iptables redirect local connections - centos

I used
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 8085
to redirect all http requests to jboss server on port 8085. This works fine if packets come from outside.
If I try to open it from the same machine it doesn't work. Telnet gives connection refused.
How do I redirect local connections?
Working on centos, kernel 2.6.18 x64

Locally generated packets do not come in on eth0.
You have to do this:
iptables -t nat -A OUTPUT --src 0/0 --dst 127.0.0.1 -p tcp --dport 80 -j REDIRECT --to-ports 8085
and
To redirect locally generated packets, you must have the kernel option CONFIG_IP_NF_NAT_LOCAL set to Y
from: http://wiki.debian.org/Firewalls-local-port-redirection

Also, to allow forwarding, just run the command
sysctl -w net.ipv4.ip_forward=1
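An added example, not from the question or the answer above: a POSIX shell script that emits both REDIRECT rules (one for traffic arriving on the external interface, one for locally generated traffic) in iptables-restore format, so they can be loaded atomically and inspected before anything is applied. The interface and port numbers are parameters; the `-o lo` match in the nat OUTPUT chain is used instead of `--dst 127.0.0.1` because the kernel routes every locally generated packet addressed to one of the host's own addresses (127.0.0.1 as well as the eth0 address) over lo. REDIRECT hands the packet to a local socket, so it does not depend on net.ipv4.ip_forward.

```sh
#!/bin/sh
# Added example: redirect a TCP port to a local service for both inbound
# and locally generated connections (e.g. 80 -> 8085). Rules are emitted in
# iptables-restore format; nothing touches the kernel until
# apply_redirect_rules is called.

# build_redirect_rules IFACE FROM_PORT TO_PORT
build_redirect_rules() {
    iface=$1; from=$2; to=$3
    cat <<EOF
*nat
# connections arriving from the network on $iface
-A PREROUTING -i $iface -p tcp --dport $from -j REDIRECT --to-ports $to
# connections made from this host: they never enter via $iface, only via lo
-A OUTPUT -o lo -p tcp --dport $from -j REDIRECT --to-ports $to
COMMIT
EOF
}

# count_redirects IFACE FROM_PORT TO_PORT: number of REDIRECT rules emitted
count_redirects() {
    build_redirect_rules "$@" | grep -c -- '-j REDIRECT'
}

# apply_redirect_rules IFACE FROM_PORT TO_PORT: load the fragment without
# flushing the rest of the nat table. Loading it twice duplicates the rules,
# so check `iptables -t nat -S` before re-running.
apply_redirect_rules() {
    build_redirect_rules "$@" | iptables-restore --noflush
}

# verify_redirect FROM_PORT: list nat rules for the port with packet counters,
# which shows whether the rule is actually matching traffic.
verify_redirect() {
    iptables -t nat -L -v -n --line-numbers | grep -E "dpt:$1( |\$)"
}
```

Run `build_redirect_rules eth0 80 8085` first to review the fragment, then `apply_redirect_rules eth0 80 8085` as root; `verify_redirect 80` afterwards should show non-zero counters on both rules once a connection from outside and one from the host itself have been made.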

Related

Connection to server java.net.SocketException: Socket closed

I'm trying to connect to my Google VPS server, but constantly getting the error:
java.net.SocketTimeoutException: timeout
java.net.SocketException: Socket closed
I've created a system service on my server, which listens on port 8080. I've forwarded the default HTTP traffic to port 8080 and made sure ports 80 & 8080 are open:
iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
I've also saved the iptables rules:
sudo apt-get install iptables-persistent
I've checked if the service actually listens on the port by sudo netstat -tunlp:
tcp6 0 0 :::8080 :::* LISTEN 5789/java -> it does
This is my retrofitBuilder in the app, which is trying to connect to the server on the standard HTTP port:
return Retrofit.Builder()
.baseUrl("http://34.118.22.134/")
.addConverterFactory(MoshiConverterFactory.create())
.build()
.create()
}
When testing the service locally, it works as expected; the service on the server also works fine.
When I do sudo ss -ltnp, I see that port 80 is not in "listening state", only port 8080 and several others are. I don't want to use ufw to enable it because that will disrupt the SSH connection.
Postman can't reach the server either and it's throwing a 500 internal server error.
I do not manipulate sockets in code in any way.
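An added example, not from the question above: a shell audit that checks an `iptables-save` dump for the three rules the setup relies on (the nat PREROUTING redirect and the two INPUT accepts). A REDIRECT never creates a listening socket on port 80, so `ss -ltnp` not showing port 80 is expected; the nat table is where to look. The dump embedded here is constructed for the example and is not output captured from the server.

```sh
#!/bin/sh
# Added example: audit an iptables-save dump for a port-80 -> 8080 redirect
# and the matching INPUT accepts. Reads the dump on stdin.

# Constructed sample of `iptables-save` output for the example.
SAMPLE_DUMP='# Generated by iptables-save
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
COMMIT'

# has_rule TABLE PATTERN: exit 0 if an "-A" line matching the extended regex
# PATTERN exists inside TABLE of the dump read from stdin. Table scope is
# tracked by the "*table" and "COMMIT" markers of the save format.
has_rule() {
    awk -v table="$1" -v pat="$2" '
        /^\*/     { cur = substr($0, 2); next }
        /^COMMIT/ { cur = ""; next }
        cur == table && /^-A / && $0 ~ pat { found = 1 }
        END { exit found ? 0 : 1 }'
}

# audit_redirect FROM_PORT TO_PORT: report each missing rule on stderr and
# print the number of missing rules on stdout (0 means the set is complete).
audit_redirect() {
    from=$1; to=$2; missing=0
    dump=$(cat)
    printf '%s\n' "$dump" | has_rule nat "PREROUTING .*--dport $from .*-j REDIRECT --to-ports $to\$" \
        || { echo "missing: nat PREROUTING redirect $from -> $to" >&2; missing=$((missing + 1)); }
    for p in "$from" "$to"; do
        printf '%s\n' "$dump" | has_rule filter "INPUT .*--dport $p .*-j ACCEPT\$" \
            || { echo "missing: filter INPUT accept for port $p" >&2; missing=$((missing + 1)); }
    done
    echo "$missing"
}

# On a real host: iptables-save | audit_redirect 80 8080
```

Note the trailing `$` in the patterns: `--dport 80 ` followed by a space is required, so a rule for port 8080 does not satisfy a check for port 80.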

Is there a way to change local port bound using iptables?

Sorry, I'm a noob in iptables.
I have a VPN app which binds on local port 1080, while it goes to destination port 1194 (OpenVPN). The app does not support privileged port binding (which needs root, which I have). I want the app to bind on local port 25. I have browsed Google and the answer seems to be iptables. I have seen many posts, of which many say the SNAT target is the one I should use.
I have tried this code:
iptables -I POSTROUTING -o wlan0 -t nat -p tcp --destination 195.123.216.159 -m tcp --dport 1194 -j SNAT --to-source 192.168.43.239:25
And these:
iptables -I FORWARD -p tcp -d 192.168.43.239 -m tcp --dport 25 -j ACCEPT
iptables -I FORWARD -p tcp -s 192.168.43.239 -m tcp --sport 25 -j ACCEPT
iptables -I OUTPUT -o wlan0 -p tcp -m tcp --sport 25 -j ACCEPT
iptables -I INPUT -i wlan0 -p tcp -m tcp --dport 25 -j ACCEPT
What I want is to make the output to be something like this when I run the netstat command:
tcp 0 0 192.168.43.239:25 195.123.216.159:1194 ESTABLISHED
But instead, after running all the codes, the output to netstat becomes this:
tcp 0 0 192.168.43.239:1080 195.123.216.159:5000 ESTABLISHED
Is it impossible to change binding port using iptables? Please help me to understand the concepts of networking.
Turns out iptables was just doing its job correctly. Translated packets turn out not to be tracked by netstat. I was lost and completely didn't understand that iptables doesn't alter IPv6 traffic, which the app was using. And the forward rules were not necessary since the chain policy was to accept the packets.
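An added example, not from the question or its self-answer: since netstat and ss only show sockets as the application bound them, the place to confirm an SNAT rewrite is the connection-tracking table (`conntrack -L`, or `/proc/net/nf_conntrack`). The awk filter below reads `conntrack -L` lines and prints, per entry, the original tuple and the source the peer actually sees, taken from the reply tuple. The sample entry is constructed for the example in the `conntrack -L` layout and is not captured output. IPv6 connections have their own tables (`ip6tables`, and `conntrack -f ipv6 -L`), which is why an IPv4-only rule set leaves IPv6 traffic untouched.

```sh
#!/bin/sh
# Added example: show what source address and port a peer sees for a
# SNAT'ed connection, by reading conntrack entries instead of netstat.

# Constructed sample of one `conntrack -L` entry (not captured from a host):
# original direction first, then the reply direction.
SAMPLE_CT='tcp      6 431998 ESTABLISHED src=192.168.43.239 dst=195.123.216.159 sport=1080 dport=1194 src=195.123.216.159 dst=192.168.43.239 sport=1194 dport=25 [ASSURED] mark=0 use=1'

# translated_source: reads conntrack -L lines on stdin and prints
#   ORIG_SRC:ORIG_SPORT -> DST:DPORT seen-as SRC:SPORT
# where the last pair is the reply tuple's destination, i.e. the post-SNAT
# source the remote peer replies to.
translated_source() {
    awk '
    {
        n = 0
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "src" || kv[1] == "dst" || kv[1] == "sport" || kv[1] == "dport") {
                n++; v[n] = kv[2]
            }
        }
        # v[1..4] = original src, dst, sport, dport
        # v[5..8] = reply    src, dst, sport, dport
        if (n == 8)
            printf "%s:%s -> %s:%s seen-as %s:%s\n", v[1], v[3], v[2], v[4], v[6], v[8]
    }'
}

# On a real host (IPv4 and IPv6 tables are separate):
#   conntrack -L 2>/dev/null | translated_source
#   conntrack -f ipv6 -L 2>/dev/null | translated_source
```

For the sample entry the output is `192.168.43.239:1080 -> 195.123.216.159:1194 seen-as 192.168.43.239:25`: the socket is still bound to 1080 (which is what netstat reports) while the packets leave with source port 25.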

How to allow incoming connection on a particular port from specific IP

I am running MongoDB in a Docker container with port 27017 exposed on the host to allow remote incoming connections. I want to block incoming connections on this port except from a particular IP. I tried with iptables but it is not working. Maybe because of the Docker service, for which the iptables commands need to be modified.
However I used the following commands:
myserver>iptables -I INPUT -p tcp -s 10.10.4.232 --dport 27017 -j ACCEPT
myserver>iptables -I INPUT -p tcp -s 0.0.0.0/0 --dport 27017 -j DROP
myserver>service iptables save
Then tried the following to check
mylocal>telnet myserver 27017
It is connected. So iptables is not working.
How do I do it?
I am using CentOS 6.8 and running mongodb 10 in a Docker container.
First, enable the source IP you wish to connect:
iptables -A INPUT -p tcp --dport 27017 -s 10.10.4.232 -j ACCEPT
Then DROP all the rest:
iptables -A INPUT -p tcp --dport 27017 -j DROP
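An added example, not from the question or the answer above, and assuming Docker 17.06 or later: traffic to a port Docker publishes is DNAT'ed in PREROUTING and then passes through FORWARD and Docker's own chains, never through INPUT, which is why INPUT rules on the host appear to have no effect. Docker creates the DOCKER-USER chain precisely for local policy, and leaves it alone on restarts. The script emits an allowlist for that chain in iptables-restore format; because `-I` inserts at the top, the DROP is emitted first so that it ends up below every ACCEPT and above Docker's default `-j RETURN`.

```sh
#!/bin/sh
# Added example: allow a Docker-published TCP port only from listed source
# addresses, using the DOCKER-USER chain. Emits an iptables-restore fragment.
# DOCKER-USER sees the post-DNAT destination, i.e. the container port; here
# host and container port are both 27017, so the numbers coincide.

# build_docker_allowlist PORT IP [IP...]
build_docker_allowlist() {
    port=$1; shift
    printf '%s\n' '*filter'
    # inserted first, so it ends up last among our rules
    printf '%s\n' "-I DOCKER-USER -p tcp --dport $port -j DROP"
    for ip in "$@"; do
        printf '%s\n' "-I DOCKER-USER -p tcp --dport $port -s $ip -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# nth_rule N PORT IP...: the N-th rule line of the fragment (1 = first -I line)
nth_rule() {
    n=$1; shift
    build_docker_allowlist "$@" | sed -n "$((n + 1))p"
}

# apply_docker_allowlist PORT IP...: load without flushing Docker's own rules.
apply_docker_allowlist() {
    build_docker_allowlist "$@" | iptables-restore --noflush
}

# On a real host, check the result with:
#   iptables -L DOCKER-USER -n -v --line-numbers
```

After loading, the chain reads ACCEPT for each listed address, then DROP for the port, then Docker's RETURN; connections from anywhere else to 27017 are silently dropped while the rest of DOCKER-USER is unchanged.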

Redirect port 443 (https) to IP using iptables

I've tried for some hours to do this simple job, but it is not as simple as you think.
I wanted to redirect every request for ports 443 and 80 to a webserver, in my example http://127.0.0.1:80
Port 80 worked without any problems, but port 443 took me a lot of time...
I guess you've tried already to run the following command:
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 443 -j DNAT --to-destination 127.0.0.1:80
But this is wrong, because the port 443 cannot be redirected to other ports than 443.
The solution is:
Use the following command:
iptables -t nat -A OUTPUT -p tcp --dport 443 -j DNAT --to-destination 127.0.0.1:443
Then enable https for apache.
If you are using CentOS use this tutorial - http://wiki.centos.org/HowTos/Https
Good luck.

Packet Filtering and Forwarding

Can we filter all the packets coming to Host1:Port_A from *:Port_B and forward them to, say, Host1:Port_C?
I want to forward all the packets coming from port 9875 of any host to port 22 of my machine on to port 5432 of my machine. What should the iptables rules for this be?
Try this one:
iptables -t nat -A PREROUTING -p tcp --source-port 9875 --destination-port 22 -j DNAT --to-destination 192.168.1.1:5432
Don't forget to change the address in the destination :)