
I'm trying to redirect the TCP connections of a port multiple times to other ports. I tried this before, but it didn't work:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 60000 -j REDIRECT --to-port 60001
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 60001 -j REDIRECT --to-port 60002

I'm trying to get port 6000 to redirect tcp connections to port 60001, then port 60001 will redirect the connection to port 60002.

X -> Y -> Z

What can I do?

ceejayoz
  • I know there must be a reason, but can you tell why you don't redirect 6000 to 6002 directly? And maybe something about the use case? – Eduardo Trápani Jun 03 '20 at 04:41
  • @EduardoTrápani I will mitigate bot attacks: 60000 -> 60001 (mitigate) -> 60002 (game server) – Gabriel Jun 03 '20 at 04:54
  • In what is this question different from https://serverfault.com/questions/1019744/im-trying-to-redirect-some-ports-with-iptables ? – A.B Jun 03 '20 at 05:07
  • So for the 3rd time I write again the same comment: On Linux you cannot NAT (redirect) with conntrack a flow that is already redirected with conntrack. I would write an answer to tell "no" (and give the technical reason) but I'm not sure that will help. – A.B Jun 03 '20 at 05:08
  • @A.B the hit count on that question doesn't exist; this question is more elaborate and easier to understand my difficulty. How can I redirect 1 port multiple times like X -> Y -> Z? – Gabriel Jun 03 '20 at 05:39
  • Check this: http://xyproblem.info/ , https://meta.stackexchange.com/questions/66377/what-is-the-xy-problem – A.B Jun 03 '20 at 05:58
  • Please do not blank your questions out when solved. – ceejayoz Jun 04 '20 at 15:50
  • Please don't make more work for other people by vandalizing your posts. By posting on the Stack Exchange (SE) network, you've granted a non-revocable right, under the [CC BY-SA 4.0 license](https://creativecommons.org/licenses/by-sa/4.0) for SE to distribute that content. By SE policy, any vandalism will be reverted. If you want to know more about deleting a post, consider taking a look at: [How does deleting work](https://meta.stackexchange.com/q/5221/295232)? – Glorfindel Jun 12 '20 at 19:30

2 Answers

Your mitigation step needs to forward the connection to your game server itself; you cannot do this with iptables.

Tero Kilkanen

You cannot match the same packet twice with different DNAT rules. But you can make the whole structure more complicated and thus more flexible.

You can create a chain for each destination port you want to handle:

iptables -t nat -N port60000
iptables -t nat -N port60001

If you match a packet you do not send it to the DNAT target but to the respective chain:

iptables -t nat -A PREROUTING -p tcp --dport 60000 -j port60000
iptables -t nat -A PREROUTING -p tcp --dport 60001 -j port60001

In the original state the chains do the same as the old commands, just a bit more slowly...

iptables -t nat -A port60000 -p tcp -j DNAT --to-destination :60001
iptables -t nat -A port60001 -p tcp -j DNAT --to-destination :60002

If you want to change 60000 => 60001 to 60000 => 60002 then you can change the content of port60000:

iptables -t nat -A port60000 -p tcp -j port60001
iptables -t nat -D port60000 -p tcp -j DNAT --to-destination :60001

But that this is possible does not mean that this is better than recreating the rules after a change.

Hauke Laging