iptables NAT prerouting rule does not forward the traffic?

postcd (Member, joined Jul 8, 2017)
Hello,

On one server, an iptables rule like:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 48280 -j DNAT --to 10.8.0.2:48280

worked to forward the server's incoming traffic on the mentioned port into the VPN tunnel, where the VPN client's network interface has IP 10.8.0.2. The port appeared as open.
Now, when I tried the same rule on a different server, the port appears closed, even though I tried disabling the client's firewall.

ifconfig shows the server has only lo, eth0 and tun0 interfaces, so eth0 should be correct.

Please, what commands would you run to discover where the incoming traffic is stuck?

Some details about the server:
Red Hat-based CentOS 7, kernel 3.10, iptables v1.4.21
lsmod|grep nat
xt_nat 12681 6
nf_nat_masquerade_ipv4 13430 1 ipt_MASQUERADE
iptable_nat 12875 1
nf_nat_ipv4 14115 1 iptable_nat
nf_nat 26583 3 nf_nat_ipv4,xt_nat,nf_nat_masquerade_ipv4
nf_conntrack 139224 5 nf_nat,nf_nat_ipv4,xt_conntrack,nf_nat_masquerade_ipv4,nf_conntrack_ipv4
ip_tables 27126 5 iptable_security,iptable_filter,iptable_mangle,iptable_nat,iptable_raw
libcrc32c 12644 3 xfs,nf_nat,nf_conntrack

iptables-save|egrep -i "reject|drop|deny"
:POST_public_deny - [0:0]
:PRE_public_deny - [0:0]
-A POST_public -j POST_public_deny
-A PRE_public -j PRE_public_deny
:PRE_public_deny - [0:0]
-A PRE_public -j PRE_public_deny
:PRE_public_deny - [0:0]
-A PRE_public -j PRE_public_deny
:FWDI_public_deny - [0:0]
:FWDO_public_deny - [0:0]
:IN_public_deny - [0:0]
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol none -j DROP
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p udp -m udp --dport 1701 -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j DROP

iptables-save|egrep -i nat
*nat
-A PREROUTING -p tcp -m tcp --dport 12345 -j DNAT --to-destination 127.0.0.1:1082
-A PREROUTING -s 107.186.1.0/24 -p tcp -m tcp --dport 21 -j DNAT --to-destination 1.2.3.4:21
-A PREROUTING -i eth0 -p udp -m udp --dport 48281 -j DNAT --to-destination 10.8.0.2:48281
-A PREROUTING -i eth0 -p udp -m udp --dport 8889 -j DNAT --to-destination 10.8.0.2:8889
-A PREROUTING -i eth0 -p tcp -m tcp --dport 48280 -j DNAT --to-destination 10.8.0.2:48280
-A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to-source 1.2.3.4
(1.2.3.4 being server's public IP)

Regarding the client, it is Windows 10.

Check the other threads you've asked this same question in. Dude, you've been using iptables for close to 10 yrs now, so why can't you do anything with your own rules? Could be stuck anywhere: at a firewall, DMZ, or someplace else. Run tcpdump or try to just ping the boxes from each other. Or look at any of the 100s of other threads you opened about iptables and put some thinking into how to solve your own problem for a change.
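A DNAT'd packet is rewritten in nat/PREROUTING, routed, and then has to pass filter/FORWARD before nat/POSTROUTING sends it out the tunnel. The dump quoted in the question ends FORWARD with an unconditional `-A FORWARD -j DROP` and has no ACCEPT toward 10.8.0.2 ahead of it, which is exactly the kind of thing the reply says to look for. The script below is an added example, not code from either poster: it audits an iptables-save dump offline for a given DNAT target and then lists the live checks in packet-flow order (ip_forward, route to the target, rule counters, a raw-table TRACE, tcpdump on the tunnel side, conntrack). The two rulesets are constructed from the rules quoted in the post; the "fixed" one also adds a MASQUERADE toward tun0, which is an assumption about the setup: it makes the VPN client answer through the tunnel even when its default route is not the VPN, at the cost of hiding the real client IP from it.

```shell
#!/bin/sh
# Added example (not from the thread): audit an iptables-save dump for a
# DNAT port-forward, then list the live checks in packet-flow order.
# Assumptions not in the thread: rulesets below are constructed from the
# rules quoted in the post; live commands only execute as root with RUN_LIVE=1.

# Constructed from the post's dump: DNAT present, but FORWARD ends in DROP with
# no ACCEPT for the DNAT target ahead of it, so the forwarded SYN dies there.
BROKEN_RULES='*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 48280 -j DNAT --to-destination 10.8.0.2:48280
-A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to-source 1.2.3.4
COMMIT
*filter
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j DROP
COMMIT'

# Same ruleset with the two additions a working port-forward needs: an explicit
# FORWARD ACCEPT for the DNAT'd flow (before the catch-all DROP), and a
# MASQUERADE toward tun0 so the VPN client replies through the tunnel even if
# its default route is not the VPN (assumption; this hides the real client IP).
FIXED_RULES='*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 48280 -j DNAT --to-destination 10.8.0.2:48280
-A POSTROUTING -o tun0 -d 10.8.0.2/32 -p tcp -m tcp --dport 48280 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to-source 1.2.3.4
COMMIT
*filter
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i eth0 -o tun0 -d 10.8.0.2/32 -p tcp -m tcp --dport 48280 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -s 10.8.0.2/32 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j DROP
COMMIT'

# audit_forward RULESET DST PORT
# Exit 0 if a PREROUTING DNAT for tcp/PORT -> DST exists and FORWARD accepts
# traffic to DST before any unconditional "-A FORWARD -j DROP"; 1 if the DNAT
# is missing, 2 if the catch-all DROP comes first, 3 if there is no explicit ACCEPT.
audit_forward() {
  printf '%s\n' "$1" | awk -v dst="$2" -v port="$3" '
    /^\*/ { table = substr($0, 2) }            # *nat, *filter, ... start a table
    table == "nat" && /^-A PREROUTING / && /-j DNAT/ &&
      index($0, "--dport " port " ") && index($0, "--to-destination " dst) { dnat = 1 }
    table == "filter" && /^-A FORWARD / {
      if ($0 ~ /-j ACCEPT/ && index($0, dst) && !dropped) accepted = 1
      if ($0 == "-A FORWARD -j DROP" && !accepted) dropped = 1
    }
    END {
      if (!dnat)     { print "FAIL: no PREROUTING DNAT for tcp/" port " -> " dst; exit 1 }
      if (dropped)   { print "FAIL: FORWARD drops everything before any ACCEPT for " dst; exit 2 }
      if (!accepted) { print "WARN: no explicit FORWARD ACCEPT for " dst ", chain policy decides"; exit 3 }
      print "OK: tcp/" port " is DNATed to " dst " and accepted in FORWARD"
    }'
}

# Run the command for real only as root with RUN_LIVE=1; otherwise print it.
run() {
  if [ "${RUN_LIVE:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then "$@"; else echo "# $*"; fi
}

# live_checks DST PORT WAN_IF VPN_IF: where a DNAT'd packet can get stuck,
# in the order the kernel handles it. Counters that stop growing show the hop.
live_checks() {
  dst=$1; port=$2; wan=$3; vpn=$4
  run sysctl net.ipv4.ip_forward                          # 0 means FORWARD is never entered
  run ip route get "$dst"                                 # must leave via the VPN interface
  run iptables -t nat -L PREROUTING -n -v --line-numbers  # DNAT pkts counter grows per SYN?
  run iptables -L FORWARD -n -v --line-numbers            # which rule's counter eats it?
  run iptables -t raw -A PREROUTING -i "$wan" -p tcp --dport "$port" -j TRACE  # hops -> kernel log; delete afterwards
  run tcpdump -ni "$vpn" -c 5 "tcp port $port"            # SYN seen here => forwarded into the tunnel
  run conntrack -L -p tcp --dport "$port"                 # DNAT entry present, replies matching?
}

# Stand-alone run: audit both constructed rulesets, then print the runbook.
audit_forward "$BROKEN_RULES" 10.8.0.2 48280 || true
audit_forward "$FIXED_RULES" 10.8.0.2 48280 || true
live_checks 10.8.0.2 48280 eth0 tun0
```

On a live box, feed the real dump with `audit_forward "$(iptables-save)" 10.8.0.2 48280`; if that reports OK and the port still looks closed, the remaining suspects are the route to 10.8.0.2, the VPN client's own firewall, and the client replying via a path other than the tunnel, which the counter and tcpdump steps separate.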