Forward ports with iptables NAT rules?


I'm trying to forward ports with iptables NAT rules, but it doesn't seem to work.



Example picture



So I want traffic from NAT#1 in a specific port range to go to a specific server in a server group, and traffic from NAT#2 to another server group.



I have to use the "NAT server" 192.168.1.10 as SNAT otherwise the FW will drop the traffic.



I've tried the following on the "NAT server":



Example A - NAT#1 port 4000 to Server Group A

sudo iptables -t nat -A PREROUTING -p tcp -d 192.168.1.20 --dport 4000 -j DNAT --to-destination 192.168.1.100
sudo iptables -t nat -A POSTROUTING -s 192.168.1.100 -j SNAT --to 192.168.1.10

Example B - NAT#2 port 5000 to Server Group B

sudo iptables -t nat -A PREROUTING -p tcp -d 192.168.1.30 --dport 5000 -j DNAT --to-destination 192.168.1.201
sudo iptables -t nat -A POSTROUTING -s 192.168.1.201 -j SNAT --to 192.168.1.10


UPDATE




I have to use the "NAT server" 192.168.1.10 as SNAT otherwise the FW will drop the traffic.




This works, kind of.



sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 destination address=192.168.1.20 forward-port port=4000-4010 protocol=tcp to-addr=192.168.1.100'
sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 destination address=192.168.1.30 forward-port port=4000-4010 protocol=tcp to-addr=192.168.1.200'
sudo firewall-cmd --reload


but not with only one zone. As they write in the Red Hat firewall doc,



A rule is associated with a particular zone. A zone can have several rules. If some rules interact or contradict, the first rule that matches the packet applies.



So I have to use two zones. Is this possible with two aliases?!?



UPDATE



This worked...



firewall-cmd --permanent --direct --add-rule ipv4 nat PREROUTING 0 -p tcp -m tcp -d "nat_alias" --dport "ext_port" -j DNAT --to-destination "server_ip":"int_port"
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -m state -p tcp -d "server_ip" --dport "int_port" --state NEW,ESTABLISHED,RELATED -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -t nat -p tcp -m tcp -s "server_ip" --sport "int_port" -j SNAT --to-source "nat_ip"









      rhel iptables port-forwarding nat






      edited 14 mins ago









      Rui F Ribeiro

      asked Dec 13 '16 at 13:21









Bjosve
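The final `firewall-cmd --direct` rules in the question are one DNAT / FORWARD / SNAT triple with the values filled in by hand. The script below is an added example (mine, not the asker's or the answerer's code) that generates the same triple once per NAT alias, so NAT#1 and NAT#2 each get their own set in the same direct chains and no second zone is needed: the quoted firewalld doc says the first matching rule wins, and the two sets never compete because each matches on its own `-d` alias. Two things in it are my assumptions rather than anything the page states: ports are preserved across the DNAT (as in the question's rich rules, `--to-destination` carries no port), and the POSTROUTING rule is narrowed with `-m conntrack --ctstate DNAT` so that only connections rewritten by the PREROUTING rule get the NAT server's address, whereas the question's rules matched on `-s server` / `--sport`. The sample addresses are the ones from the question.

```shell
#!/bin/sh
# Added example, not from the question or the answer. Generates the
# DNAT / FORWARD / SNAT rule triple once per NAT alias and, with "apply",
# loads it through firewalld's direct interface the way the question does.
# Assumptions (mine): ports are kept across the DNAT, and the SNAT is limited
# to DNATed connections with "-m conntrack --ctstate DNAT".

# Dotted-quad IPv4 check; also keeps shell metacharacters out of the rules.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for oct in $(printf '%s\n' "$1" | tr '.' ' '); do
        [ "$oct" -le 255 ] || return 1
    done
}

# A single port or an iptables-style range "low:high", within 1..65535.
is_port_spec() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{1,5}(:[0-9]{1,5})?$' || return 1
    low=${1%%:*}
    high=${1##*:}
    [ "$low" -ge 1 ] && [ "$high" -le 65535 ] && [ "$low" -le "$high" ]
}

# forward_rules NAT_ALIAS EXT_PORTS SERVER_IP NAT_IP
# Prints "<table> <chain> <iptables match/target arguments>", one rule per line.
forward_rules() {
    nat_alias=$1; ext_ports=$2; server_ip=$3; nat_ip=$4
    is_ipv4 "$nat_alias" && is_ipv4 "$server_ip" && is_ipv4 "$nat_ip" ||
        { echo "forward_rules: bad IPv4 address" >&2; return 1; }
    is_port_spec "$ext_ports" ||
        { echo "forward_rules: bad port spec '$ext_ports'" >&2; return 1; }
    # 1. Rewrite the destination as the packet arrives; ports are unchanged.
    echo "nat PREROUTING -p tcp -d $nat_alias --dport $ext_ports -j DNAT --to-destination $server_ip"
    # 2. Let the rewritten packet through the filter FORWARD chain.
    echo "filter FORWARD -p tcp -d $server_ip --dport $ext_ports -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
    # 3. Rewrite the source only for connections rule 1 DNATed, so the
    #    server's own outbound traffic keeps its real address.
    echo "nat POSTROUTING -p tcp -d $server_ip -m conntrack --ctstate DNAT -j SNAT --to-source $nat_ip"
}

# Load the generated rules via firewall-cmd --direct (priority 0) and reload.
apply_forward_rules() {
    forward_rules "$@" | while read -r table chain args; do
        # $args is word-split on purpose; every token was validated above.
        firewall-cmd --permanent --direct --add-rule ipv4 "$table" "$chain" 0 $args
    done
    firewall-cmd --reload
}

# Constructed sample from the question: NAT#1 -> Server Group A and
# NAT#2 -> Server Group B, both SNATed to the "NAT server" 192.168.1.10.
if [ "${1:-}" = "apply" ]; then
    apply_forward_rules 192.168.1.20 4000:4010 192.168.1.100 192.168.1.10
    apply_forward_rules 192.168.1.30 4000:4010 192.168.1.200 192.168.1.10
else
    forward_rules 192.168.1.20 4000:4010 192.168.1.100 192.168.1.10
    forward_rules 192.168.1.30 4000:4010 192.168.1.200 192.168.1.10
fi
```

Run it without arguments to print the rules for review, and with `apply` on the NAT server to load them. The input checks matter because the values end up unquoted on an iptables command line; the FORWARD rule is still needed since the DNAT only changes the destination and the filter table decides whether the forwarded packet passes.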

          1 Answer
You should do NAT/SNAT first; after that you use the NAT/SNAT IP address to forward the port. Maybe you need to separate the iptables rules.






                answered Dec 13 '16 at 15:13









supriady
