How to redirect/forward a port locally
I want to forward port 500 to port 2500 within the same host and the following was working on Lubuntu 16.04, but after rebooting and re-running iptables commands, I can't get it to work:
iptables -t nat -A PREROUTING -p udp -d 192.168.1.10 --dport 500 -j DNAT --to-destination 192.168.1.10:2500
iptables -A FORWARD -p udp -d 192.168.1.10 --dport 2500 -j ACCEPT
where 192.168.1.10 is the IP of my local host.
To test, in one session I run netcat:
nc -u 192.168.1.10 500
and in a 2nd session run:
nc -l -u 500
and in a 3rd session run:
nc -l -u 2500
So I want data I enter in session 1 to be received in session 3, not session 2. I did have this working, but can't get it working again.
I also tried:
iptables -t nat -A PREROUTING -p udp --dport 500 -j REDIRECT --to-port 2500
but packets are still being received on port 500, not 2500.
ufw is disabled and to make sure iptables is working I tried:
iptables -A INPUT -p udp --dport 500 -j DROP
and then packets were not received on port 500 or 2500 as expected.
Port forwarding is enabled:
# cat /proc/sys/net/ipv4/ip_forward
1
Session output below:
root@mike-TravelMate-8371:~/nat/out# iptables -t nat -S;iptables -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -d 192.168.1.10/32 -p udp -m udp --dport 500 -j DNAT --to-destination 192.168.1.10:2500
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -d 192.168.1.10/32 -p udp -m udp --dport 2500 -j ACCEPT
root@mike-TravelMate-8371:~/nat/out# nohup nc -l -u 2500 > nc_2500.out &
[1] 29806
root@mike-TravelMate-8371:~/nat/out# nohup: ignoring input and redirecting stderr to stdout
root@mike-TravelMate-8371:~/nat/out# nohup nc -l -u 500 > nc_500.out &
[2] 29810
root@mike-TravelMate-8371:~/nat/out# nohup: ignoring input and redirecting stderr to stdout
root@mike-TravelMate-8371:~/nat/out# jobs
[1]- Running nohup nc -l -u 2500 > nc_2500.out &
[2]+ Running nohup nc -l -u 500 > nc_500.out &
root@mike-TravelMate-8371:~/nat/out# nc -u 192.168.1.10 500
test forwarding UDP port 500 to 2500
^C
[2]+ Done nohup nc -l -u 500 > nc_500.out
root@mike-TravelMate-8371:~/nat/out# head nc*.out
==> nc_2500.out <==
==> nc_500.out <==
test forwarding UDP port 500 to 2500
root@mike-TravelMate-8371:~/nat/out# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp2s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
link/ether 00:1e:33:24:98:86 brd ff:ff:ff:ff:ff:ff
3: wlp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:22:fb:64:bd:42 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.10/24 brd 192.168.1.255 scope global dynamic wlp1s0
valid_lft 85651sec preferred_lft 85651sec
inet6 fd58:7f66:569d:5300:c5df:415:6c56:50d6/64 scope global temporary dynamic
valid_lft 6788sec preferred_lft 3188sec
inet6 fd58:7f66:569d:5300:75d:bbe9:652e:6587/64 scope global mngtmpaddr noprefixroute dynamic
valid_lft 6788sec preferred_lft 3188sec
inet6 fe80::e214:14f8:d95c:73a7/64 scope link
valid_lft forever preferred_lft forever
4: vboxnet0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
link/ether 0a:00:27:00:00:00 brd ff:ff:ff:ff:ff:ff
inet 192.168.56.1/24 brd 192.168.56.255 scope global vboxnet0
valid_lft forever preferred_lft forever
inet6 fe80::800:27ff:fe00:0/64 scope link
valid_lft forever preferred_lft forever
root@mike-TravelMate-8371:~/nat/out# ip route
default via 192.168.1.1 dev wlp1s0 proto static metric 600
192.168.1.0/24 dev wlp1s0 proto kernel scope link src 192.168.1.10 metric 600
192.168.56.0/24 dev vboxnet0 proto kernel scope link src 192.168.56.1 linkdown
The reason I want to forward ports is that I want to set up a VPN between an external server and a guest running in VirtualBox. The Vbox guest is using the "NAT" network, so Vbox has its own port forwarding to forward ports to the VM, which has IP 10.0.2.15, so in Vbox the port forwarding rules are:
- TCP Host 2222 to Vbox guest 22
- UDP Host 4500 to Vbox guest 4500
- UDP Host 2500 to Vbox guest 500
The first means I can ssh to guest using "ssh -p 2222 root@192.168.1.10"
The second means I can send UDP packets on 4500, so I can send packets using "nc -u 192.168.1.10 4500" from host and I can see them being received on Vbox guest using "nc -l -u 4500" (the packets are NOT seen if you run "nc -l -u 4500" on the host)
The third is because Vbox will NOT forward reserved ports under 1024 so I cannot forward port 500, so with this rule I can use "nc -u 192.168.1.10 2500" on host and receive UDP packets on Vbox guest using "nc -l -u 500".
So I want to forward UDP port 500 on the host to port 2500, so that these packets are forwarded by Vbox to port 500 on the guest. This was working, but after rebooting and re-running the iptables commands it didn't work, and after several hours working on this I cannot figure out what I have done differently.
I have tried setting up iptables (and Vbox) with TCP forwarding and this doesn't work either; I have tried ufw, and I have tried forwarding local ports with and without Vbox running, and ports are never forwarded.
I have also tried forwarding port to a non-existent IP:
iptables -t nat -A PREROUTING -p udp -d 192.168.1.10 --dport 500 -j DNAT --to-destination 192.168.1.30:500
iptables -A FORWARD -p udp -d 192.168.1.30 --dport 500 -j ACCEPT
So here IP 192.168.1.30 does not exist but if I run "nc -u 192.168.1.10 500" in one session then I can still receive packets listening on host (IP of 192.168.1.10).
I have tried forwarding TCP port 3222 to port 22 so that I can test without netcat, but this doesn't work:
root@mike-TravelMate-8371:~/nat# iptables -t nat -S;iptables -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -d 192.168.1.10/32 -p tcp -m tcp --dport 3222 -j DNAT --to-destination 192.168.1.10:22
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -d 192.168.1.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
root@mike-TravelMate-8371:~/nat# telnet 192.168.1.10 22
Trying 192.168.1.10...
Connected to 192.168.1.10.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4
^C
Connection closed by foreign host.
root@mike-TravelMate-8371:~/nat# telnet 192.168.1.10 3222
Trying 192.168.1.10...
telnet: Unable to connect to remote host: Connection refused
root@mike-TravelMate-8371:~/nat#
So here I can reach ssh port directly using port 22, but I can't via 3222 so forwarding is not working.
networking iptables
edited Jun 6 at 9:12
asked Jun 5 at 9:14
Mike Bounds
Is the INPUT of the incoming port ACCEPTed? (iptables -A INPUT -p tcp --dport 500 -j ACCEPT). And I have another syntax that redirects to the local port directly: iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 500 -j REDIRECT --to-port 2500. Don't forget to enable forwarding on your host (cat /proc/sys/net/ipv4/ip_forward). Hope this helps.
– Eraseth
Jun 5 at 12:46
Your REDIRECT line is -p tcp when it should be udp, I think? Why not use UFW, e.g. this solution. I avoid iptables; does it need TCP to set up the link initially, perhaps -p all? It looks like you get incoming traffic on 500 and send it to 2500, but do you also need to allow outgoing traffic to 500?
– pbhj
Jun 5 at 13:48
Thanks - "p tcp" was a typo, so I corrected this. I added more information to my post to explain why I am trying to do this and some of the things I have tried so far.
– Mike Bounds
Jun 6 at 9:15
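Added note and example (not part of the original question, comments or answer). The rule dump and test results in the question are consistent with how the nat table works: it is consulted once per connection, at the first nat hook that connection reaches. A packet arriving on a network interface reaches nat/PREROUTING first, so the DNAT there applies to it. A packet generated on the host itself (nc -u 192.168.1.10 500 or telnet 192.168.1.10 3222 run on the same machine) reaches nat/OUTPUT first and is never matched by a nat/PREROUTING rule, even though it loops back through lo. That is why the local tests land on port 500 and port 22 unchanged, why a PREROUTING DNAT to the non-existent 192.168.1.30 made no visible difference, and why a filter INPUT DROP (which every packet arriving on lo does traverse) did take effect. A second point: once the DNAT target is a local address, the packet is delivered through INPUT, not FORWARD, so the FORWARD rules and ip_forward=1 play no part in this setup. The shell functions below assume the question's values (host IP 192.168.1.10, UDP 500 rewritten to 2500); they print the rule sets for both paths, and check_local_dnat inspects an "iptables -t nat -S" dump for the nat/OUTPUT rule that tests run from the host itself need. Only apply_rules changes anything, and it must run as root.

```shell
#!/bin/sh
# Added example; not from the original question or answer.
# Assumes the values from the question: host IP 192.168.1.10, UDP 500 -> 2500.
HOST_IP=192.168.1.10
FROM_PORT=500
TO_PORT=2500

# Path 1: packets that ARRIVE on a network interface (the external VPN server
# sending to 192.168.1.10:500). They hit nat/PREROUTING, get DNATed, and because
# the new destination is still a local address they are delivered through
# filter/INPUT, not FORWARD. ip_forward and FORWARD rules play no part.
# The INPUT rule only matters if the INPUT policy is DROP (it is ACCEPT in the
# question's dump).
prerouting_rules() {
    printf '%s\n' \
        "iptables -t nat -A PREROUTING -p udp -d $HOST_IP --dport $FROM_PORT -j DNAT --to-destination $HOST_IP:$TO_PORT" \
        "iptables -A INPUT -p udp -d $HOST_IP --dport $TO_PORT -j ACCEPT"
}

# Path 2: packets GENERATED on the host itself (nc -u 192.168.1.10 500 or
# telnet 192.168.1.10 3222 run locally). The nat table is consulted once per
# connection at the first nat hook it reaches; for local packets that is
# nat/OUTPUT, so a nat/PREROUTING rule never sees them even though they loop
# back through lo. A DNAT (or REDIRECT) in nat/OUTPUT is what local tests need.
# -d $HOST_IP keeps the rewrite from touching traffic to any other address.
output_rules() {
    printf '%s\n' \
        "iptables -t nat -A OUTPUT -p udp -d $HOST_IP --dport $FROM_PORT -j DNAT --to-destination $HOST_IP:$TO_PORT"
}

# Check a ruleset dump (output of `iptables -t nat -S` on stdin): is there a
# DNAT or REDIRECT in nat/OUTPUT for FROM_PORT? Returns 0 if yes, 1 if not.
check_local_dnat() {
    if grep -Eq "^-A OUTPUT .*--dport $FROM_PORT .*-j (DNAT|REDIRECT)"; then
        echo "ok: nat/OUTPUT translates locally generated traffic to udp/$FROM_PORT"
        return 0
    fi
    echo "missing: no nat/OUTPUT DNAT or REDIRECT for udp/$FROM_PORT; tests run from this host will not be translated"
    return 1
}

# Apply both rule sets (needs root), then verify the nat table.
apply_rules() {
    { prerouting_rules; output_rules; } | sh -e
    iptables -t nat -S | check_local_dnat
}
```

To exercise the PREROUTING path the way the external VPN server would, send the datagram from another machine on the LAN rather than from the host; the VirtualBox NAT engine's listener on host port 2500 then receives the translated packet as ordinary local delivery. The nat/OUTPUT rule affects every process on the host that talks to 192.168.1.10:500, which is the intent here, but it is worth keeping the -d restriction so connections to other hosts on port 500 are left alone. Rules added this way are, as with any iptables command, gone after a reboot.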
1 Answer
Iptables rules are not persistent across reboots. You might have to add the rules back after a reboot, or use iptables-save / iptables-persistent.
Refer to this link:
How can I make a specific set of iptables rules permanent?
I have re-added the rules after rebooting, but they do not work, so I can't figure out what I have done differently. – Mike Bounds, Jun 5 at 11:30
answered Jun 5 at 9:22 by Mystic monk
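A host's packets to one of its own addresses never enter the nat PREROUTING chain, which sees only packets arriving on an interface; they pass through the nat OUTPUT chain instead, so a nc test run on the same host can fail even after the question's PREROUTING rule has been restored. The checker below is an added example, not code from the question or the answer: it parses iptables-save output (both dumps are constructed from the nat table shown in the question) and reports which of those two chains carries the 500 to 2500 redirect.

```python
# Added checker, not code from the question or answers; the dumps below are
# constructed in iptables-save form from the nat table shown in the question.
import shlex
from typing import Dict
QUESTION_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 192.168.1.10/32 -p udp -m udp --dport 500 -j DNAT --to-destination 192.168.1.10:2500
COMMIT
"""
# Same table plus a nat OUTPUT rule, the chain that locally generated packets traverse.
LOCAL_DUMP = QUESTION_DUMP.replace(
    "COMMIT", "-A OUTPUT -d 192.168.1.10/32 -p udp -m udp --dport 500 -j REDIRECT --to-ports 2500\nCOMMIT")
OPTS = {"-p": "proto", "--dport": "dport", "-j": "target"}

def parse_rule(line: str) -> Dict[str, str]:
    # Pull chain, protocol, dport, target and translated port out of one '-A CHAIN ...' line.
    toks = shlex.split(line)
    rule = {"chain": toks[1]}
    i = 2
    while i + 1 < len(toks):
        opt, val = toks[i], toks[i + 1]
        if opt in OPTS:
            rule[OPTS[opt]] = val
        elif opt in ("--to-destination", "--to-ports", "--to-port"):
            rule["to_port"] = val.rsplit(":", 1)[-1].split("-")[0]  # 'addr:port', 'port' or 'port-port'
        else:
            i += 1  # option we do not track: step one token, not two
            continue
        i += 2
    return rule

def nat_redirect_chains(dump: str, proto: str, dport: int, to_port: int) -> Dict[str, int]:
    # Count nat-table rules that DNAT/REDIRECT proto:dport to to_port, keyed by chain.
    chains, table = {}, None
    for line in (ln.strip() for ln in dump.splitlines()):
        if line.startswith("*"):
            table = line[1:]
        elif table == "nat" and line.startswith("-A "):
            r = parse_rule(line)
            if (r.get("proto") == proto and r.get("dport") == str(dport)
                    and r.get("target") in ("DNAT", "REDIRECT") and r.get("to_port") == str(to_port)):
                chains[r["chain"]] = chains.get(r["chain"], 0) + 1
    return chains

def check_local_redirect(dump: str, proto: str = "udp", dport: int = 500, to_port: int = 2500) -> Dict[str, bool]:
    # PREROUTING only sees packets arriving on an interface; OUTPUT sees packets this host sends to itself.
    chains = nat_redirect_chains(dump, proto, dport, to_port)
    return {"from_network": "PREROUTING" in chains, "locally_generated": "OUTPUT" in chains}
```

Feed it the real output of `iptables-save` after a reboot to confirm both that the rules came back and that the chain matching your test traffic actually has one.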