Problem with iptables

**the-phoenix61** · April 14th, 2016

Hi all, i have testing my firewall but have a problem with redrect traffic

How do i redirect traffic from my wan ip to my local ip ?

Let say my lan ip is 192.168.1.77
Then i have iptables -t nat -A POSTROUTING -s 192.168.1.77 -j MASQUERADE
Now i want to redirect traffic from my WAB to my Lan ip

iptables -t nat -A PREROUTING -d WANIP -p tcp --dport <port> -j DNAT --to-dest 192.168.1.77:80
iptables -t nat -A POSTROUTING -d WANIP -p tcp --dport <port> -j SNAT --to-source 192.168.1.77:80

But i can`t get it working .. Also port redirect is not working
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

Earlier i has configure a firewall on another machine and thats working good but the redirect traffic rules
are a diffecult problem for me when i just begin with it, can`t get it working..

Any one have a full workinf iptable rule and a good example how to work ? Thx..

**SeijiSensei** · April 14th, 2016

iptables -t nat -A PREROUTING -d WANIP -p tcp --dport <port> -j DNAT --to-dest 192.168.1.77:80

If "WANIP" refers to an environment variable, it needs to be preceded with a dollar sign: $WANIP. I take it you have a real port number for <port>.

Is the REDIRECT rule actually doubled like that in the ruleset, or is that just a typo?

Does the default gateway on 192.168.1.77 point to the box where the iptables ruleset runs? Usually these kinds of rules only work well when they are on a gateway router.

**the-phoenix61** · April 18th, 2016

First i wand try the the local adress to redirect port 80 to 8080 for the webserver for example..
Local adres is 192.168.1.77 gate way modem is 192.168.1.254

Just for testing

iptables -A FORWARD -m state -p tcp -d 192.168.1.77 --dport 80 --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state -p tcp -d 192.168.1.77 --dport 8080 --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables- A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

iptables-restore /etc/iptables/myrules

ufw reload

When i connect with apache2 to 192.168.1.77:8080 i have connection refused ..

But i realy can`t get it working, see a lot of video s but the simple ecample config just don`t works.. Plz Help .. Thx

**SeijiSensei** · April 19th, 2016

Did you enable packet forwarding in /etc/sysctl.conf? By default Ubuntu will not forward packets across interfaces. Remove the hash mark from the beginning of the line

Code:

net.ipv4.ip_forward=1

in sysctl.conf and reboot.

**the-phoenix61** · April 20th, 2016

Hi
I have allrady ipforwadr is 1 in sysconfig and also net.ipv4.conf.all.accept_redirects = 1
i have a webserver on port 80 and test it with the links brouwser but port red ( links 192.168.1.77:8888 or port 7777 are not working.
This are my iptables rules in /etc/iptables/myrules

I test it from example point 24 portforwarding
http://www.thegeekstuff.com/2011/06/...ules-examples/

# Generated by iptables-save v1.4.21 on Wed Apr 20 01:39:41 2016
*nat

REROUTING ACCEPT [2:120]
:INPUT ACCEPT [2:120]
:OUTPUT ACCEPT [6:438]

OSTROUTING ACCEPT [6:438]
-A PREROUTING -d 192.168.1.77 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.77:7777
COMMIT
# Completed on Wed Apr 20 01:39:41 2016
# Generated by iptables-save v1.4.21 on Wed Apr 20 01:39:41 2016
*filter
:INPUT ACCEPT [87:10128]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [92:14581]
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 8080 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 7777 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 7777 -m state --state ESTABLISHED -j ACCEPT

COMMIT

links 192.168.1.77:80 ok connect but
links 192.168.1.77:8080 and links 192.168.1.77:7777 both connection refused.

It realy drives my crazy why it is not working on linux mint 17 and i have uninstall ufw fire wall command and have only iptables..
Please help me to get it working .. thx.

**SeijiSensei** · April 20th, 2016

-A PREROUTING -d 192.168.1.77 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.77:7777

Are you trying to reroute packets intended for port 80 to port 7777 on the same machine? If so, use the REDIRECT target instead:

Code:

-A PREROUTING -d 192.168.1.77 -p tcp -m tcp --dport 80 -j REDIRECT --to-port 7777

That sends packets arriving on port 80 of 192.168.1.77 to port 7777 on the localhost interface, 127.0.0.1. Give that a try.

**the-phoenix61** · April 21st, 2016

hi,
i have try to edit the rul but its not working
Then i have see a video from ytube to red the ports and i have tested on the linux mint but conn 192.168.1.77:80 works but port 8080 refused..

https://www.youtube.com/watch?v=Fq2FwaT9yRQ

Now i am lost and just can`t getting it work after see all information, these aer my ip tables , please hellp me .. thx

# Generated by iptables-save v1.4.21 on Wed Apr 20 21:18:36 2016
*filter
:INPUT ACCEPT [1:60]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [21:3459]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
# Completed on Wed Apr 20 21:18:36 2016
# Generated by iptables-save v1.4.21 on Wed Apr 20 21:18:36 2016
*nat

REROUTING ACCEPT [41:2670]
:INPUT ACCEPT [41:2670]
:OUTPUT ACCEPT [148:10672]

OSTROUTING ACCEPT [53:3686]
-A POSTROUTING -o eth0 -j MASQUERADE
-A FORWARD -i eth0 -m state --state RELATED. ESTABLISHED -j ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport80 -j DNAT --to-destination 192.168.1.77:8080
-A FORWARD -d 192.168.1.77 -i eth0 -t tcp -m tcp --dport 8080 accept
-A FORWARD -d 192.168.1.77 -i eth0 -t tcp -m tcp --dport 80 accept
COMMIT
# Completed on Wed Apr 20 21:18:36 2016

Can you past me the correct tables to get it working and is ther somting with host i get also
no route to host and i have setup static network. Thx

If i want to save it must i use iptables-restore < /etc/iptables/myrules or iptables-save /etc.iptables/myrules ?

**SeijiSensei** · April 21st, 2016

You didn't change the PREROUTING rule to use REDIRECT as I suggested. Did you try that or not? Also I assume there is really a space in the actual rule rather than "dport80".

Are you sure there is something listening on 8080? Try "telnet 192.168.1.77 8080". Does the server reply or does it time out?

**the-phoenix61** · April 22nd, 2016

Good news, i got the message try to connected on 192.168.1.77:8080 and it stay`s but i am not in. When i google further i found that
it was connected on my wanip:8080 so it works only with the WAN ip on port 8080 but not on the LAN ip 192.168.1.77:8080
I have try also the ip replace for 127.0.0.1 but the problem "no route to host" exist and i wanna find the reason for this problem.
I try to get the ip 192.168.1.0 in the forward rule because i think that is the problem, i try to fix it but no luck

iproute -I INPUT -s 192.168.0.1 -j ACCEPT
iproute -I FORWARD -s 192.168.0.1 -j ACCEPT

route -n

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.1.254 0.0.0.0 UG 0 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 1 0 0 eth0

Thx for advise