6

I have a few port forward rules like this

iptables -t nat -A PREROUTING -p tcp --dport 46000 -j DNAT --to-destination 172.16.8.2:46000
iptables -A FORWARD -p tcp -d 172.16.8.2 --dport 46000 -j ACCEPT

I wonder if there is a way to add new forward rules in one line instead of two so I don't have to enter the same data twice. I mean rules like this:

  1. In nat PREROUTING forward packet to destination and mark it
  2. In filter FORWARD allow all packets that were marked using rule 1

Is it possible?

Poma
  • 1,299
  • 6
  • 24
  • 35

1 Answers1

4

It is not possible to get this done with only one command per DNAT – unless... see below. But it is possible to enter the data just once.

Let's define the mark range 1024–2047 for connections which get DNATted and forwarded.

One line with each DNAT match condition in mangle:

iptables -t mangle -A PREROUTING -p tcp --dport 46000 -j MARK --set-mark 0x400
iptables -t mangle -A PREROUTING -p tcp --dport 46001 -j MARK --set-mark 0x401
iptables -t mangle -A PREROUTING -p tcp --dport 46002 -j MARK --set-mark 0x402

One command for each in nat:

iptables -t nat -A PREROUTING -m mark --mark 0x400 -j DNAT \
  --to-destination 172.16.8.2:46000
iptables -t nat -A PREROUTING -m mark --mark 0x401 -j DNAT \
  --to-destination 172.16.8.2:46001
iptables -t nat -A PREROUTING -m mark --mark 0x402 -j DNAT \
  --to-destination 172.16.8.2:46002

One command for all in filter:

iptables -A FORWARD -m mark --mark 0x400/0x400 -j ACCEPT

BTW: There is no need to give the destination port for -j DNAT if it is not changed.

Edit 1:

You can do that if you do without allowing the connections explicitly, if you are fine with allowing everything that has been DNATted. In that case you would stick to your

iptables -t nat -A PREROUTING -p tcp --dport 46000 -j DNAT --to-destination 172.16.8.2:46000

but have only one FORWARD rule for all:

iptables -A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
Hauke Laging
  • 5,285
  • 2
  • 24
  • 40
  • That's still 2 commands for each port, one in mangle and one in nat – Poma Jun 07 '13 at 15:10
  • @Poma That's correct and when I realized that I was going to write a different answer ("It's not possible"). But then I also noticed that you did not only ask for a one command solution (which is impossible according to my understanding) but also for "not entering the data twice". And at least that is the case with my solution. – Hauke Laging Jun 07 '13 at 15:16
  • @Poma See the edit: There is a one command solution which is not equivalent but similar to your original rule set. – Hauke Laging Jun 07 '13 at 15:34
  • yes that's just what I need – Poma Jun 07 '13 at 15:38
  • How to set mark by the hostname? – cold_coder Jan 09 '17 at 15:37
  • Could I do the same with UDP? I'm trying a similar solution but the packets do not arrive to the nat table. – kato2 Jul 08 '21 at 09:09
  • @kato2 UDP packets certainly go through the nat table. Maybe you used PREROUTING where you would have needed OUTPUT. – Hauke Laging Jul 08 '21 at 13:43
  • @HaukeLaging you might be right, however adding this rule after the current ones, solved the issue iptables -t mangle -A PREROUTING -p udp --dport 46000 -j CONNMARK --save-mark – kato2 Jul 09 '21 at 14:59