Foward ports with iptables NAT rules?Port Mirroring using iptables - copy all traffic among nginx on :80 and Apache on :8080iptables - Redirect web traffic to LAN ServerAlter DST port on bridged trafficFreeBSD load balancer implementationiptables rule to snat port and ip on AWS instanceiptables - 2 Internetprovider - routingImplicit Inverses for iptables NAT RulesLocal port forwarding using iptables is not workingDROP or REJECT packets from PREROUTING NAT table in iptablesPort forwarding over OpenVpn

School performs periodic password audits. Is my password compromised?

How do I increase the number of TTY consoles?

What would be the most expensive material to an intergalactic society?

What is Tony Stark injecting into himself in Iron Man 3?

Should we avoid writing fiction about historical events without extensive research?

"If + would" conditional in present perfect tense

Translation of 答えを知っている人はいませんでした

Can one live in the U.S. and not use a credit card?

Would those living in a "perfect society" not understand satire

How to copy the rest of lines of a file to another file

Use Mercury as quenching liquid for swords?

How to educate team mate to take screenshots for bugs with out unwanted stuff

Why do we say 'Pairwise Disjoint', rather than 'Disjoint'?

Writing text next to a table

Are these two graphs isomorphic? Why/Why not?

How do we create new idioms and use them in a novel?

Is there a way to make cleveref distinguish two environments with the same counter?

Under what conditions can the right to remain silent be revoked in the USA?

Create chunks from an array

Called into a meeting and told we are being made redundant (laid off) and "not to share outside". Can I tell my partner?

Locked Away- What am I?

Why does Central Limit Theorem break down in my simulation?

Help! My Character is too much for her story!

PTIJ: Who was the sixth set of priestly clothes for?



Foward ports with iptables NAT rules?


Port Mirroring using iptables - copy all traffic among nginx on :80 and Apache on :8080iptables - Redirect web traffic to LAN ServerAlter DST port on bridged trafficFreeBSD load balancer implementationiptables rule to snat port and ip on AWS instanceiptables - 2 Internetprovider - routingImplicit Inverses for iptables NAT RulesLocal port forwarding using iptables is not workingDROP or REJECT packets from PREROUTING NAT table in iptablesPort forwarding over OpenVpn













0















I'm trying to forward ports with iptables NAT rules, but it doesn't seem to work.



Example picture



So I want traffic from NAT#1 in a specific port range go to a specific server in a server group and traffic from NAT#2 to another server group.



I have to use the "NAT server" 192.168.1.10 as SNAT otherwise the FW will drop the traffic.



I've tried the following on the "NAT server",



Example A - NAT#1 port 4000 to Server Group A

sudo iptables -t nat -A PREROUTING -p tcp -d 192.168.1.20 --dport 4000 -j DNAT --to-destination 192.168.1.100
sudo iptables -t nat -A POSTROUTING -s 192.168.1.100 -j SNAT --to 192.168.1.10

Example B - NAT#2 port 5000 to Server Group B

sudo iptables -t nat -A PREROUTING -p tcp -d 192.168.1.30 --dport 5000 -j DNAT --to-destination 192.168.1.201
sudo iptables -t nat -A POSTROUTING -s 192.168.1.201 -j SNAT --to 192.168.1.10


UPDATE




I have to use the "NAT server" 192.168.1.10 as SNAT otherwise the
FW will drop the traffic.




This works, kind of.



sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 destination address=192.168.1.20 forward-port port=4000-4010 protocol=tcp to-addr=192.168.1.100'
sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 destination address=192.168.1.30 forward-port port=4000-4010 protocol=tcp to-addr=192.168.1.200'
sudo firewall-cmd --reload


but not with one zone. As they write in RedHat firewall doc,



A rule is associated with a particular zone. A zone can have several rules. If some rules interact or contradict, the first rule that matches the packet applies.



So I have to use two zones. Is this possible with two aliases?!?



UPDATE



This worked...



firewall-cmd --permanent --direct --add-rule ipv4 nat PREROUTING 0 -p tcp -m tcp -d "nat_alias" --dport "ext_port" -j DNAT --to-destination "server_ip":"int_port"
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -m state -p tcp -d "server_ip" --dport "int_port" --state NEW,ESTABLISHED,RELATED -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -t nat -p tcp -m tcp -s "server_ip" --sport "int_port" -j SNAT --to-source "nat_ip"





rhel iptables port-forwarding nat







share|improve this question




























    0















    I'm trying to forward ports with iptables NAT rules, but it doesn't seem to work.



    Example picture



    So I want traffic from NAT#1 in a specific port range go to a specific server in a server group and traffic from NAT#2 to another server group.



    I have to use the "NAT server" 192.168.1.10 as SNAT otherwise the FW will drop the traffic.



    I've tried the following on the "NAT server",



    Example A - NAT#1 port 4000 to Server Group A

    sudo iptables -t nat -A PREROUTING -p tcp -d 192.168.1.20 --dport 4000 -j DNAT --to-destination 192.168.1.100
    sudo iptables -t nat -A POSTROUTING -s 192.168.1.100 -j SNAT --to 192.168.1.10

    Example B - NAT#2 port 5000 to Server Group B

    sudo iptables -t nat -A PREROUTING -p tcp -d 192.168.1.30 --dport 5000 -j DNAT --to-destination 192.168.1.201
    sudo iptables -t nat -A POSTROUTING -s 192.168.1.201 -j SNAT --to 192.168.1.10


    UPDATE




    I have to use the "NAT server" 192.168.1.10 as SNAT otherwise the
    FW will drop the traffic.




    This works, kind of.



    sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 destination address=192.168.1.20 forward-port port=4000-4010 protocol=tcp to-addr=192.168.1.100'
    sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 destination address=192.168.1.30 forward-port port=4000-4010 protocol=tcp to-addr=192.168.1.200'
    sudo firewall-cmd --reload


    but not with one zone. As they write in RedHat firewall doc,



    A rule is associated with a particular zone. A zone can have several rules. If some rules interact or contradict, the first rule that matches the packet applies.



    So I have to use two zones. Is this possible with two aliases?!?



    UPDATE



    This worked...



    firewall-cmd --permanent --direct --add-rule ipv4 nat PREROUTING 0 -p tcp -m tcp -d "nat_alias" --dport "ext_port" -j DNAT --to-destination "server_ip":"int_port"
    firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -m state -p tcp -d "server_ip" --dport "int_port" --state NEW,ESTABLISHED,RELATED -j ACCEPT
    firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -t nat -p tcp -m tcp -s "server_ip" --sport "int_port" -j SNAT --to-source "nat_ip"





    rhel iptables port-forwarding nat







    share|improve this question


























      0












      0








      0








      I'm trying to forward ports with iptables NAT rules, but it doesn't seem to work.



      Example picture



      So I want traffic from NAT#1 in a specific port range go to a specific server in a server group and traffic from NAT#2 to another server group.



      I have to use the "NAT server" 192.168.1.10 as SNAT otherwise the FW will drop the traffic.



      I've tried the following on the "NAT server",



      Example A - NAT#1 port 4000 to Server Group A

      sudo iptables -t nat -A PREROUTING -p tcp -d 192.168.1.20 --dport 4000 -j DNAT --to-destination 192.168.1.100
      sudo iptables -t nat -A POSTROUTING -s 192.168.1.100 -j SNAT --to 192.168.1.10

      Example B - NAT#2 port 5000 to Server Group B

      sudo iptables -t nat -A PREROUTING -p tcp -d 192.168.1.30 --dport 5000 -j DNAT --to-destination 192.168.1.201
      sudo iptables -t nat -A POSTROUTING -s 192.168.1.201 -j SNAT --to 192.168.1.10


      UPDATE




      I have to use the "NAT server" 192.168.1.10 as SNAT otherwise the
      FW will drop the traffic.




      This works, kind of.



      sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 destination address=192.168.1.20 forward-port port=4000-4010 protocol=tcp to-addr=192.168.1.100'
      sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 destination address=192.168.1.30 forward-port port=4000-4010 protocol=tcp to-addr=192.168.1.200'
      sudo firewall-cmd --reload


      but not with one zone. As they write in RedHat firewall doc,



      A rule is associated with a particular zone. A zone can have several rules. If some rules interact or contradict, the first rule that matches the packet applies.



      So I have to use two zones. Is this possible with two aliases?!?



      UPDATE



      This worked...



      firewall-cmd --permanent --direct --add-rule ipv4 nat PREROUTING 0 -p tcp -m tcp -d "nat_alias" --dport "ext_port" -j DNAT --to-destination "server_ip":"int_port"
      firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -m state -p tcp -d "server_ip" --dport "int_port" --state NEW,ESTABLISHED,RELATED -j ACCEPT
      firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -t nat -p tcp -m tcp -s "server_ip" --sport "int_port" -j SNAT --to-source "nat_ip"





      rhel iptables port-forwarding nat







      share|improve this question
















      I'm trying to forward ports with iptables NAT rules, but it doesn't seem to work.



      Example picture



      So I want traffic from NAT#1 in a specific port range go to a specific server in a server group and traffic from NAT#2 to another server group.



      I have to use the "NAT server" 192.168.1.10 as SNAT otherwise the FW will drop the traffic.



      I've tried the following on the "NAT server",



      Example A - NAT#1 port 4000 to Server Group A

      sudo iptables -t nat -A PREROUTING -p tcp -d 192.168.1.20 --dport 4000 -j DNAT --to-destination 192.168.1.100
      sudo iptables -t nat -A POSTROUTING -s 192.168.1.100 -j SNAT --to 192.168.1.10

      Example B - NAT#2 port 5000 to Server Group B

      sudo iptables -t nat -A PREROUTING -p tcp -d 192.168.1.30 --dport 5000 -j DNAT --to-destination 192.168.1.201
      sudo iptables -t nat -A POSTROUTING -s 192.168.1.201 -j SNAT --to 192.168.1.10


      UPDATE




      I have to use the "NAT server" 192.168.1.10 as SNAT otherwise the
      FW will drop the traffic.




      This works, kind of.



      sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 destination address=192.168.1.20 forward-port port=4000-4010 protocol=tcp to-addr=192.168.1.100'
      sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 destination address=192.168.1.30 forward-port port=4000-4010 protocol=tcp to-addr=192.168.1.200'
      sudo firewall-cmd --reload


      but not with one zone. As they write in RedHat firewall doc,



      A rule is associated with a particular zone. A zone can have several rules. If some rules interact or contradict, the first rule that matches the packet applies.



      So I have to use two zones. Is this possible with two aliases?!?



      UPDATE



      This worked...



      firewall-cmd --permanent --direct --add-rule ipv4 nat PREROUTING 0 -p tcp -m tcp -d "nat_alias" --dport "ext_port" -j DNAT --to-destination "server_ip":"int_port"
      firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -m state -p tcp -d "server_ip" --dport "int_port" --state NEW,ESTABLISHED,RELATED -j ACCEPT
      firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -t nat -p tcp -m tcp -s "server_ip" --sport "int_port" -j SNAT --to-source "nat_ip"





      rhel iptables port-forwarding nat




      rhel iptables port-forwarding nat






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited 14 mins ago









      Rui F Ribeiro

      41.3k1481140




      41.3k1481140










      asked Dec 13 '16 at 13:21









      BjosveBjosve

      162




      162




















          1 Answer
          1






          active

          oldest

          votes


















          0














          You should do NAT/SNAT first after that you use NAT/SNAT ip address to forward port.Maybe you need to separate iptable rules.






          share|improve this answer






















            Your Answer








            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "106"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: false,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            imageUploader:
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            ,
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );













            draft saved

            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f330074%2ffoward-ports-with-iptables-nat-rules%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            0














            You should do NAT/SNAT first after that you use NAT/SNAT ip address to forward port.Maybe you need to separate iptable rules.






            share|improve this answer



























              0














              You should do NAT/SNAT first after that you use NAT/SNAT ip address to forward port.Maybe you need to separate iptable rules.






              share|improve this answer

























                0












                0








                0







                You should do NAT/SNAT first after that you use NAT/SNAT ip address to forward port.Maybe you need to separate iptable rules.






                share|improve this answer













                You should do NAT/SNAT first after that you use NAT/SNAT ip address to forward port.Maybe you need to separate iptable rules.







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered Dec 13 '16 at 15:13









                supriadysupriady

                146211




                146211



























                    draft saved

                    draft discarded
















































                    Thanks for contributing an answer to Unix & Linux Stack Exchange!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid


                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.

                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function ()
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f330074%2ffoward-ports-with-iptables-nat-rules%23new-answer', 'question_page');

                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    -

                    Popular posts from this blog

                    Creating 100m^2 grid automatically using QGIS?Creating grid constrained within polygon in QGIS?Createing polygon layer from point data using QGIS?Creating vector grid using QGIS?Creating grid polygons from coordinates using R or PythonCreating grid from spatio temporal point data?Creating fields in attributes table using other layers using QGISCreate .shp vector grid in QGISQGIS Creating 4km point grid within polygonsCreate a vector grid over a raster layerVector Grid Creates just one grid

                    Image
                    Pattern match does not work in bash script Mage Armor with Defense fighting style (for Adventurers League bladeslinger) LaTeX closing $ signs makes cursor jump String Manipulation Interpreter Can divisibility rules for digits be generalized to sum of digits I'm planning on buying a laser printer but concerned about the life cycle of toner in the machine What is the offset in a seaplane's hull? How can I make my BBEG immortal short of making them a Lich or Vampire? What are the differences between the usage of 'it' and 'they'? The use of multiple foreign keys on same column in SQL Server How did the USSR manage to innovate in an environment characterized by government censorship and high bureaucracy? Is it tax fraud for an individual to declare non-taxable revenue as taxable income? (US tax laws) Why Is Death Allowed In the Matrix? Minkowski space Why are 150k or 200k jobs considered good when there are 300k+ births a month? Why do f...
                    Read more

                    Nikolai Prilezhaev Bibliography References External links Navigation menuEarly Russian Organic Chemists and Their Legacy092774english translationRussian Biography

                    19th-century chemists20th-century chemists1877 births1944 deathsRussian chemists RussianO.S.KopossevoNizhny NovgorodMoscoworganic chemistPrilezhaev ReactionepoxidesalkenesperoxyacidsUniversity of WarsawYegor Yegorovich VagnerGeorg WagnerSt. PetersburgPolytechnic in KievUniversity of MinskBelarusian Academy of SciencesAlexei Nikolaevich Bachname reactionSoviet Academy of Sciences Nikolai Alexandrovich Prilezhaev , Russian: Николай Александрович Прилежаев , (Born 15 [O.S. 1877] 27 [1] in Kopossevo near Nizhny Novgorod, died May 26, 1944 in Moscow) was a Russian organic chemist. The Prilezhaev Reaction between epoxides and alkenes to form peroxyacids is named after him. Prilezhaev was the son of a clergyman and studied chemistry at the Theological Seminary in Warsaw (graduated in 1895) and then at the Univ...
                    Read more

                    How to link a C library to an Assembly library on Mac with clangHow do you set, clear, and toggle a single bit?Find (and kill) process locking port 3000 on MacWho is listening on a given TCP port on Mac OS X?How to start PostgreSQL server on Mac OS X?Compile assembler in nasm on mac osHow do I install pip on macOS or OS X?AFNetworking 2.0 “_NSURLSessionTransferSizeUnknown” linking error on Mac OS X 10.8C++ code for testing the Collatz conjecture faster than hand-written assembly - why?How to link a NASM code and GCC in Mac OS X?How to run x86 .asm on macOS Sierra

                    Image
                    Is there enough fresh water in the world to eradicate the drinking water crisis? What is the term when two people sing in harmony, but they aren't singing the same notes? Is there a problem with hiding "forgot password" until it's needed? Why does this part of the Space Shuttle launch pad seem to be floating in air? Hostile work environment after whistle-blowing on coworker and our boss. What do I do? How to prevent YouTube from showing already watched videos? Is there an Impartial Brexit Deal comparison site? Would it be legal for a US State to ban exports of a natural resource? Can somebody explain Brexit in a few child-proof sentences? Latex for-and in equation Is a naturally all "male" species possible? Is there an wasy way to program in Tikz something like the one in the image? How to deal with or prevent idle in the test team? node command while defining a coordinate in TikZ Simulating a probability of 1 of 2^N with less tha...
                    Read more