Is there a way to change local port bound using iptables? - sockets

Sorry, I'm a noob in iptables.
I have a VPN app which binds on local port 1080, while it goes to destination port 1194 (openvpn). The app does not support privileged port binding (which needs root, which I have). I want the app to bind on local port 25. I have browsed Google and the answer seems to be iptables. I have seen many posts, many of which say the SNAT target is the one I should use.
I have tried this code:
iptables -I POSTROUTING -o wlan0 -t nat -p tcp --destination 195.123.216.159 -m tcp --dport 1194 -j SNAT --to-source 192.168.43.239:25
And these:
iptables -I FORWARD -p tcp -d 192.168.43.239 -m tcp --dport 25 -j ACCEPT
iptables -I FORWARD -p tcp -s 192.168.43.239 -m tcp --sport 25 -j ACCEPT
iptables -I OUTPUT -o wlan0 -p tcp -m tcp --sport 25 -j ACCEPT
iptables -I INPUT -i wlan0 -p tcp -m tcp --dport 25 -j ACCEPT
What I want is for the output to be something like this when I run the netstat command:
tcp 0 0 192.168.43.239:25 195.123.216.159:1194 ESTABLISHED
But instead, after running all the commands, the netstat output becomes this:
tcp 0 0 192.168.43.239:1080 195.123.216.159:5000 ESTABLISHED
Is it impossible to change the binding port using iptables? Please help me understand the concepts of networking.

Turns out iptables was just doing its job correctly. Translated packets turn out not to be tracked by netstat. I was lost and completely didn't understand that iptables doesn't alter IPv6 traffic, which the app was using. And the forward rules were not necessary since the chain policy was to accept the packets.
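The self-answer above is the key point: netstat lists the socket's own local tuple, while the SNAT rewrite only exists in the connection-tracking table. The following added example (not from the post) parses constructed /proc/net/nf_conntrack lines in the format the kernel uses and compares the socket's local port with the port the peer actually sees; the sample addresses and the IPv6 entry are constructed to mirror the situation in the post.

```python
import re

# Constructed sample of a /proc/net/nf_conntrack line for the post's setup:
# the app's socket is bound to 192.168.43.239:1080, and the SNAT rule rewrote
# the source port to 25 on packets to 195.123.216.159:1194. The reply tuple
# therefore points back at port 25, not 1080.
SAMPLE_V4 = ("ipv4     2 tcp      6 431999 ESTABLISHED "
             "src=192.168.43.239 dst=195.123.216.159 sport=1080 dport=1194 "
             "src=195.123.216.159 dst=192.168.43.239 sport=1194 dport=25 "
             "[ASSURED] mark=0 use=1")
# Constructed IPv6 entry (documentation prefix 2001:db8::/32): an iptables
# (IPv4) SNAT rule never touches it, so the reply tuple still carries 1080.
SAMPLE_V6 = ("ipv6    10 tcp      6 431999 ESTABLISHED "
             "src=2001:db8::2 dst=2001:db8::1 sport=1080 dport=1194 "
             "src=2001:db8::1 dst=2001:db8::2 sport=1194 dport=1080 "
             "[ASSURED] mark=0 use=1")

KV = re.compile(r"(src|dst|sport|dport)=(\S+)")

def parse_conntrack_line(line):
    """Split one nf_conntrack line into its original and reply tuples."""
    fields = line.split()
    family, proto = fields[0], fields[2]
    pairs = KV.findall(line)          # 8 pairs: 4 original, then 4 reply
    orig = dict(pairs[:4])
    reply = dict(pairs[4:8])
    return {"family": family, "proto": proto, "orig": orig, "reply": reply}

def on_wire_source(entry):
    """The source the remote peer sees is the reply tuple's destination."""
    return entry["reply"]["dst"], int(entry["reply"]["dport"])

def snat_applied(entry):
    """True when the socket's local port differs from the port on the wire."""
    return int(entry["orig"]["sport"]) != int(entry["reply"]["dport"])

if __name__ == "__main__":
    for line in (SAMPLE_V4, SAMPLE_V6):
        e = parse_conntrack_line(line)
        host, port = on_wire_source(e)
        print(f"{e['family']}: socket port {e['orig']['sport']} -> "
              f"on wire {host}:{port} (SNAT applied: {snat_applied(e)})")
```

On a real box, feed it the lines from cat /proc/net/nf_conntrack (or conntrack -L, whose lines lack the leading family column); an ipv6 entry with an unchanged port is the symptom the self-answer describes.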

Related

redirect traffic with iptables to local port

I have a machine IP1 that sends packets to port 54321 of IP2. I want to redirect these requests to port 8080 of IP1 before these packets leave machine IP1 and go to IP2. This means I need to filter outgoing traffic.
I tried answers from related questions but they do not help:
iptables -t nat -A OUTPUT -p tcp -d IP1 --dport 54321 -j REDIRECT --to-ports 8080
iptables -t nat -A OUTPUT -p tcp --dport 54321 -j DNAT --to-destination 127.0.0.1:8080
Reading the definitions of DNAT and REDIRECT still leaves me confused about what should work here.
Edit:
iptables -t nat -A OUTPUT -p tcp --dport 54321 -j DNAT --to-destination 127.0.0.1:8080

allow port for some IPs IPTABLES

On CentOS 7 I use the following commands to drop some port and allow it for one IP:
iptables -A INPUT -p tcp --dport 2001 -s 1.1.1.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 2001 -j DROP
service iptables save
and everything works fine.
But when I want to add another IP to allow with this command, it doesn't work for the second IP.
iptables -A INPUT -p tcp --dport 2001 -s 2.2.2.2 -j ACCEPT
service iptables save
** Solved **
I use the -I flag. This would insert your rule at the first position of the INPUT chain's rules.
iptables -I INPUT -p tcp --dport 2001 -s 2.2.2.2 -j ACCEPT
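The fix above works because of first-match evaluation: a rule appended with -A lands after the DROP and is never consulted, while -I puts it at the top. The following added example (not from the post) is a small simulator of that first-match logic for the subset of iptables syntax the post uses (-A/-I INPUT, -p, --dport, -s, -j); it is a model for reasoning about rule order, not the kernel's matcher, and the packet values are constructed.

```python
import ipaddress
import shlex

class Rule:
    """One INPUT rule: unset fields match anything, as in iptables."""
    def __init__(self, proto, dport, src, target):
        self.proto, self.dport, self.src, self.target = proto, dport, src, target

def parse_rule(cmd):
    """Parse 'iptables -A|-I CHAIN [-p P] [--dport N] [-s IP] -j TARGET'."""
    args = shlex.split(cmd)
    mode, chain = args[1], args[2]
    opts = dict(zip(args[3::2], args[4::2]))      # every option here takes a value
    return mode, chain, Rule(
        proto=opts.get("-p"),
        dport=int(opts["--dport"]) if "--dport" in opts else None,
        src=ipaddress.ip_network(opts["-s"]) if "-s" in opts else None,
        target=opts["-j"])

class Chain:
    def __init__(self, policy="ACCEPT"):
        self.rules, self.policy = [], policy

    def apply(self, cmd):
        mode, _chain, rule = parse_rule(cmd)
        if mode == "-A":
            self.rules.append(rule)           # goes to the end of the chain
        elif mode == "-I":
            self.rules.insert(0, rule)        # -I without a rulenum means position 1

    def verdict(self, proto, dport, src):
        """First matching rule decides; otherwise the chain policy applies."""
        for r in self.rules:
            if (r.proto in (None, proto) and r.dport in (None, dport)
                    and (r.src is None or ipaddress.ip_address(src) in r.src)):
                return r.target
        return self.policy

def demo():
    chain = Chain()
    chain.apply("iptables -A INPUT -p tcp --dport 2001 -s 1.1.1.1 -j ACCEPT")
    chain.apply("iptables -A INPUT -p tcp --dport 2001 -j DROP")
    # Appending the second allow places it behind the DROP, so it never matches.
    chain.apply("iptables -A INPUT -p tcp --dport 2001 -s 2.2.2.2 -j ACCEPT")
    appended = chain.verdict("tcp", 2001, "2.2.2.2")
    # Inserting it instead puts it ahead of the DROP.
    chain.apply("iptables -I INPUT -p tcp --dport 2001 -s 2.2.2.2 -j ACCEPT")
    inserted = chain.verdict("tcp", 2001, "2.2.2.2")
    return appended, inserted

if __name__ == "__main__":
    print(demo())
```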

IP tables on VPS

I am trying to setup iptables on a GoDaddy Virtual Host using the following:
iptables -P INPUT ACCEPT
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -L -v
## open port ssh tcp port 22 ##
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
## open tcp port 25 (smtp) for all ##
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
## open dns server ports for all ##
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
## open http/https (Apache) server port to all ##
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
## open tcp port 110 (pop3) for all ##
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
## open tcp port 143 (imap) for all ##
iptables -A INPUT -p tcp --dport 143 -j ACCEPT
Every time I start the iptables service, none of the websites on this server are functioning and I can't access Plesk.
If I run service iptables stop, it all works again. Is there a simple syntax error here?
Are you running /etc/init.d/iptables save to save your rules? If you are on CentOS 6 you will need to run yum install policycoreutils prior to /etc/init.d/iptables save or you will get an error. Once you save the rules you need to restart iptables.
Also, you need to add a rule for port 8443 to be able to get to Plesk.

Packet Filtering and Forwarding

Can we filter all the packets coming to Host1:Port_A from *:Port_B and forward them to, say, Host1:Port_C?
I want to forward all the packets coming from port 9875 of any host at port 22 of my machine to port 5432 of my machine. What should the iptables rules corresponding to this be?
Try this one:
iptables -t nat -A PREROUTING -p tcp --source-port 9876 --destination-port 22 -j DNAT --to-destination 192.168.1.1:5432
Don't forget to change the address in the destination :)

iptables redirect local connections

I used
iptables -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 8085
to redirect all http requests to jboss server on port 8085. This works fine if packets come from outside.
If I try to open it from the same machine it doesn't work. Telnet gives connection refused.
How do I redirect local connections?
Working on CentOS, kernel 2.6.18 x64
Locally generated packets do not come in on eth0.
You have to do this:
iptables -t nat -A OUTPUT --src 0/0 --dst 127.0.0.1 -p tcp --dport 80 -j REDIRECT --to-ports 8085
and
To redirect locally generated packets, you must have the kernel option CONFIG_IP_NF_NAT_LOCAL set to Y
from: http://wiki.debian.org/Firewalls-local-port-redirection
Also, to allow forwarding, just run the command
sysctl -w net.ipv4.ip_forward=1