
I have been searching the internet for an answer all morning, but I can't get it to work. If you can help me, I would be grateful.

My setup:

server: eth1: 192.168.6.2 (connected to the internet -> WAN), eth0: 192.168.0.1 (LAN)

local computer: running a service on port 8848, on IP number 192.168.0.3

Everything is shut tight with iptables so that people in the building cannot access the local LAN (192.168.0.x), and the LAN uses the internet via eth1:

### Set Variables
IPTABLES='/sbin/iptables -v'
WAN='eth1'
LAN='eth0'

#EXTERNAL_INTERFACE=WAN
#EXTERNAL_IP=WAN_IP
WAN_IP=$( ifconfig $WAN | grep 'inet[^6]' | sed 's/[a-zA-Z:]//g' | awk '{print $1}' )
LAN_IP=$( ifconfig $LAN | grep 'inet[^6]' | sed 's/[a-zA-Z:]//g' | awk '{print $1}' )
echo '########################################################## NAT config WAN <=> LAN #'
# Hide the LAN behind the WAN address for everything leaving eth1
$IPTABLES -t nat --append POSTROUTING --out-interface $WAN --jump MASQUERADE
# Only replies to LAN-initiated connections may come back in from the WAN
$IPTABLES --append FORWARD --in-interface $WAN --out-interface $LAN -m state --state RELATED,ESTABLISHED --jump ACCEPT
# The LAN may open anything towards the WAN
$IPTABLES --append FORWARD --in-interface $LAN --out-interface $WAN --jump ACCEPT

echo '############################### Allow unlimited traffic on the loopback interface #'
$IPTABLES --append INPUT  --in-interface  lo   --jump ACCEPT
$IPTABLES --append OUTPUT --out-interface lo   --jump ACCEPT
# The server itself fully trusts the LAN side (eth0)
$IPTABLES --append INPUT  --in-interface  $LAN --jump ACCEPT
$IPTABLES --append OUTPUT --out-interface $LAN --jump ACCEPT

echo '################################################ Allow unlimited outbound traffic #'
# Previously initiated and accepted exchanges bypass rule checking
$IPTABLES --append INPUT  -m state --state ESTABLISHED,RELATED     --jump ACCEPT
$IPTABLES --append OUTPUT -m state --state NEW,ESTABLISHED,RELATED --jump ACCEPT

The server (LAN 192.168.0.1 and WAN 192.168.6.2) runs Apache; opening that one up for the WAN works fine (tested), and I can access websites by connecting to 192.168.6.2 from an IP number in the range 192.168.6.x:

$IPTABLES --append INPUT --proto tcp --source 0/0 --dport  80 -m state --state NEW --jump ACCEPT

So I opened port 8848 first:

$IPTABLES --append INPUT --proto tcp --source 0/0 --dport 8848 -m state --state NEW --jump ACCEPT

Then I get stuck. I have tried everything, but I can't find the solution to access the service on port 8848 on 192.168.0.3 via 192.168.6.2 (commands containing FORWARD, PREROUTING, POSTROUTING, MASQUERADE, DNAT, nat).

Can you help me?

[edit] To complete the whole bash script: after setting the LAN and WAN variables I clean up with:

echo '####################################################################### clear all #'
$IPTABLES --flush
$IPTABLES --delete-chain
for TABLE in filter nat mangle; do
    $IPTABLES --table $TABLE --flush        # delete the table's rules
    $IPTABLES --table $TABLE --delete-chain # delete the table's chains
    $IPTABLES --table $TABLE --zero         # zero the table's counters
done

And I end my bash script with:

echo '############################################################ Set default policies #'
$IPTABLES --policy INPUT   DROP
$IPTABLES --policy OUTPUT  DROP
$IPTABLES --policy FORWARD ACCEPT

echo '########################### Have these rules take effect when iptables is started #'
/sbin/service iptables save
/sbin/service iptables restart

[ANSWER / SOLUTION]

With thanks to this page I have finally got it working robustly:

echo '################################################################# Port forwarding #'
FROM_PORT='8848'
TO_PORT='8848'
TO_IP='192.168.0.3'

# Rewrite the destination of connections arriving for WAN_IP:FROM_PORT to the LAN host
$IPTABLES -t nat -A PREROUTING  -p tcp -d $WAN_IP --dport $FROM_PORT -j DNAT --to-destination $TO_IP:$TO_PORT
# Rewrite the source so replies go back through this router (the service then sees WAN_IP, not the client address)
$IPTABLES -t nat -A POSTROUTING -p tcp -d $TO_IP  --dport $TO_PORT   -j SNAT --to-source $WAN_IP
Ace T

1 Answer

Try this:

/sbin/iptables -t nat -I PREROUTING -i eth1 -d 192.168.6.2 -p tcp --dport 8848 -j DNAT --to-destination 192.168.0.3:8848

Now you can access 192.168.6.2:8848 and packets will be sent/NATed to 192.168.0.3 on the same port.

Copche
  • Thank you @Copche for answering, I tried this, no joy. Also locally (192.168.0.x) I can see the service via: https://192.168.0.3:8848/ – Ace T Dec 22 '15 at 11:21
  • But you made me think of something else! I tested if I could connect to 192.168.0.3:8848 via another computer in the LAN, and the conclusion was that Windows Firewall blocked external connections!! Thank you, it works now, with just your single line!! – Ace T Dec 22 '15 at 11:40
  • You would be my hero if you could tell me how to do the same but also from another port (let's say 5432 WAN) to 8848 LAN – Ace T Dec 22 '15 at 14:09
  • For your 2nd example, use `/sbin/iptables -t nat -I PREROUTING -i eth1 -d 192.168.6.2 -p tcp --dport 5432 -j DNAT --to-destination 192.168.0.3:8848` and change ports/IPs as needed. – Joel C Dec 22 '15 at 17:30
  • Thank you @joel-c and copche for helping me out. Now the weird thing.. reloaded my bash script.. and now it does not work any more?? Was there something lingering from a previous test? Are you both sure this single line should be enough? – Ace T Dec 22 '15 at 21:08
  • Should I be doing some POSTROUTING also? I found this (won't work either though): `FROM_PORT='8848' TO_PORT='8848' TO_IP='192.168.0.3' $IPTABLES -t nat -A PREROUTING -i $WAN -d $WAN_IP -p tcp --dport $FROM_PORT -j DNAT --to-destination $TO_IP:$TO_PORT $IPTABLES -t nat -A POSTROUTING -p tcp -d $TO_IP --dport $TO_PORT -j SNAT --to-source $WAN_IP` – Ace T Dec 22 '15 at 21:25
  • I have figured it out! I'll work out the answer in the question section (it gives me more options for formatting). Thank you both for your time – Ace T Dec 23 '15 at 13:39
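The DNAT rule from the answer and the DNAT+SNAT pair from the poster's final solution, put together as an added example (not code from the question or the answer). It assumes the poster's layout (WAN eth1/192.168.6.2, LAN eth0/192.168.0.0/24, service on 192.168.0.3) and adds two things the thread leaves implicit: an explicit FORWARD rule so the forward also works if the FORWARD policy is DROP instead of ACCEPT, and SNAT restricted to LAN-originated (hairpin) connections so that the service still logs the real address of WAN clients. Setting `IPTABLES=echo` prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not the poster's script: emits the iptables rules that
# forward WAN_IP:FROM_PORT to TO_IP:TO_PORT with the narrowest match that
# still works. Setting IPTABLES=echo turns it into a dry run.
IPTABLES="${IPTABLES:-/sbin/iptables}"

is_port() {            # digits only, 1-65535
    case "$1" in ''|*[!0-9]*) return 1;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

is_ipv4() {            # four dotted decimal octets, each 0-255
    ( IFS=.; set -- $1
      [ $# -eq 4 ] || exit 1
      for o in "$@"; do
          case "$o" in ''|*[!0-9]*) exit 1;; esac
          [ "$o" -le 255 ] || exit 1
      done )
}

# port_forward WAN_IF WAN_IP FROM_PORT LAN_IF LAN_NET TO_IP TO_PORT
port_forward() {
    wan_if=$1 wan_ip=$2 from_port=$3 lan_if=$4 lan_net=$5 to_ip=$6 to_port=$7
    is_port "$from_port" && is_port "$to_port" || return 2
    is_ipv4 "$wan_ip" && is_ipv4 "$to_ip" || return 2

    # 1. DNAT only what really arrives on the WAN interface for the WAN
    #    address (the -i eth1 -d 192.168.6.2 form from the answer).
    $IPTABLES -t nat -A PREROUTING -i "$wan_if" -d "$wan_ip" -p tcp \
        --dport "$from_port" -j DNAT --to-destination "$to_ip:$to_port"

    # 2. The poster's FORWARD policy is ACCEPT. With a DROP policy the
    #    WAN->LAN RELATED,ESTABLISHED rule would drop the DNATed SYN, so
    #    admit NEW connections to exactly this target and nothing else.
    $IPTABLES -A FORWARD -i "$wan_if" -o "$lan_if" -p tcp -d "$to_ip" \
        --dport "$to_port" -m state --state NEW -j ACCEPT

    # 3. Hairpin: LAN clients that use the WAN address also need the DNAT,
    #    plus SNAT so the reply returns through the router instead of going
    #    straight back to the client, which would reset the connection.
    #    Limiting SNAT to LAN sources keeps the real client address of WAN
    #    connections visible in the service's logs.
    $IPTABLES -t nat -A PREROUTING -i "$lan_if" -s "$lan_net" -d "$wan_ip" \
        -p tcp --dport "$from_port" -j DNAT --to-destination "$to_ip:$to_port"
    $IPTABLES -t nat -A POSTROUTING -o "$lan_if" -s "$lan_net" -d "$to_ip" \
        -p tcp --dport "$to_port" -j SNAT --to-source "$wan_ip"
}
```

Run it as `port_forward eth1 192.168.6.2 5432 eth0 192.168.0.0/24 192.168.0.3 8848` for the WAN-5432-to-LAN-8848 case asked about in the comments; the host firewall on 192.168.0.3 must still allow the connection, as the poster found.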