[CentOS] iptables port forwarding

Joseph Spenner
Dec 4, 2012 at 7:38 pm
I have a simple requirement/test I'm trying to perform, but having difficulty.


I have a system with 2 interfaces, BoxA:


eth0 172.26.50.102
eth1 192.101.77.62


My goal is to have a tcp port built on BoxA such that hosts on the 192.101.77.0/24 network can reach a port on a different box on the 172.26.0.0/16 network.


The target system is 172.26.10.120 tcp/22
The port I wish to build is 12321.


The iptables rules I'm using:


iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 12321 -j DNAT --to 172.26.10.120:22


It shows up when I query the rules:


boxA# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
#

boxA# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere             tcp dpt:12321 to:172.26.10.120:22

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
boxA#


Forwarding is enabled:


boxA# cat /proc/sys/net/ipv4/ip_forward
1
boxA#


boxA can get to the target system:


boxA# telnet 172.26.10.120 22
Trying 172.26.10.120...
Connected to 172.26.10.120.
Escape character is '^]'.
SSH-2.0-OpenSSH_4.6


Protocol mismatch.
Connection closed by foreign host.
boxA#


When I try to connect from my other system, boxB, 192.101.77.76, it never connects to the target port:


boxB# telnet 192.101.77.62 12321
Trying 192.101.77.62...
^C


boxB#


However, I can connect to boxA from boxB on its tcp/22 port, so I know I have connectivity:


boxB# telnet 192.101.77.62 22
Trying 192.101.77.62...
Connected to 192.101.77.62.
Escape character is '^]'.
SSH-2.0-OpenSSH_5.5p1


Protocol mismatch.
Connection closed by foreign host.
boxB#


Nothing shows up in the logs.


Anyone have any ideas what I may be doing wrong?


Any help would be great.


Thanks!




______________________________________________________________________
If life gives you lemons, keep them-- because hey.. free lemons.
"? Sticker" fixer: http://microflush.org/stuff/stickers/heartFix.html
2 responses

  • Earl A Ramirez at Dec 4, 2012 at 10:25 pm

    On 5 December 2012 03:38, Joseph Spenner wrote:


    I have a simple requirement/test I'm trying to perform, but having
    difficulty.

    I have a system with 2 interfaces, BoxA:

    eth0 172.26.50.102
    eth1 192.101.77.62

    My goal is to have a tcp port built on BoxA such that hosts on the
    192.101.77.0/24 network can reach a port on a different box on the
    172.26.0.0/16 network.

    The target system is 172.26.10.120 tcp/22
    The port I wish to build is 12321.

    The iptables rules I'm using:

    iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 12321 -j DNAT --to
    172.26.10.120:22

    It shows up when I query the rules:

    boxA# iptables -L
    Chain INPUT (policy ACCEPT)
    target prot opt source destination

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    #

    boxA# iptables -L -t nat
    Chain PREROUTING (policy ACCEPT)
    target prot opt source destination
    DNAT tcp -- anywhere anywhere tcp dpt:12321
    to:172.26.10.120:22

    Chain POSTROUTING (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    boxA#


    Forwarding is enabled:

    boxA# cat /proc/sys/net/ipv4/ip_forward
    1
    boxA#

    boxA can get to the target system:

    boxA# telnet 172.26.10.120 22
    Trying 172.26.10.120...
    Connected to 172.26.10.120.
    Escape character is '^]'.
    SSH-2.0-OpenSSH_4.6

    Protocol mismatch.
    Connection closed by foreign host.
    boxA#


    When I try to connect from my other system, boxB, 192.101.77.76, it never
    connects to the target port:

    boxB# telnet 192.101.77.62 12321
    Trying 192.101.77.62...
    ^C

    boxB#

    However, I can connect to boxA from boxB on its tcp/22 port, so I know I
    have connectivity:

    boxB# telnet 192.101.77.62 22
    Trying 192.101.77.62...
    Connected to 192.101.77.62.
    Escape character is '^]'.
    SSH-2.0-OpenSSH_5.5p1

    Protocol mismatch.
    Connection closed by foreign host.
    boxB#

    Nothing shows up in the logs.

    Anyone have any ideas what I may be doing wrong?

    Any help would be great.

    Thanks!


    ______________________________________________________________________
    If life gives you lemons, keep them-- because hey.. free lemons.
    "? Sticker" fixer: http://microflush.org/stuff/stickers/heartFix.html
    _______________________________________________
    CentOS mailing list
    CentOS at centos.org
    http://lists.centos.org/mailman/listinfo/centos



    Hi Joseph,


    What port is the sshd daemon listening on, did you edit the sshd_config
    file to reflect port 12321?


    --
    Kind Regards
    Earl Ramirez
  • Joseph Spenner at Dec 6, 2012 at 7:53 pm
    ________________________________
    From: Earl A Ramirez <ear...@...com>
    To: CentOS mailing list <cen...@...org>
    Sent: Tuesday, December 4, 2012 3:25 PM
    Subject: Re: [CentOS] iptables port forwarding


    On 5 December 2012 03:38, Joseph Spenner wrote:

    I have a simple requirement/test I'm trying to perform, but having
    difficulty.



    When I try to connect from my other system, boxB, 192.101.77.76, it never
    connects to the target port:

    boxB# telnet 192.101.77.62 12321
    Trying 192.101.77.62...
    ^C

    boxB# telnet 192.101.77.62 22
    Trying 192.101.77.62...
    Connected to 192.101.77.62.
    Escape character is '^]'.
    SSH-2.0-OpenSSH_5.5p1

    Protocol mismatch.


    Hi Joseph,


    What port is the sshd daemon listening on, did you edit the sshd_config
    file to reflect port 12321?


    --

    Earl:
    Thanks for the reply, but I figured it out. The sshd ports are default-- 22. The target system needed a route back to the original system through the Linux router. I ran tcpdump and saw it and knew then I needed a route.




    ______________________________________________________________________
    If life gives you lemons, keep them-- because hey.. free lemons.
    "? Sticker" fixer: http://microflush.org/stuff/stickers/heartFix.html
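To show why the route back through boxA was the missing piece, here is a small Python model (added here, not from the thread) of boxA's DNAT rule and the target's return path; the target's other default gateway 172.26.1.1 and the client port 40000 are constructed values.

```python
import ipaddress

# Constructed model of the thread's topology: boxB on 192.101.77.0/24, boxA as
# the Linux router (eth1 192.101.77.62, eth0 172.26.50.102), target 172.26.10.120.
BOXB = "192.101.77.76"
BOXA_ETH1 = "192.101.77.62"
BOXA_ETH0 = "172.26.50.102"
TARGET = "172.26.10.120"
OTHER_GW = "172.26.1.1"  # assumed: the target's existing default gateway, which is not boxA


def next_hop(routes, dst):
    """Longest-prefix match over (prefix, gateway) pairs, like the target's route table."""
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, gw)
    return best[1] if best else None


def boxa_nat(pkt, conntrack):
    """boxA nat table: DNAT :12321 -> 172.26.10.120:22 inbound; reverse mapping on replies."""
    src, sport, dst, dport = pkt
    if dst == BOXA_ETH1 and dport == 12321:
        conntrack[(TARGET, 22, src, sport)] = (BOXA_ETH1, 12321)  # remember the reverse mapping
        return (src, sport, TARGET, 22)
    if (src, sport, dst, dport) in conntrack:  # only replies that pass boxA get un-DNATed
        nat_src, nat_port = conntrack[(src, sport, dst, dport)]
        return (nat_src, nat_port, dst, dport)
    return pkt


def simulate(target_routes):
    """Return the SYN-ACK as boxB sees it, or None when the reply is routed around boxA."""
    conntrack = {}
    syn = (BOXB, 40000, BOXA_ETH1, 12321)          # boxB: telnet 192.101.77.62 12321
    at_target = boxa_nat(syn, conntrack)            # arrives as 192.101.77.76 -> 172.26.10.120:22
    reply = (at_target[2], at_target[3], at_target[0], at_target[1])
    if next_hop(target_routes, reply[2]) != BOXA_ETH0:
        return None   # reply leaves via OTHER_GW; boxB waits for a SYN-ACK that never arrives
    return boxa_nat(reply, conntrack)


NO_ROUTE = [("0.0.0.0/0", OTHER_GW)]
WITH_ROUTE = NO_ROUTE + [("192.101.77.0/24", BOXA_ETH0)]  # ip route add 192.101.77.0/24 via 172.26.50.102

if __name__ == "__main__":
    print("without route:", simulate(NO_ROUTE))    # None, the hang seen from boxB
    print("with route:   ", simulate(WITH_ROUTE))  # ('192.101.77.62', 12321, '192.101.77.76', 40000)
```

Without the route, the target's SYN-ACK leaves through its usual gateway, never passes the conntrack entry on boxA and so is never rewritten back to 192.101.77.62:12321, which is the hang seen from boxB. A POSTROUTING SNAT or MASQUERADE on boxA's eth0 is the alternative that avoids the extra route, at the cost of the target seeing boxA rather than boxB as the client in its logs.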
