iptables port forwarding only for a certain range of IP


The -s flag selects only that traffic that matches the host or network specified. If you want to match all traffic except that, use

! -s 10.0.3.0/24

and don't forget to escape that ! from the shell with either quotes or a backslash.

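The following is an added example, not part of MadHatter's answer or rmonjo's question. It models, in plain POSIX sh, how the nat PREROUTING rule from this thread matches packets, so you can see why the question's `-s 10.0.3.0/24` version still rewrites container traffic headed for another host, while the answer's `! -s 10.0.3.0/24` version leaves it alone. Only the network `10.0.3.0/24`, the DNAT target `10.0.3.4:3000`, and port 3000 come from the thread; the HOST, HOST2 and outside-client addresses are constructed, and the matching logic is a simplified model of iptables (source prefix plus `--dport` only), not the kernel's own evaluation.

```shell
#!/bin/sh
# Added example (not from the question or the answer): a model of the nat
# PREROUTING DNAT rule from the thread, evaluated against constructed packets.
#   match  -> the question's rule:   -s 10.0.3.0/24
#   negate -> the answer's rule:   ! -s 10.0.3.0/24
# Addresses HOST=203.0.113.10, HOST2=10.0.3.200 and the outside client
# 198.51.100.7 are constructed for this example.

CONTAINER_NET=10.0.3.0/24   # from the thread
TARGET=10.0.3.4:3000        # --to-destination from the thread

# Dotted quad -> 32-bit integer, using POSIX word splitting in a subshell
# so the caller's IFS is never touched.
ip_to_int() {
    ( IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) )
}

# in_cidr ADDR NET/PREFIX -> exit status 0 when ADDR lies inside the prefix.
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# prerouting MODE SRC DST DPORT -> prints the destination after the nat
# PREROUTING chain has been evaluated for one TCP packet.
prerouting() {
    mode=$1; src=$2; dst=$3; dport=$4
    # Neither rule mentions other ports, so they pass through untouched.
    [ "$dport" -eq 3000 ] || { echo "$dst:$dport"; return; }
    if in_cidr "$src" "$CONTAINER_NET"; then from_container=yes; else from_container=no; fi
    case "$mode:$from_container" in
        # -s matches container sources; ! -s matches everything else.
        match:yes|negate:no) echo "$TARGET" ;;      # rule fires: destination rewritten
        *)                   echo "$dst:$dport" ;;  # rule skipped: packet continues unchanged
    esac
}

# The corrected rule as a command line, with the ! quoted so an interactive
# bash does not try to history-expand it (the point at the end of the answer).
fixed_rule() {
    printf '%s\n' "iptables -t nat -A PREROUTING '!' -s $CONTAINER_NET -p tcp --dport 3000 -j DNAT --to-destination $TARGET"
}

# Walk the two flows described in the question under both rules.
for mode in match negate; do
    echo "== rule variant: $mode =="
    echo "outside client 198.51.100.7 -> HOST:3000  => $(prerouting $mode 198.51.100.7 203.0.113.10 3000)"
    echo "container 10.0.3.5 -> HOST2:3000          => $(prerouting $mode 10.0.3.5 10.0.3.200 3000)"
done
fixed_rule
```

Run it with `sh` and compare the two variants: under `match` the container's packet to HOST2 is rewritten to `10.0.3.4:3000` (the misbehaviour rmonjo reported) and the outside client's packet is no longer forwarded at all; under `negate` the outside client is forwarded and the container's packet keeps its original destination. The `'!'` quoting in `fixed_rule` only matters when the rule is typed into an interactive bash with history expansion enabled; inside a script the bare `!` is fine.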

Author: rmonjo

Updated on September 18, 2022

Comments

  • rmonjo over 1 year

    I'm using LXC containers. Each one of my containers has an IP address in 10.0.3.0/24. I want the packets that come into my host on a certain port to be redirected to a container, so I use this rule:

    iptables -t nat -A PREROUTING -p tcp --dport 3000 -j DNAT --to-destination 10.0.3.4:3000
    

    This allows: (outside packet) --> HOST:3000 --> CONTAINER:3000

    It works great. However, when I'm inside a container (not the one used in this previous rule), and I want to access another host (say HOST2) on port 3000, my packet is being redirected to my container. It does:

    (inside container packet) # --> HOST2:3000 --> HOST:3000 --> CONTAINER:3000

    instead of (inside container packet) # --> HOST2:3000 --> HOST:3000 --> HOST2:3000

    I tried to change my rule above to

    iptables -t nat -A PREROUTING -s 10.0.3.0/24 -p tcp --dport 3000 -j DNAT --to-destination 10.0.3.4:3000
    

    in order to say: if a packet comes from a container, don't apply the rule. However, this doesn't work. Any help would be great. Regards

    Here are my iptables rules:

    Chain PREROUTING (policy ACCEPT 154 packets, 29925 bytes)
    pkts bytes target     prot opt in     out     source               destination         
    4   240 DNAT       tcp  --  *      *       10.0.3.0/24          0.0.0.0/0            tcp      dpt:3000 to:10.0.3.5:3000
    3   180 DNAT       tcp  --  *      *       10.0.3.0/24          0.0.0.0/0            tcp   dpt:3001 to:10.0.3.6:3001
    
    Chain INPUT (policy ACCEPT 126 packets, 28400 bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain OUTPUT (policy ACCEPT 25 packets, 1900 bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain POSTROUTING (policy ACCEPT 29 packets, 2140 bytes)
     pkts bytes target     prot opt in     out     source               destination         
       28  1525 MASQUERADE  all  --  *      *       10.0.3.0/24         !10.0.3.0/24
    

    By "doesn't work" I mean that when I curl port 3000 on any host from within a container, I'm redirected to my container:3000

    • MadHatter over 10 years
      Can we see the whole of your nat table, with iptables -t nat -L -n -v (edit the output into your question)? Also, what do you mean by "this doesn't work"?
    • rmonjo over 10 years
      Thx, I updated my question
    • rmonjo over 10 years
      Hmm, I'm not using the -s option correctly. It says apply the rule only for 10.0.3.0/24. How do I say apply the rule except for?
    • MadHatter over 10 years
      Sorry, I can't understand that last question. The -s flag says the rule applies to traffic from a particular range of IP addresses (-s = --source), and it looks like it's working fine, to me.
    • rmonjo over 10 years
      My -s flag is set to 10.0.3.0/24, which is the containers' IP address range. But I want this rule to be applied to everyone but not to the containers. My -s flag should be something like -s everything except 10.0.3.0/24
    • MadHatter over 10 years
      Try ! -s 10.0.3.0/24. You may need to protect the ! from the shell with a backslash, or by quoting it.
    • MadHatter over 10 years
      OK, I'll post that as an answer so you can accept it, and the question will be "done and dusted".