Re: iptables port forwarding?
On Sun, Feb 17, 2002 at 06:55:08PM -0500, Rick Pasotto wrote:
> On Sun, Feb 17, 2002 at 03:43:25AM -0800, Jeremy T. Bouse wrote:
> > On Sun, Feb 17, 2002 at 12:37:08AM -0500, Rick Pasotto wrote:
> > > How do I port forward with iptables? With ipchains the command was:
> > >
> > > ipmasqadm portfw -a -P tcp -L $extip $port -R $intip $port
> > iptables -t nat -A PREROUTING -p tcp -s <SRC_IP> -d <EXT_IP>
> > --destination-port <PORT> -j DNAT --to-destination <INT_IP>:<PORT>
> iptables -t nat -A PREROUTING -p tcp -s 188.8.131.52 -d 192.168.0.1
> --destination-port 2047 -j DNAT --to-destination 192.168.0.5:2047
Okay, this states it will only port forward if the packet is
being sent from 184.108.40.206 destined for 192.168.0.1, then redirect it
If I understand your intent I'm assuming 220.127.116.11 is your
external public IP and you want any connection attempt to port 2047/tcp
to go to 192.168.0.5 on the same port... In that case I would use:
iptables -t nat -A PREROUTING -p tcp -s 0/0 -d 18.104.22.168 \
--destination-port 2047 -j DNAT --to-destination 192.168.0.5
Assuming that 192.168.0.1 is the internal IP on the same box
that has the external IP 22.214.171.124... If this isn't correct you'd be
welcome to contact me privately and I can try helping you out... I have
5 static public addresses that I NAT into my network using private
IPs with a rather extensive set of rules...
> When I activate the program on the windows box (192.168.0.5) tcpdump
> reports lots of hits on eth0 port 2047 but nothing on eth1 port 2047
> and the program doesn't respond like it should.
> What am I misunderstanding? Does it matter whether the SNAT (to do
> masquerading) or the DNAT rule comes first?
Doesn't matter whether SNAT/Masq comes before DNAT as far as I
am aware as DNAT is done PREROUTING and SNAT/Masq is done POSTROUTING...
In this case remember that DNAT rules will be tried before it has
applied any SNAT/Masq rules... The only order to keep in mind is that
the rules on each table are checked in the order they are added to the
chain... It will match the first rule it encounters so that order is
> Also, how do you list the nat chains? 'iptables -L' only lists the
> filter chains.
If you do a 'iptables -t nat -L' you can list the NAT tables...
'iptables -L' is the same as 'iptables -t filter -L' which is only the
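The DNAT rule from the reply, as an added worked example that is not part of the thread: a small generator that emits the PREROUTING DNAT rule together with the FORWARD-chain rules the rewritten packets still have to pass on a box whose FORWARD policy is restrictive (that policy, the public address 203.0.113.10 and the use of `--dport` are assumptions; the internal host 192.168.0.5 and port 2047 come from the thread). It only prints the commands, so it can be reviewed before being piped into sh on the NAT box.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Emits the iptables rules that forward one TCP port from the box's public
# address to an internal host. Nothing here touches the kernel; pipe the
# output into sh on the NAT box once reviewed.
gen_portfw_rules() {
    ext_ip=$1; int_ip=$2; port=$3
    # DNAT lives in the nat table's PREROUTING chain: the destination is
    # rewritten before the routing decision, so the packet is then routed
    # towards the inside interface. Rules are checked in chain order, so
    # this one must not be shadowed by an earlier, broader nat rule.
    printf 'iptables -t nat -A PREROUTING -p tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$ext_ip" "$port" "$int_ip" "$port"
    # After DNAT the packet still traverses the filter table's FORWARD chain
    # (assumption: its policy is DROP). Accept only the forwarded service,
    # only towards the internal host, and replies only for tracked connections.
    printf 'iptables -A FORWARD -p tcp -d %s --dport %s -m state --state NEW,ESTABLISHED -j ACCEPT\n' \
        "$int_ip" "$port"
    printf 'iptables -A FORWARD -p tcp -s %s --sport %s -m state --state ESTABLISHED -j ACCEPT\n' \
        "$int_ip" "$port"
}

# Commands to verify the result: the nat table is listed with -t nat
# (plain iptables -L shows only the filter table); -n avoids DNS lookups,
# -v shows per-rule packet counters so a zero-count DNAT rule is easy to spot.
# Forwarding must also be enabled in the kernel or DNATed packets go nowhere.
gen_check_cmds() {
    printf 'iptables -t nat -L PREROUTING -n -v\n'
    printf 'iptables -L FORWARD -n -v\n'
    printf 'cat /proc/sys/net/ipv4/ip_forward\n'
}

# Placeholder public address (RFC 5737 documentation range), thread's host/port.
gen_portfw_rules 203.0.113.10 192.168.0.5 2047
gen_check_cmds
```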