Make CentOS 7.x a port forwarding NAT device
Solution 1
Anyway, you are missing a FORWARD RULE
iptables -A FORWARD -i ens160 -o ens192 -p tcp -m tcp -d 192.168.30.37 -m state --state NEW -j ACCEPT
You need to insert the above rules, before this:
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
Solution 2
In RedHat Entrprise Linux 7.0 (the "upstream" of CentOS 7.0) the intended interaction with iptables
is through firewalld
. Manually modifying the iptables
configuration, while possible, is not the intended method if interaction.
If you do want to modify the iptables
configuration directly you might want to have a look at documentation about iptables
. You're going down the right path but, for example, the -i
and -o
arguments are meant to denote ingress and egress interfaces (eth0
, etc), not hostnames. It looks like you just need some background on how iptables
works.
Related videos on Youtube
Yuan Chen
Updated on September 18, 2022Comments
-
Yuan Chen over 1 year
I would like to make CentOS a port forwarding NAT machine using iptables. This is the first time I've tried this and I think i might need a little help.
This is the configuration i'm trying to achieve. I'm trying to make a remote desktop connection through the CentOS machine on port 80 and have CentOS connect to the server on port 80.
192.168.0.120 is the client that should connect to port 80 on 192.168.30.37 by connecting to 192.168.0.100 (CentOS) on port 80.
- CentOS ens160 is 192.168.0.100/24
- CentOS ens192 is 192.168.30.254/24
- CentOS ens224 is 192.168.40.254/24
What I tried so far:
- Disabled SELINUX
Enabled IPv4 forwarding in /etc/sysctl.conf
/etc/sysctl.conf net.ipv4.ip_forward = 1
/etc/systemconfig/iptables is
*filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [12:944] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -i ens160 -o ens192 -m state --state RELATED,ESTABLISHED -j ACCEPT -A FORWARD -i ens192 -o ens160 -j ACCEPT -A FORWARD -i ens160 -o ens224 -m state --state RELATED,ESTABLISHED -j ACCEPT -A FORWARD -i ens224 -o ens160 -j ACCEPT -A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT *nat :PREROUTING ACCEPT [4:272] :INPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] -A PREROUTING -i ens160 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.30.37:80 -A POSTROUTING -o ens160 -j MASQUERADE -A POSTROUTING -d 192.168.0.100/32 -j MASQUERADE COMMIT
So is there anything wrong with my iptables rules? Or is there something I might be missing?
-
Yuan Chen over 9 yearsThanks, It works. I have tried this before but I place it after the reject.