iptables
Dmitry, 2017-02-09 14:31:16

How to forward packets to another server using iptables?

Hello. The task is to redirect all traffic arriving at the address xxxx:8888 to another one, yyyy:80; xxxx and yyyy are not on the same network, they are two separate servers.
I tried to implement this with iptables by adding the following rule on xxxx, but unfortunately it did not help:
iptables -t nat -R PREROUTING 1 -p tcp --dport 8888 -j DNAT --to-destination yyyy


2 answer(s)
krosh, 2017-02-10
@MrDinkyToster

Right now you are only rewriting the destination address, but host Y replies to the source host through its own default gateway. That is, the packet was sent to the address of host X, but the reply came from host Y; the sender gets confused and resets the connection, so nothing happens.
Packets passing through the gateway traverse these chains: PREROUTING, FORWARD, POSTROUTING, and you need a rule in each. You also need to enable traffic forwarding. It is necessary not only to change the destination address (DNAT, PREROUTING) but also to change the source address (SNAT, POSTROUTING), so that host Y replies to host X rather than along its default route, and do not forget about filtering the forwarded traffic (FORWARD).
For everything to work, as described above, the following actions are needed:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp --dport 8888 -j DNAT --to-destination Y.Y.Y.Y:80
iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 80 -j SNAT --to-source X.X.X.X:1024-32000
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -m comment --comment "ALLOWED established connections" -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate NEW -d Y.Y.Y.Y -m comment --comment "ALLOWED new connection to Y.Y.Y.Y" -j ACCEPT
iptables -P FORWARD DROP

The first command enables traffic forwarding through the host.
Second: the destination is changed in PREROUTING, i.e. at the point of the routing decision it will already be decided to pass the packet on to the network rather than hand it to a local process.
Third: the source address is replaced with host X's address in the POSTROUTING chain on the way out. After that the packet looks as if it was sent from host X to port 80 of host Y.
Fourth: connection state handling. Only packets of an already established connection pass. And a connection can be established only in one direction (fifth line) and only to host Y.
Sixth: drop all packets that do not match the chain's rules, the default policy.
The only problem with this solution is that in the logs you will see a single source address, host X. If that matters and we are talking about a web server, I would recommend looking into proxying with nginx, and then nothing needs to be forwarded at all.
You also need to deal with local traffic on ports 8888 and 80, and with traffic from the local network if this host is a gateway. But that is a separate issue.
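
The procedure from this answer as one complete, re-runnable script. This is an added example, not krosh's or Wexter's code: the addresses 198.51.100.10 (X) and 203.0.113.20 (Y) are placeholders from the RFC 5737 documentation ranges, eth0 is an assumed interface name, and both can be overridden through the environment. Compared with the rules above it scopes the DNAT to -d X and the SNAT to -d Y --dport 80 so only the forwarded flow is rewritten, uses a single --to-source address instead of the port range, refuses non-IPv4 input before it can land in a rule, and checks with -C before appending so running it twice does not duplicate rules.

```sh
#!/bin/sh
# Added example, not from the original answers: X:8888 -> Y:80 forwarding with
# DNAT + SNAT + FORWARD filtering, applied idempotently. The addresses are
# placeholders from the RFC 5737 documentation ranges and eth0 is an assumed
# interface name; override them through the environment.
set -eu

X_ADDR="${X_ADDR:-198.51.100.10}"   # this host (X), where the rules are loaded
Y_ADDR="${Y_ADDR:-203.0.113.20}"    # the real server (Y)
IFACE="${IFACE:-eth0}"              # X's interface towards Y
IN_PORT="${IN_PORT:-8888}"
OUT_PORT="${OUT_PORT:-80}"

# Dotted-quad IPv4 with every octet in 0..255; anything else (a hostname, a
# typo, an empty variable) must not end up inside a live NAT rule.
valid_ipv4() {
    oldifs=$IFS
    IFS=.
    # shellcheck disable=SC2086
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Rule bodies (everything after "iptables"), one per line. Every rule names its
# table and uses -A so the same text can be turned into a -C existence check.
# DNAT and SNAT are scoped with -d so only the X:8888 -> Y:80 flow is rewritten.
rule_list() {
    cat <<EOF
-t nat -A PREROUTING -p tcp -d $X_ADDR --dport $IN_PORT -j DNAT --to-destination $Y_ADDR:$OUT_PORT
-t nat -A POSTROUTING -o $IFACE -p tcp -d $Y_ADDR --dport $OUT_PORT -j SNAT --to-source $X_ADDR
-t filter -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-t filter -A FORWARD -p tcp -d $Y_ADDR --dport $OUT_PORT -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Append a rule only if an identical one is not already present (-C), so the
# script can be re-run without piling up duplicate rules.
ensure_rule() {
    check=$(printf '%s' "$1" | sed 's/ -A / -C /')
    # shellcheck disable=SC2086
    iptables $check 2>/dev/null || iptables $1
}

apply_rules() {
    valid_ipv4 "$X_ADDR" || { echo "X_ADDR is not an IPv4 address: $X_ADDR" >&2; return 1; }
    valid_ipv4 "$Y_ADDR" || { echo "Y_ADDR is not an IPv4 address: $Y_ADDR" >&2; return 1; }
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    rule_list | while IFS= read -r body; do ensure_rule "$body"; done
    # Policy last, after the ACCEPT rules exist, exactly as in the answer above.
    iptables -P FORWARD DROP
}

# Read back what is in effect: forwarding flag, NAT rules, FORWARD filter and counters.
show_state() {
    sysctl net.ipv4.ip_forward
    iptables -t nat -L PREROUTING -n -v
    iptables -t nat -L POSTROUTING -n -v
    iptables -L FORWARD -n -v
}

case "${1:-dry-run}" in
    apply) apply_rules ;;
    show)  show_state ;;
    *)     rule_list ;;    # default: print the rules without touching the kernel
esac
```

Run it with no argument to see the rules that would be loaded, as root on X with apply to load them, and with show to read the packet counters back and confirm the DNAT and SNAT rules are actually matching. sysctl -w is not persistent across reboots, so put net.ipv4.ip_forward=1 in /etc/sysctl.d as well. If X is also a gateway for a local network, the FORWARD DROP policy cuts that traffic off until you add rules for it, which is the separate issue the answer mentions.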

Wexter, 2017-02-09
@Wexter

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp -d xxxx --dport 8888 -j DNAT --to-destination yyyy:80
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
