Ubuntu PC, but when I copied the script onto the new PC I got this error. I don't remember where I found the tutorial for this; all I know is that this is the script (edited for my usage):
Code:
#!/bin/bash
# Script to check important ports on remote webserver
# Copyright (c) 2009 blogama.org
# This script is licensed under GNU GPL version 2.0 or above
[code]....
Safe.txt contains:
Code:
127.0.0.1
192.168.1.8
192.168.1.1
98.200.58.73
192.168.0.1
And the error message generated is:
Code:
root@NETWORK-SERVER:/var/ddosprotect# ./ipblock.sh
' not found.4.4: host/network `127.0.0.1
Try `iptables -h' or 'iptables --help' for more information.
' not found.4.4: host/network `192.168.1.8
[code]....
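
The shape of that error message is the tell: the text after host/network is printed, then the terminal cursor jumps back to column one and "' not found." overwrites the start of the line. That is a carriage return being read from Safe.txt as part of each address, which happens when the file was last saved with Windows line endings; iptables then looks up "127.0.0.1\r" and fails. The example below is added for this page and is not the poster's script (which the page only shows in part): it strips the carriage returns, drops comments and blank lines, refuses anything that is not a dotted quad or CIDR, and only then builds the rules. The sample list it writes is constructed here to reproduce the symptom.

```bash
#!/bin/sh
# Added example (not the thread's script): read an allow-list like Safe.txt
# safely, stripping the CRs that produce "host/network `127.0.0.1\r' not found".
IPT=${IPT:-iptables}

# Constructed sample with Windows line endings, a comment, stray spaces and one
# bogus entry, written to the path given as $1.
make_sample_list() {
    printf '127.0.0.1\r\n192.168.1.8\r\n# trusted router\r\n 192.168.1.1 \r\n999.1.1.1\r\n10.0.0.0/8\r\n' > "$1"
}

# Normalise one list: remove CR, comments, surrounding whitespace, blank lines.
clean_list() {
    tr -d '\r' < "$1" \
        | sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | grep -v '^$'
}

# Accept only a dotted quad with an optional /prefix, each octet <= 255 and
# prefix <= 32; anything else must not reach iptables.
is_ipv4_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || return 1
    case $1 in */*) [ "${1#*/}" -le 32 ] || return 1 ;; esac
    ip=${1%%/*}
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Build ACCEPT rules for every valid entry; report and skip the rest.
allow_from_file() {
    clean_list "$1" | while read -r addr; do
        if is_ipv4_cidr "$addr"; then
            $IPT -A INPUT -s "$addr" -j ACCEPT
        else
            printf 'skipping bad entry: %s\n' "$addr" >&2
        fi
    done
}
```

dos2unix, or `sed -i 's/\r$//' Safe.txt`, fixes the file once; the validation stays useful because a list that is edited by hand is the usual way a typo ends up as an iptables rule.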
Jul 17, 2010
iptables produces an error during startup as well as when I try to restart it. Here's the output of:
[Code]....
Apr 16, 2011
I am running Ubuntu Server 10.10 and trying to set up iptables rules in /etc/if-up.d/iptables
Quote:
root@host# cat /etc/network/if-up.d/iptables
#!/bin/sh -e
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
The problem is that iptables doesn't get updated, and I don't see the rules when iptables -L is executed after reboot.
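
Hooks in /etc/network/if-up.d/ are executed by run-parts, which has two silent filters: the file must be executable, and its name may contain nothing but letters, digits, "-" and "_" (a ".sh" suffix or an editor backup name is skipped without any message). The check below is an added example for this page, not something from the thread; it reports why each file in the hook directory would or would not run.

```bash
#!/bin/sh
# Added example (not from the thread): find out whether a hook placed in
# /etc/network/if-up.d/ can run at all, and list what run-parts would execute.

# 0 when run-parts would execute the file: it must be executable and its name
# must consist solely of letters, digits, '-' and '_'.
runparts_eligible() {
    f=$1
    [ -f "$f" ] && [ -x "$f" ] || return 1
    case "$(basename "$f")" in
        *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Report every file in the hook directory with the reason it would be ignored.
audit_hook_dir() {
    dir=${1:-/etc/network/if-up.d}
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        if runparts_eligible "$f"; then
            echo "runs:    $f"
        elif [ ! -x "$f" ]; then
            echo "skipped: $f (not executable)"
        else
            echo "skipped: $f (name not allowed by run-parts)"
        fi
    done
}

# What run-parts itself would do, without running anything.
hook_dry_run() {
    run-parts --test "${1:-/etc/network/if-up.d}"
}
```

Even once the hook runs, two properties of the posted script work against it: if-up.d runs once per interface, so "-A" appends a duplicate of the rule every time, and "#!/bin/sh -e" aborts the whole script at the first iptables call that fails. The more robust pattern on Debian and Ubuntu is to save the working ruleset with iptables-save to a file and restore it from a "pre-up iptables-restore < /etc/iptables.rules" line in /etc/network/interfaces (or via the iptables-persistent package), which loads the rules atomically and before the interface exists, so there is no window in which the box is up without its firewall.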
Apr 28, 2009
To expand: I'm trying to set up a box with l7-filter, and I need to patch and compile iptables 1.4.1.1 as part of the process. I ./configured it with the prefix= argument so it would install into /sbin instead of /usr/sbin, and I did a yum remove iptables before installing it so as not to get in the way of the original iptables, but I'm wondering if this is really necessary - it's kind of annoying, because removing the original iptables removes the init.d script, deregisters the service, etc. If I don't, is it possible that iptables 1.4.1.1 might get overwritten in a system update or something, or will yum see that I've got a custom/newer version in there and leave it be?
Jul 10, 2010
This is an examination scenario. We have multiple users logging into a RHEL-4 server using PuTTY. These people are part of the same group. They are giving a UNIX shell script exam. They are helping each other copy the code by using redirection to /dev/pts/x. Is there any way I can stop this redirection?
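
Writing to another user's /dev/pts/N works only because a pseudo-terminal is normally created mode 620, owner rw and group "tty" write, and that group write bit is exactly what "mesg n" clears (to 600). An added example for this page, not from the thread: a check for terminals that are still writable by others and an audit over every pty on the box.

```bash
#!/bin/sh
# Added example (not from the thread): detect terminals other users can write
# to. A pty is created mode 620 (group "tty" may write); "mesg n" makes it 600,
# after which "cat code.sh > /dev/pts/N" from another account is refused.

# 0 when nobody but the owner may write to the file or terminal given as $1.
pts_is_private() {
    perm=$(stat -c '%A' "$1" 2>/dev/null) || return 1
    # %A is e.g. crw--w---- : char 6 is group write, char 9 is other write
    case "$perm" in
        ?????w*|????????w*) return 1 ;;
    esac
    return 0
}

# Report every pty on the machine that is still open to writes, with its owner.
audit_ptys() {
    for t in /dev/pts/[0-9]*; do
        [ -e "$t" ] || continue
        pts_is_private "$t" || echo "writable by others: $t ($(stat -c '%U' "$t"))"
    done
}
```

To turn this on for everyone, put "tty -s && mesg n" in /etc/profile.d/mesg.sh (or mount devpts with mode=0600 so ptys start closed). Be clear about the limit: a student who wants to receive can run "mesg y" on their own terminal, so this stops unsolicited writes and makes collusion visible to audit_ptys rather than making it impossible.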
Feb 10, 2010
Under what conditions would port redirection be useful?
Apr 28, 2011
I got a peculiar request at work, and maybe you folks can help me out. I want to rewrite the URL 'foo.com' as 'bar.com' (in the browser address bar) and still display the content of 'foo.com'.
Feb 5, 2010
Iptables manual page says:
Why doesn't it make sense for packets coming from a wireless interface?
May 7, 2010
I have set up OpenVPN for my connection. I'm using this to connect to the Internet from different locations using tunnelling.
Right now I have a few IPs: on eth0 I have the IP from my ISP, on eth0:1 I have my own IP. I set up MASQUERADE to eth0, but in this case when I try to access my restricted resources the IP address from the ISP is visible.
What I want is to use my own IP address from eth0:1. Could somebody help me build a good working redirect entry for that? I want to redirect all connections to that IP assigned on eth0:1, just to access the Internet using my IP.
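
MASQUERADE always uses the primary address of the outgoing interface, which is why the ISP address shows up; it exists for interfaces with dynamic addresses. SNAT takes an explicit --to-source and can name the secondary address on eth0:1. Below is an added example for this page, not code from the thread; tun0, 10.8.0.0/24 and 203.0.113.10 are placeholders I chose for the VPN interface, the VPN client subnet and the address on eth0:1.

```bash
#!/bin/sh
# Added example (not from the thread): give VPN clients a chosen public source
# address instead of whatever MASQUERADE picks. Placeholders: VPN subnet
# 10.8.0.0/24 on tun0, outgoing interface eth0, own address 203.0.113.10
# (configured as eth0:1). IPT="echo iptables" prints the commands instead.
IPT=${IPT:-iptables}

vpn_snat() {
    vpn_if=$1; vpn_net=$2; out_if=$3; src_ip=$4
    # SNAT names the address explicitly; the replies to it arrive at this box
    # because the address is configured locally, and conntrack reverses the
    # translation for them.
    $IPT -t nat -A POSTROUTING -s "$vpn_net" -o "$out_if" -j SNAT --to-source "$src_ip"
    $IPT -A FORWARD -i "$vpn_if" -s "$vpn_net" -o "$out_if" -j ACCEPT
    $IPT -A FORWARD -i "$out_if" -o "$vpn_if" -d "$vpn_net" \
         -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Rules are matched top to bottom. A MASQUERADE left over from the earlier
# attempt that sits above the SNAT still wins for every packet; list the chain
# with line numbers and delete it (iptables -t nat -D POSTROUTING <n>).
postrouting_order() {
    $IPT -t nat -L POSTROUTING -n -v --line-numbers
}

case "${1:-}" in
    apply) vpn_snat tun0 10.8.0.0/24 eth0 203.0.113.10 ;;
esac
```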
Nov 11, 2010
How can I add IP addresses which are multiples of 3, up to 255? That is, I want to block IP addresses going from multiples of 3 up to 255.
As an example 192.168.0.3,192.168.0.6,192.168.0.9,192.168.0.12 etc.
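
iptables has no arithmetic match, so the addresses are enumerated by the shell: 3, 6, ..., 255 is 85 entries. As an added example for this page (not from the thread) the block below generates them for the 192.168.0.x prefix in the post, once as 85 individual rules and once as a single rule over an ipset hash set, which is what a practitioner would use for a list this size because lookup cost and updates stay constant instead of growing with the chain.

```bash
#!/bin/sh
# Added example (not from the thread): DROP every address in a /24 whose last
# octet is a non-zero multiple of 3. Placeholder prefix 192.168.0.
# IPT="echo iptables" IPSET="echo ipset" print the commands instead.
IPT=${IPT:-iptables}
IPSET=${IPSET:-ipset}

# Prints 3 6 9 ... 255, one per line.
third_octets() {
    n=3
    while [ "$n" -le 255 ]; do
        echo "$n"
        n=$((n + 3))
    done
}

# Straightforward version: one rule per address (85 rules, evaluated linearly).
block_multiples_of_three_rules() {
    prefix=$1
    for o in $(third_octets); do
        $IPT -A INPUT -s "$prefix.$o" -j DROP
    done
}

# Same policy with a hash set and one rule; -exist keeps it idempotent.
block_multiples_of_three_ipset() {
    prefix=$1; setname=${2:-mult3}
    $IPSET create "$setname" hash:ip -exist
    for o in $(third_octets); do
        $IPSET add "$setname" "$prefix.$o" -exist
    done
    $IPT -A INPUT -m set --match-set "$setname" src -j DROP
}
```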
Mar 2, 2010
How do I allow a specific hostname with specific ports in iptables?
Apr 24, 2011
We are stuck big time with IP forwarding, where we have to use iptables. Any advice will be appreciated.
Setup
Machine A --> Machine B -->Machine C
- Machine A connects with Machine B on "internal network"
- Machine B has 2 NIC (and two IP address) , one connected to Machine A (internal network) and one connected to Machine C (External Network)
We need all traffic coming from Machine A which flows to Machine B on port 60 to be directed/forwarded to Machine C (port 60).
We are not allowed to configure Machine B as a gateway. Things work with the rinetd program when we do a TCP redirect from Machine B port 60 to Machine C (port 60).
But we are just unable to make it work with iptables rules. We tried the following, but in vain:
iptables -t nat -A PREROUTING -s Machine_A -d Machine_C -p tcp --dport 60 -j DNAT --to-destination Machine_C .6:60
/sbin/iptables -A FORWARD -i Machine_B -o Machine_C -p tcp --dport 60 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
Any valued inputs?
Jul 26, 2010
The PC needs to download a file from an Internet FTP server, but can't now. How do I set up iptables?
iptables modules:
[root@ad ~]# lsmod |grep ip
ip_nat_ftp 7361 0
ip_conntrack_ftp 11569 1 ip_nat_ftp
[code]....
Dec 13, 2010
I have 2 Linux boxes, one acting as a router with a direct connection to the Internet, the second as a server using the first box as a gateway to the Internet. I need to forward requests that I get from the outside on port 8400 to my internal server box at 192.168.0.7:8400
Router IP 192.168.0.5
Server IP 192.168.0.7
iptables -t nat -A PREROUTING -p tcp -d [internet ip] --dport 8400 -j DNAT
[code]...
These rules are on the router (192.168.0.5). I've been trying to find a solution for hours with no success. Basically the problem is I can forward ports on the same box but not to a different IP.
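
Five posts on this page (the client-to-remote redirect at the top, Server 2 forwarding to Server 1, x.x.250.5:8080 to the NAS, Machine B to Machine C on port 60, and this router forwarding 8400) ask for the same thing and quote the same piece of it: the DNAT rule. What is missing from the quoted rulesets is one or more of forwarding being enabled, a FORWARD rule matching the post-NAT destination (FORWARD runs after DNAT), the DNAT matching the address the packet actually carries (the NAT box's own, not Machine C's), and a source NAT for targets whose replies would not otherwise come back through the NAT box (Server 1 replying via its own default gateway; Machine B not being A's or C's gateway). The first post's second rule, a DNAT for the reverse direction, is not needed: conntrack reverses the translation on replies. The example below is added for this page and is not code from any of the threads; eth0/eth1, 203.0.113.5, 192.168.1.1 and 192.168.1.100 are placeholders I chose, and with IPT="echo iptables" SYSCTL="echo sysctl" the functions print their commands instead of applying them.

```bash
#!/bin/sh
# Added example (not from the threads): port forwarding with iptables DNAT and
# the pieces usually missing around it. Placeholders: WAN eth0 / 203.0.113.5,
# LAN eth1 / 192.168.1.1, target 192.168.1.100.
IPT=${IPT:-iptables}
SYSCTL=${SYSCTL:-sysctl}

port_forward() {
    wan_if=$1; wan_ip=$2; pub_port=$3; dst=$4; dst_port=$5
    # Without forwarding, anything not addressed to the box itself is dropped.
    $SYSCTL -q -w net.ipv4.ip_forward=1
    # 1. Rewrite the destination on arrival. Match the address the packet really
    #    carries (the router's own), not the internal host.
    $IPT -t nat -A PREROUTING -i "$wan_if" -p tcp -d "$wan_ip" --dport "$pub_port" \
         -j DNAT --to-destination "$dst:$dst_port"
    # 2. filter/FORWARD is evaluated after DNAT, so it sees the NEW destination
    #    address and port; allow exactly that flow.
    $IPT -A FORWARD -i "$wan_if" -p tcp -d "$dst" --dport "$dst_port" \
         -m conntrack --ctstate NEW -j ACCEPT
    # 3. Replies are un-translated by conntrack; no reverse DNAT rule exists or
    #    is needed, only permission for the established flow.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# If the target does not send its replies back through this box (its default
# gateway is another router, or this box is deliberately not its gateway),
# the reply leaves un-NATed and the client times out. Source-NAT the forwarded
# flow so the target answers to this box. The price is that the target logs
# this box's address instead of the real client's.
port_forward_snat() {
    lan_if=$1; lan_ip=$2; dst=$3; dst_port=$4
    $IPT -t nat -A POSTROUTING -o "$lan_if" -p tcp -d "$dst" --dport "$dst_port" \
         -j SNAT --to-source "$lan_ip"
}

# Sending everything one LAN client emits to a remote Internet host is the same
# three steps; the return path needs masquerading because the remote host
# cannot route to a private client address.
redirect_client_to_remote() {
    lan_if=$1; client=$2; wan_if=$3; remote=$4
    $SYSCTL -q -w net.ipv4.ip_forward=1
    $IPT -t nat -A PREROUTING -i "$lan_if" -s "$client" -j DNAT --to-destination "$remote"
    $IPT -A FORWARD -i "$lan_if" -s "$client" -d "$remote" -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$wan_if" -s "$client" -j MASQUERADE
}

# Show that a flow was translated in both directions (needs conntrack-tools):
# a healthy entry is not marked [UNREPLIED].
show_translations() {
    conntrack -L 2>/dev/null | grep -- "dport=$1 "
}

case "${1:-}" in
    forward) port_forward eth0 203.0.113.5 8080 192.168.1.100 80 ;;
    snat)    port_forward_snat eth1 192.168.1.1 192.168.1.100 80 ;;
esac
```

The SNAT variant is the one for the Server 2 and Machine B cases; for the NAS and the 8400 server, whose default gateway is the router, the plain port_forward is enough, and an [UNREPLIED] entry in show_translations is the quickest way to tell which case you are in.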