How to forward packets to another server using iptables?
Hello, the task is to redirect all traffic arriving at xxxx:8888 to yyyy:80; xxxx and yyyy are not on the same network, they are two separate servers.
I tried to implement this with iptables by adding the following rule on xxxx, but unfortunately it did not help:
iptables -t nat -R PREROUTING 1 -p tcp --dport 8888 -j DNAT --to-destination yyyy
Right now you are only rewriting the destination address, but host Y replies to the original source host through its own default gateway. That is, the packet was sent to host X's address, but the reply arrives from host Y; the sender gets confused and resets the connection, so nothing works.
Packets passing through a gateway traverse these chains: PREROUTING, FORWARD and POSTROUTING, and you need a rule in each of them. You also need to enable traffic forwarding. It is necessary not only to change the destination address (DNAT, PREROUTING) but also the source address (SNAT, POSTROUTING), so that host Y replies to host X and not along its default route, and do not forget to filter the transit traffic (FORWARD).
For everything to work as described above, the following actions are needed:
# Let X forward packets that are not addressed to itself
echo 1 > /proc/sys/net/ipv4/ip_forward
# PREROUTING: rewrite the destination of packets arriving on port 8888
iptables -t nat -A PREROUTING -p tcp --dport 8888 -j DNAT --to-destination Y.Y.Y.Y:80
# POSTROUTING: rewrite the source so that Y replies to X (source ports taken from 1024-32000)
iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 80 -j SNAT --to-source X.X.X.X:1024-32000
# FORWARD: allow replies to existing connections, then new connections to Y, drop everything else
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -m comment --comment "ALLOWED established connections" -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate NEW -d Y.Y.Y.Y -m comment --comment "ALLOWED new connection to Y.Y.Y.Y" -j ACCEPT
iptables -P FORWARD DROP
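The same DNAT + SNAT + FORWARD setup as an added, parameterised example; this is not code from the thread above or from either poster. It prints the rule set as shell commands so it can be reviewed in a dry run and then piped into sh as root. Every -A is guarded by a -C check, so re-running it does not duplicate rules, and the DNAT and SNAT rules are pinned to the host's own address and to Y respectively so they do not touch unrelated transit traffic. The function names, the interface eth0 and the addresses 203.0.113.5 / 198.51.100.7 in the usage line are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Builds the DNAT + SNAT + FORWARD rule set for "X:IN_PORT -> Y:OUT_PORT" as a
# list of shell commands (dry run) that can be piped into "sh -e" as root.
# Function names and the addresses in the usage lines are assumptions.

# Return 0 if $1 is four dot-separated decimal octets in 0-255, else 1.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if $1 is a TCP port number 1-65535, else 1.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print one idempotent iptables line: check with -C first and append with -A
# only if the rule is missing, so re-running the script never duplicates rules.
#   $1 = table ("nat" or "filter"), $2 = chain plus rule specification
guarded() {
    printf 'iptables -t %s -C %s 2>/dev/null || iptables -t %s -A %s\n' "$1" "$2" "$1" "$2"
}

# Print the complete command list; returns 1 on invalid addresses or ports.
#   $1 = X (this host's address)  $2 = Y (backend address)
#   $3 = port X listens on        $4 = port on Y        $5 = interface towards Y
forward_rules() {
    x=$1; y=$2; in_port=$3; out_port=$4; iface=$5
    valid_ipv4 "$x" && valid_ipv4 "$y" && valid_port "$in_port" && valid_port "$out_port" || return 1
    # 1. X must route packets that are not addressed to itself.
    echo 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    # 2. PREROUTING: rewrite the destination. "-d $x" keeps the rule from
    #    touching unrelated traffic that merely transits X on port $in_port.
    guarded nat "PREROUTING -p tcp -d $x --dport $in_port -j DNAT --to-destination $y:$out_port"
    # 3. POSTROUTING: rewrite the source so Y answers X, not the original client.
    #    "-d $y" limits the SNAT to the forwarded flow instead of every outbound
    #    connection to port $out_port leaving $iface.
    guarded nat "POSTROUTING -o $iface -p tcp -d $y --dport $out_port -j SNAT --to-source $x"
    # 4. FORWARD: replies and related packets first, then new connections to
    #    Y:$out_port only.
    guarded filter "FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    guarded filter "FORWARD -m conntrack --ctstate NEW -p tcp -d $y --dport $out_port -j ACCEPT"
    # 5. Everything else that X would forward is dropped.
    echo 'iptables -P FORWARD DROP'
}

# Dry run (prints the commands):  forward_rules 203.0.113.5 198.51.100.7 8888 80 eth0
# Apply (as root):                forward_rules 203.0.113.5 198.51.100.7 8888 80 eth0 | sh -e
```

After applying, `iptables -t nat -S` and `iptables -S FORWARD` show the installed rules and `cat /proc/sys/net/ipv4/ip_forward` must print 1. Test from a third machine, not from X itself: locally generated packets never pass through PREROUTING, so a connection to 127.0.0.1:8888 or to X's own address from X will not be redirected by these rules.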