iptables port forwarding only for a certain range of IP
The -s flag selects only the traffic that matches the host or network specified. If you want to match all traffic except that, use

! -s 10.0.3.0/24

and don't forget to escape that ! from the shell with either quotes or a backslash.
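The following is an added example, not code from the question or from MadHatter's answer. It is a small POSIX sh model of the nat PREROUTING rule from the question in the three forms the thread goes through (no -s, -s, and ! -s), so the effect of each source selector on the two flows in the question can be checked without a live firewall. The container network 10.0.3.0/24 and the DNAT target 10.0.3.4:3000 come from the page; the addresses chosen for HOST (203.0.113.5), HOST2 (192.0.2.20) and an outside client (198.51.100.7) are hypothetical documentation addresses. The model only looks at source address and destination port; -i/-d matches and conntrack state are ignored.

```shell
#!/bin/sh
# Added example, not from the original question or answer: a model of the nat
# PREROUTING DNAT rule under three source selectors. Constructed values: the
# container network and DNAT target are from the page; HOST 203.0.113.5,
# HOST2 192.0.2.20 and the outside client 198.51.100.7 are hypothetical.

CONTAINER_NET=10.0.3.0/24
DNAT_TARGET=10.0.3.4
FORWARDED_PORT=3000

# ip_to_int 10.0.3.4 -> 167772932 (dotted quad to 32-bit integer)
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# in_net ADDR CIDR -> exit status 0 when ADDR lies inside CIDR
in_net() {
    net_addr=${2%/*}
    prefix=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net_addr") & mask )) ]
}

# prerouting_target SRC DST DPORT MODE -> "ip:port" the packet leaves PREROUTING with
#   MODE none    : -p tcp --dport 3000 -j DNAT ...                 (question's first rule)
#   MODE plain   : -s 10.0.3.0/24 -p tcp --dport 3000 -j DNAT ...  (question's second rule)
#   MODE negated : ! -s 10.0.3.0/24 -p tcp --dport 3000 -j DNAT ... (the answer)
prerouting_target() {
    src=$1; dst=$2; dport=$3; mode=$4
    if in_net "$src" "$CONTAINER_NET"; then from_containers=1; else from_containers=0; fi
    case $mode in
        none)    src_match=1 ;;                           # no -s: any source matches
        plain)   src_match=$from_containers ;;            # -s NET: only container sources
        negated) src_match=$(( 1 - from_containers )) ;;  # ! -s NET: everything but containers
        *)       echo "unknown mode $mode" >&2; return 2 ;;
    esac
    if [ "$src_match" -eq 1 ] && [ "$dport" -eq "$FORWARDED_PORT" ]; then
        echo "$DNAT_TARGET:$FORWARDED_PORT"
    else
        echo "$dst:$dport"
    fi
}

# dnat_rule MODE -> the iptables command line for that mode. The ! is single-quoted
# so an interactive bash does not treat it as history expansion (the caveat in the answer).
dnat_rule() {
    case $1 in
        none)    sel="" ;;
        plain)   sel="-s $CONTAINER_NET " ;;
        negated) sel="'!' -s $CONTAINER_NET " ;;
    esac
    echo "iptables -t nat -A PREROUTING ${sel}-p tcp --dport $FORWARDED_PORT -j DNAT --to-destination $DNAT_TARGET:$FORWARDED_PORT"
}

# Stand-alone run: show both flows from the question under each rule form.
for mode in none plain negated; do
    echo "== $mode: $(dnat_rule $mode)"
    echo "   outside client -> HOST:3000   ends at $(prerouting_target 198.51.100.7 203.0.113.5 3000 $mode)"
    echo "   container      -> HOST2:3000  ends at $(prerouting_target 10.0.3.9 192.0.2.20 3000 $mode)"
done
```

Running it shows the progression in the thread: with no -s both flows land on 10.0.3.4:3000 (the container's own outbound connection is hijacked); with -s 10.0.3.0/24 only the container flow is rewritten and the outside client is no longer forwarded at all; with ! -s 10.0.3.0/24 the outside client reaches the container and the container's connection to HOST2 is left alone.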
rmonjo
Updated on September 18, 2022

Comments
-
rmonjo over 1 year
I'm using LXC containers. Each one of my containers has an IP address in 10.0.3.0/24. I want the packets that come into my host on a certain port to be redirected to a container, so I use this rule:
iptables -t nat -A PREROUTING -p tcp --dport 3000 -j DNAT --to-destination 10.0.3.4:3000
This allows me to do: (outside packet) --> HOST:3000 --> CONTAINER:3000
It works great. However, when I'm inside a container (not the one used in the previous rule) and I want to access another host (say HOST2) on port 3000, my packet is redirected to my container. It does:
(inside container packet) --> HOST2:3000 --> HOST:3000 --> CONTAINER:3000
instead of:
(inside container packet) --> HOST2:3000 --> HOST:3000 --> HOST2:3000
I tried to change my rule above to
iptables -t nat -A PREROUTING -s 10.0.3.0/24 -p tcp --dport 3000 -j DNAT --to-destination 10.0.3.4:3000
in order to say: if a packet comes from a container, don't apply the rule. However, this doesn't work. Any help would be great. Regards
Here are my iptables rules:
Chain PREROUTING (policy ACCEPT 154 packets, 29925 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   240 DNAT       tcp  --  *      *       10.0.3.0/24          0.0.0.0/0            tcp dpt:3000 to:10.0.3.5:3000
    3   180 DNAT       tcp  --  *      *       10.0.3.0/24          0.0.0.0/0            tcp dpt:3001 to:10.0.3.6:3001

Chain INPUT (policy ACCEPT 126 packets, 28400 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 25 packets, 1900 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 29 packets, 2140 bytes)
 pkts bytes target     prot opt in     out     source               destination
   28  1525 MASQUERADE all  --  *      *       10.0.3.0/24         !10.0.3.0/24
By "doesn't work" I mean that when I curl port 3000 on any host from within a container, I'm redirected to my container:3000.
-
MadHatter over 10 years: Can we see the whole of your nat table, with iptables -t nat -L -n -v (edit the output into your question)? Also, what do you mean by "this doesn't work"?
-
rmonjo over 10 years: Thx, I updated my question.
-
rmonjo over 10 years: Hmm, I'm not using the -s option correctly. It says apply the rule only for 10.0.3.0/24. How do I say apply the rule except for ?
-
MadHatter over 10 years: Sorry, I can't understand that last question. The -s flag says the rule applies to traffic from a particular range of IP addresses (-s = --source), and it looks like it's working fine, to me.
-
rmonjo over 10 years: My -s flag is set to 10.0.3.0/24, which is the containers' IP address. But I want this rule to be applied to everyone but not to the containers. My -s flag should be something like -s everything except 10.0.3.0/24.
-
MadHatter over 10 years: Try ! -s 10.0.3.0/24. You may need to protect the ! from the shell with a backslash, or by quoting it.
-
MadHatter over 10 years: OK, I'll post that as an answer so you can accept it, and the question will be "done and dusted".
-