How to do port forwarding/redirecting on Debian?
Solution 1
iptables -A PREROUTING -t nat -i eth3 -p tcp --dport 1234 -j DNAT --to-destination 192.168.57.25:80
iptables -A FORWARD -p tcp -d 192.168.57.25 --dport 80 -j ACCEPT
iptables -A POSTROUTING -t nat -s 192.168.57.25 -o eth3 -j MASQUERADE
The first one specifies that all incoming TCP connections to port 1234 should be sent to port 80 of the internal machine 192.168.57.25. This rule alone doesn't complete the job because iptables denies all incoming connections. Then we accept the incoming connection to port 1234 from eth3, which connects to the Internet with the public IP, by the second rule. We add the second rule in the FORWARD chain to allow forwarding the packets to port 80 of 192.168.57.25.
EDIT: POSTROUTING added, to keep track of the connection; otherwise the outside host would see the internal IP 192.168.57.25, which it has no clue of.
EDIT2: Just got the hint that it should be --to-destination instead of --to (sry)
Solution 2
Thanks to Daywalker and Dánjal Salberg Adlersson. After hours of swearing, port forwarding with iptables finally works. (tested on Debian)
bash-script
#!/bin/bash
IPTBL=/sbin/iptables
IF_IN=eth0              # interface on which the external connections arrive
PORT_IN=40022           # externally exposed port
IP_OUT=172.16.93.128    # internal host the traffic is forwarded to
PORT_OUT=22             # port on the internal host
echo "1" > /proc/sys/net/ipv4/ip_forward    # enable routing between interfaces
# rewrite the destination of incoming connections to the internal host
$IPTBL -A PREROUTING -t nat -i $IF_IN -p tcp --dport $PORT_IN -j DNAT --to-destination ${IP_OUT}:${PORT_OUT}
# let the rewritten packets pass the FORWARD chain
$IPTBL -A FORWARD -p tcp -d $IP_OUT --dport $PORT_OUT -j ACCEPT
# rewrite the source so replies come back through this host
$IPTBL -A POSTROUTING -t nat -j MASQUERADE
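The same forwarding, as an added example that is not code from either answer: a POSIX sh script that validates the parameters before emitting the rules and, instead of masquerading everything, masquerades only the flow the DNAT rule rewrote. The interface, ports and address are placeholders, and the ESTABLISHED,RELATED rule is an assumption for hosts whose FORWARD policy is DROP.

```shell
#!/bin/sh
# Added example, not code from the original answers: generate (and optionally
# apply) a DNAT port-forward rule set, validating inputs first and masquerading
# only the forwarded flow rather than all forwarded traffic.
# Interface, ports and address are placeholders chosen for this example.

# Return 0 if $1 is a dotted-quad IPv4 address with octets 0-255.
valid_ipv4() {
  case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# Return 0 if $1 is a TCP port number in 1-65535.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# forward_rules IF_IN PORT_IN IP_OUT PORT_OUT: print one iptables command per
# line, or return 1 and print nothing if an argument is malformed.
# The ESTABLISHED,RELATED rule is only needed when the FORWARD policy is DROP
# (assumption). The POSTROUTING rule matches only packets already rewritten by
# the DNAT rule, so other forwarded traffic keeps its real source address.
forward_rules() {
  if_in=$1; port_in=$2; ip_out=$3; port_out=$4
  valid_port "$port_in" && valid_port "$port_out" && valid_ipv4 "$ip_out" || return 1
  printf '%s\n' \
    "iptables -t nat -A PREROUTING -i $if_in -p tcp --dport $port_in -j DNAT --to-destination $ip_out:$port_out" \
    "iptables -A FORWARD -i $if_in -p tcp -d $ip_out --dport $port_out -j ACCEPT" \
    "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
    "iptables -t nat -A POSTROUTING -d $ip_out -p tcp --dport $port_out -j MASQUERADE"
}

# apply_forward IF_IN PORT_IN IP_OUT PORT_OUT: enable routing and run the rules
# (needs root); each command is echoed first so the change is on record.
apply_forward() {
  rules=$(forward_rules "$@") || { echo "invalid arguments: $*" >&2; return 1; }
  echo 1 > /proc/sys/net/ipv4/ip_forward
  printf '%s\n' "$rules" | while read -r cmd; do echo "+ $cmd"; $cmd || exit 1; done
}

case "${1:-show}" in
  apply) shift; apply_forward "$@" ;;
  *)     forward_rules eth0 40022 172.16.93.128 22 ;;  # print only, change nothing
esac
```

Run without arguments to review the rules; run as `sh forward.sh apply eth0 40022 172.16.93.128 22` as root to install them.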
Dánjal Salberg Adlersson
Updated on September 18, 2022
Comments
- Dánjal Salberg Adlersson (almost 2 years):
I have two questions.
Question 1: My Debian machine has interface eth3 with IP 192.168.57.28. If someone tries to connect to 192.168.57.28:1234, how do I redirect the request to another machine, 192.168.57.25:80?
Question 2: If my Debian machine has two interfaces, eth3 with 192.168.57.28 and ppp0 with some dynamic IP, and someone tries to connect via ppp0 on port 1234, how do I redirect the request to 192.168.57.25:80?
I have tried this:
$ iptables -t nat -A PREROUTING -p tcp --dport 1234 -j DNAT --to-destination 192.168.57.25:80
$ echo 1 > /proc/sys/net/ipv4/ip_forward
but it doesn't work.
- Dánjal Salberg Adlersson (almost 11 years): I have tried your suggestion, but it does not work. I can browse to 192.168.57.25 and the webpage returns, but browsing to 192.168.57.28:1234 does not work.
- Daywalker (almost 11 years): @DánjalSalbergAdlersson Updated my post (missed something, sry).
- Dánjal Salberg Adlersson (almost 11 years): I tried your suggestion, but it did not work. Then I changed the last one to this: iptables -A POSTROUTING -t nat -j MASQUERADE, and then it worked!
- edwardsmarkf (over 5 years): Is there any reason why "-s 192.168.57.25" was omitted from the POSTROUTING line?
- edwardsmarkf (over 5 years): Also "-o eth3" omitted.
- edwardsmarkf (over 5 years): I see the -s and -o on the POSTROUTING line seem to be optional. Any thoughts on using SSL? I asked the question here, referencing your script: superuser.com/questions/1387902/…
- user3728501 (about 4 years): Does this not work in 2020? Error:
iptables v1.8.2 (nf_tables): unknown option "--to-destination"