I realize this is an old thread. But seeing as there's little information about this to be found, I thought I should update this unresolved thread with my findings. Apparently the source address of a package is set before the fwmark routing table is looked up. Packages sent out on a non-default interface (based on fwmark) will thus have the source address of the default interface.
I'm trying to redirect all local connections whose destination matches port 22 to a specified tunnel using iptables MARK, but something is going wrong.
1.1.1.1 my public address
1.2.3.4 my local tunnel address
Here are the configs:
# ip rule show
1: from all fwmark 0x14 lookup 20
# ip route show table 20
default via 1.2.3.4 dev tun0
And I have created the following rules on iptables:
iptables
Here is the setup.
Hi! I'm trying to set up internet on my Ubuntu 10.04 with 2 internet channels. I want to send all tcp packets through interface eth0 (isp1) and all udp packets through interface eth1 (isp2).
If I forward port 5764 to port 80 to my VOIP device, I can nmap and get a proper connection. If I forward port 5764 to port 22 to my server, it comes up filtered. It even happens if I try forwarding port 80 to my server. So I'm sure it has something to do with my server, but I'm not sure.
Here's my Linksys iptables:
Code:
:wanin - [0:0]
I have a kippo honeypot set up on our local network, and our DMZ uses:
sysctl net.ipv4.ip_forward=1
ldconfig
iptables -t nat -A PREROUTING -p tcp -s $ATTACKER_IP --dport 22 -j DNAT --to-destination 192.168.1.200:2222
iptables -t nat -A POSTROUTING -j MASQUERADE
There is also a port forward on the router so port 2222 can be hit from outside the network.
I migrated an ejabberd server to a VM with only a private IP.
I've got a small network, two interfaces, eth1 (local, internal range 192.168.150.0/24) and eth0 (external, static IP).
I wish to set up NAT forwarding for the internal network but allow them to only connect to an external server 209.60.x.x and reject connections to all other external IPs.
How do I only allow forwarding/NAT to IP 209.60.x.x?
I have a basic setup that requires the following
Client -> iptables DNAT -> Server using udp messaging:
The configuration I have on my client is: (my server is 172.33.1.30)
ifconfig eth0:1 172.32.1.10 netmask 255.255.0.0
ifconfig eth1 172.33.1.10 netmask 255.255.0.0
iptables -t nat -A PREROUTING -p udp -i eth0 -d 172.32.1.10 --dport 1001 -j DNAT --to 172.33.1.30
iptables -A FORWARD -p udp -i et