IPTABLES Redirect a port to another IP


Welcome to Serverfault.

If I understand correctly, you are trying to expose port 25 of 10.0.10.172 on the public address 167.114.185.238, which is owned by server 10.0.9.6.

You have the PREROUTING right:

iptables -t nat -A PREROUTING -d 167.114.185.238 -p tcp --dport 25 -j DNAT --to 10.0.9.6

But you also need a corresponding POSTROUTING:

iptables -t nat -A POSTROUTING -d 10.0.9.6 -j SNAT --to 10.0.10.172

You also mentioned the following FORWARD rule, which is correct:

iptables -A FORWARD -d 10.0.9.6 -p tcp --dport 25 -j ACCEPT

But you only need it if you have any DROP rule or policy (-P) on the FORWARD table, which is not there by default. If you have any DROP rule, then you need to place that ACCEPT before the DROP rule, otherwise it will have no effect.

Finally, you also need to enable IPv4 forwarding:

sysctl -w net.ipv4.ip_forward=1

The following is not really needed, because the connections towards port 25 are originating outside your server and they already contain your public IP 167.114.185.238 as the destination:

iptables -t nat -A POSTROUTING -o venet0:0 -j MASQUERADE

If this answers your question, make sure to click on the checkmark button ✔ above on the left side.
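As an added example (not part of the answer above), the same DNAT/SNAT/FORWARD rules collected into an iptables-restore fragment that can be reviewed before loading and applied without flushing the chains already in place. The addresses are the thread's; the variable names, the conntrack return-path rule and the `-I FORWARD 1` placement (so the ACCEPT lands ahead of any DROP) are additions here.

```shell
#!/bin/sh
# Added example, not from the answer or the question: render the answer's
# DNAT/SNAT/FORWARD rules in iptables-restore syntax and load them without
# flushing existing chains.  Addresses are the thread's; PORT and the
# conntrack return-path rule are additions here.
set -eu

PUBLIC_IP=${PUBLIC_IP:-167.114.185.238}   # public address on the host
INSIDE_IP=${INSIDE_IP:-10.0.9.6}          # address the DNAT points at
SNAT_IP=${SNAT_IP:-10.0.10.172}           # source the answer's SNAT rewrites to
PORT=${PORT:-25}

# Emit the rule set on stdout.  -I FORWARD 1 (instead of -A) puts the ACCEPT
# ahead of any existing DROP rule, the ordering point made in the answer.  The
# ESTABLISHED,RELATED rule lets the reply half of each connection back through.
render_rules() {
  cat <<EOF
*nat
-A PREROUTING -d $PUBLIC_IP -p tcp --dport $PORT -j DNAT --to-destination $INSIDE_IP
-A POSTROUTING -d $INSIDE_IP -p tcp --dport $PORT -j SNAT --to-source $SNAT_IP
COMMIT
*filter
-I FORWARD 1 -d $INSIDE_IP -p tcp --dport $PORT -m conntrack --ctstate NEW -j ACCEPT
-I FORWARD 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Number of rule lines (those starting with -A or -I) in the rendered set.
count_rules() {
  render_rules | grep -c '^-[AI] '
}

# Load the rendered set.  -n (--noflush) keeps rules already present; passing
# -t (--test) only parses the set, so syntax can be checked without applying.
load_rules() {
  render_rules | iptables-restore -n "$@"
}

# Routing between interfaces is off by default; without it FORWARD is never hit.
enable_forwarding() {
  sysctl -w net.ipv4.ip_forward=1
}

if [ "${1:-}" = "apply" ]; then
  enable_forwarding
  load_rules
else
  render_rules        # default: print the rule set for review
fi
```

Run it with no arguments to inspect the rules, or pipe them through `load_rules -t` to syntax-check them before `apply`.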


Author: Luis

Updated on September 18, 2022

Comments

  • Luis
    Luis almost 2 years

    I have tried several posts to configure this redirect but it is not working; this is what I need.

    I am receiving packets on port 8080 and I want to redirect the packets to another IP on the same server. Why? Because for some reason it is not sending this to the Internet.

    Let me give more detail.

    Server A is sending port 2525 to server B but they are not in the same network. I can see the packets coming into Server B but they are not going out to the Internet.

    Server B has 2 IPs: one is a VPN tun1 connected to Server A and the other IP has Internet access. What I need, or I think I need, is to redirect traffic from the tun1 to the IP that has Internet access. I tried different configurations but it's not working.

    Any help will be appreciated.

    • Aaron
      Aaron almost 9 years
      Do you have a corresponding fw rule that would allow that port on the tun1 IP? As a test (only testing), if you were to tell the app to also listen on that IP on tun1, on that port, does it work?
    • Luis
      Luis almost 9 years
      Hi, Server A is running an email server and is sending port 25 to Server B. I want server B to act as if the email server is there. I can see the traffic coming from server A to server B using the VPN but Server B is doing nothing.
    • Luis
      Luis almost 9 years
      This is what I have:
      iptables -A FORWARD -d 10.0.9.6 -i venet0:0 -p tcp -m tcp --dport 25 -j ACCEPT
      iptables -t nat -A PREROUTING -d 167.114.185.238 -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.0.9.6
      iptables -t nat -A POSTROUTING -o venet0:0 -j MASQUERADE
      and I see this in my firewall on Server B:
      Sep 21 11:41:55 cosiab kernel: [1890626.882859] INPUT TCP IN=tun1 OUT= MAC= SRC=10.0.10.172 DST=10.0.9.6 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=65148 DF PROTO=TCP SPT=53453 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
    • Aaron
      Aaron almost 9 years
      And when you do a tcpdump on tun1, do you see packets reaching that interface? If you do a tcpdump on Server A, do you see packets being forwarded to server B?
    • Luis
      Luis almost 9 years
      Hi, I see packets coming to Server B:
      Sep 21 11:41:55 cosiab kernel: [1890626.882859] INPUT TCP IN=tun1 OUT= MAC= SRC=10.0.10.172 DST=10.0.9.6 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=65148 DF PROTO=TCP SPT=53453 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
      The IP 10.0.9.6 is on Server B.
    • Aaron
      Aaron almost 9 years
      And you see server B responding to the correct address?
    • Luis
      Luis almost 9 years
      Server B gets the packets but is not sending the packets to the Internet. For example, if I do telnet mail20.ixwebhosting.com 25, Server B gets the packet but is not sending the request to the Internet.
  • Luis
    Luis almost 9 years
    Hi, thank you for your answer. Server A 10.0.10.172 is sending traffic using 10.0.9.6, which is a VPN connection; this IP is on Server B, and Server B has the IP 167.114.185.238. I will try your instructions and I will let you know if it works. Thank you again.
  • Luis
    Luis almost 9 years
    Hi, unfortunately it didn't work. I see traffic coming to Server B on the IP 10.0.9.6 in my IPTABLES log:
    Sep 22 07:15:14 cosiab kernel: [1961026.212757] INPUT TCP IN=tun1 OUT= MAC= SRC=10.0.10.172 DST=10.0.9.6 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=37673 DF PROTO=TCP SPT=56081 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
  • Luis
    Luis almost 9 years
    These are my lines for IPTABLES:
    sysctl net.ipv4.ip_forward=1
    iptables -t nat -A PREROUTING -d 167.114.185.238 -p tcp --dport 25 -j DNAT --to 10.0.9.6
    iptables -t nat -A POSTROUTING -d 10.0.9.6 -j SNAT --to 10.0.10.172
    iptables -A FORWARD -d 10.0.9.6 -p tcp --dport 25 -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 25 -j LOG --log-prefix ' OUTPUT TCP ' --log-level 4
    iptables -A INPUT -p tcp --dport 25 -j LOG --log-prefix ' INPUT TCP ' --log-level 4
    I will appreciate any comment.