IPTables - Port to another ip & port (from the inside)
Solution 1
I finally found out how. First, I had to add -i eth1 to my "outside" rule (eth1 is my WAN connection). I also needed to add two other rules. Here is what I came up with in the end:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 8080 -j DNAT --to 10.32.25.2:80
iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to 10.32.25.2:80
iptables -t nat -A POSTROUTING -p tcp -d 10.32.25.2 --dport 80 -j MASQUERADE
Solution 2
You also forgot to mention that package forwarding should be enabled to be able to perform destination NAT. By default, it's usually off, so iptables rules will not work. It can be enabled by issuing:
echo 1 > /proc/sys/net/ipv4/ip_forward
Solution 3
First allow forwarding with
echo 1 > /proc/sys/net/ipv4/ip_forward
Then set iptable rules with
IF=eth1
PORT_FROM=8080
PORT_TO=80
DEST=10.32.25.2
iptables -t nat -A PREROUTING -i $IF -p tcp --dport $PORT_FROM -j DNAT --to $DEST:$PORT_TO
iptables -t nat -A POSTROUTING -p tcp -d $DEST --dport $PORT_TO -j MASQUERADE
You can put these lines into /etc/rc.local, for example. Note: since Debian jessie, make it executable and enable the rc.local service via
systemctl enable rc-local.service
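A more tightly scoped variant of the rules in the answers above, as an added example (not code from the original answers): it prints the commands for review, limits the inside DNAT rule to LAN clients addressing the router's own LAN IP, limits MASQUERADE to LAN-sourced connections, and checks for an existing rule before appending. eth1 and the 10.32.25.x addresses are from the page; the LAN interface name eth0, the /24 prefix and the function names are assumptions.

```shell
#!/bin/sh
# Added example: print scoped NAT rules for review instead of applying them.
# eth1 (WAN) and the 10.32.25.x addresses come from the page; the LAN interface
# name eth0 and the /24 prefix are assumptions.

is_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Check (-C) before append (-A) so re-running from rc.local adds no duplicates.
emit() {
    echo "iptables -t nat -C $1 2>/dev/null || iptables -t nat -A $1"
}

# usage: hairpin_rules WAN_IF LAN_IF LAN_NET ROUTER_LAN_IP DEST PORT_FROM PORT_TO
hairpin_rules() {
    h_wan=$1 h_lan=$2 h_net=$3 h_gw=$4 h_dest=$5 h_from=$6 h_to=$7
    if ! is_port "$h_from" || ! is_port "$h_to"; then
        echo "invalid port: $h_from -> $h_to" >&2
        return 1
    fi
    # Outside: DNAT only what arrives on the WAN interface.
    emit "PREROUTING -i $h_wan -p tcp --dport $h_from -j DNAT --to-destination $h_dest:$h_to"
    # Inside: DNAT only LAN clients that address the router's own LAN IP, so
    # LAN connections to port $h_from on other hosts are left alone.
    emit "PREROUTING -i $h_lan -s $h_net -d $h_gw -p tcp --dport $h_from -j DNAT --to-destination $h_dest:$h_to"
    # Hairpin: masquerade only LAN-sourced connections, so replies return via
    # the router while outside clients keep their real source IP.
    emit "POSTROUTING -o $h_lan -s $h_net -d $h_dest -p tcp --dport $h_to -j MASQUERADE"
}

hairpin_rules eth1 eth0 10.32.25.0/24 10.32.25.1 10.32.25.2 8080 80
```

Review the printed commands, then pipe them to sh as root to apply them.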
David Bélanger
Updated on September 18, 2022
Comments
-
David Bélanger almost 2 years
I currently have a NAS box running under port 80. To access the NAS from the outside, I mapped the port 8080 to port 80 on the NAS as follows:
iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 10.32.25.2:80
This is working like a charm. However, this is working only if I am accessing the website from the outside of the network (at work, at a different house, etc). So when I type in mywebsite.com:8080, IPTables does the job correctly and everything is working fine.
Now, the problem I have is, how can I redirect this port from the inside of the network? My domain name mywebsite.com points to my router (my linux server) from the inside (10.32.25.1) but I want to redirect port 8080 to port 80 on 10.32.25.2 from the inside.
Any clue?
Edit #1
Attempting to help facilitate this question I put this diagram together. Please feel free to update if it's incorrect or misrepresenting what you're looking for.
                                  iptables
                                     |                   .---------------.
    .-,(  ),-.                       v                port 80            |
 .-(          )-.        port 8080________               |               |
(    internet    )------------>[_...__...°]------------->|      NAS      |
 '-(          ).-'     10.32.25.2    ^    10.32.25.1     |               |
     '-.( ).-'                       |                   |               |
                                     |                   '---------------'
                                     |
                                     |
                                   __  _
                                  [__]|=|
                                  /::/|_|
-
David Bélanger about 11 years
@slm Exactly. Nothing happens on 10.32.25.2:8080 because the server is on port 80. From the outside, the NAT redirects from port 8080 to port 80 on the specified IP (10.32.25.2). NET -> NAT:8080 -> 10.32.25.2:80. I need the rule from the inside and I don't know what to put there.
-
David Bélanger about 11 years
@slm Yes, everything is fine and working. I just want to redirect port 10.32.25.1:8080 to 10.32.25.2:80 from the internal network.
-
Rahul Patil about 11 years
Also mention the interface, like eth0 10.32.25.2, so that we are able to write iptables use based on inbound interface
-
Rahul Patil about 11 years
Oops, sorry, I just saw... you already solved the issue.
-
machineaddict almost 10 years
The second rule is not necessary, as the first rule already contains that...
-
tu-Reinstate Monica-dor duh about 9 years
The first rule restricts the preroute only if it's arriving on interface eth1. The second rule is more general as it applies to all interfaces. Beware loops!
-
ColinM over 8 years
Thank you so much for this, I would have been pulling my hair out for hours!