  1. #1 Just Joined! (Join Date: Aug 2010, Posts: 31)

    iptables forward to different address:port


    long story short, verizon wireless (ie, my droid x) blocks a lot of irc servers. I'm working around it by forwarding some ports on my home server to the servers I need to access.

    I've been researching how to do this, but nothing seems to work. this is what I've got so far:

    # grab IP address of server (works fine)
    ircserver=`ping -c1 irc.oftc.net | grep 'bytes from' | sed 's/.*(\([0-9\.]*\)).*/\1/g'`
    inport="6667"
    outport="6667"

    sysctl net.ipv4.ip_forward=1

    # the destination port variable must be expanded too ($outport); a literal
    # "outport" after the colon is not a valid port and iptables rejects the rule
    iptables -t nat -A PREROUTING -p tcp -m tcp --dport "$inport" -j DNAT --to "$ircserver:$outport"
    iptables -t nat -A PREROUTING -p udp -m udp --dport "$inport" -j DNAT --to "$ircserver:$outport"
    iptables -A FORWARD -d "$ircserver" -p tcp --dport "$outport" -j ACCEPT
    iptables -A FORWARD -d "$ircserver" -p udp --dport "$outport" -j ACCEPT

  2. #2 Lazydog, Linux Guru (Join Date: Jun 2004, Location: The Keystone State, Posts: 2,672)
    How are you connecting to your server? How many network interfaces on this server?

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  3. #3 Just Joined! (Join Date: Aug 2010, Posts: 31)
    only one network interface card.

    whether I'm on the machine itself or a client on the same local network.

    The only firewall between the client and server is this iptables I'm configuring.

    There is a firewall on a router separating this local network from the internet (but shouldn't come into play with the following tests).

    machines involved
    * server (on local network)
    * client (on local network)
    * remserver (on remote network)

    on server, if I redirect port A to server's own port B (apache, ssh, anything)
    * connecting to real port on server from client works
    * connecting to forwarded port on server from client works
    * connecting to forwarded port on server from server fails (either with 127.0.0.1:fprt or 192.168.0.100:fprt)
    * connecting to real port on server from server works

    if I redirect server port A to a remserver port B (ssh)
    * connecting to real port on remserver from client works
    * connecting to real port on remserver from server works
    * connecting to forwarded port on server from server fails
    * connecting to forwarded port on server from client fails

  4. #4 Lazydog, Linux Guru (Join Date: Jun 2004, Location: The Keystone State, Posts: 2,672)
    What are your complete iptables rules for the firewall?
    Please use CODE tags instead of QUOTE tags.

    Regards
    Robert


  5. #5 Just Joined! (Join Date: Aug 2010, Posts: 31)
    in this example, I'm forwarding my own server's port 4567 to narnia.intruded.net:10102 (an ssh wargame)

    Code:
    eocserver ~ # sysctl net.ipv4.ip_forward=1
    net.ipv4.ip_forward = 1
    
    eocserver ~ # iptables -L
    Firewall rules installed:
    Chain INPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     all  --  localhost            anywhere
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    ACCEPT     icmp --  anywhere             anywhere            icmp any
    DROP       all  --  anywhere             anywhere
    
    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:9090
    ACCEPT     tcp  --  anywhere             intruded.net        tcp dpt:10102
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    specific command for forwarding:
    Code:
    iptables -t nat -A PREROUTING -p tcp -m tcp --dport 4567 -j DNAT --to 78.129.142.146:10102
    iptables -A FORWARD -d 78.129.142.146 -p tcp --dport 10102 -j ACCEPT

  6. #6 Lazydog, Linux Guru (Join Date: Jun 2004, Location: The Keystone State, Posts: 2,672)
    I would prefer to read the command line file not the running output.

    Regards
    Robert


  7. #7 Just Joined! (Join Date: Aug 2010, Posts: 31)
    I've created my own init script to set up iptables. whether I use that or manually enter all the commands as they should be, its the same effect.

    the script reads in /etc/firewall and parses it into iptables commands.

    here it is:

    /etc/firewall
    Code:
    ## usage: forward [tcp.udp,all] [inPort] [toAdd:toPort] [optionalSourceMatching]
    forward tcp 80 :9090 192.168.0.0/24 # port 80 web server for lan only
    forward tcp 4567 78.129.142.146:10102
    
    ## usage: input [nameNoSpaces] [tcp,udp,all] [port1] [port2]...
    ## tcp/udp assumed if not specified
    input apache all 9090 9191
    /etc/init.d/firewall
    Code:
    #!/sbin/runscript
    # Copyright 1999-2010 Gentoo Foundation
    # Distributed under the terms of the GNU General Public License v2
    # $Header: $
    
    depend() {
            before net
    }
    
    start() {
            setup_iptables
    }
    
    stop() {
            /etc/init.d/iptables stop
    }
    
    restart() {
            setup_iptables
    }
    
    function clear_iptables {
            iptables -F
            iptables -P INPUT   ACCEPT
            iptables -P FORWARD ACCEPT
            iptables -P OUTPUT  ACCEPT
    
            # Report what happened
            echo 'Firewall rules installed:'
            iptables -L
    }
    function open {
            pol="$1"
            shift 2
            packet="tcp/udp"
            first="1"
            
            for port in "$@" ; do
              # ${port:0:1} is the first character; "$port:0:1" would be the whole word plus a literal ":0:1"
              if [[ "${port:0:1}" == "#" ]] ; then
                return;
              elif [[ "$port" == "tcp" ]] || [[ "$port" == "udp" ]] ; then
                packet="$port";
                first="0"
                continue;
              elif  [[ "$port" == "all" ]] || [[ "$port" == "tcp/udp" ]] || [[ "$port" == "udp/tcp" ]] ; then
                packet="tcp/udp"
                first="0"
                continue;
              elif [[ "$first" == "1" ]] ; then
                first="0"
              fi
    
              if [[ "$packet" == "tcp/udp" ]] ; then
                iptables -A "$pol" -p tcp -m tcp --dport "$port" -j ACCEPT
                iptables -A "$pol" -p udp -m udp --dport "$port" -j ACCEPT
              else
                iptables -A "$pol" -p "$packet" -m "$packet" --dport "$port" -j ACCEPT
              fi
            done
    }
    
    function forward {
            # forward [tcp,udp,tcp/udp,all] [in port] [forw add:port] [source add] 
    
            sysctl net.ipv4.ip_forward=1
    
            # input port
            iport="$2";
    
            # source address (reset on every call so a previous forward's
            # source match does not leak into a forward that has none)
            saddress=""
            if [[ "$4" != "" ]] ; then
              saddress=" --source $4";
            fi
    
            # destination address
            # you can supply a domain name by adding ! to the beginning. (getip is an outside script)
            daddress=`echo "$3" | cut -d: -f 1`
            if [[ "${daddress:0:1}" == "!" ]] ; then
                    daddress=`getip "${daddress:1}"`
            fi
    
            # destination port
            dport=`echo "$3" | cut -d: -f 2`
            if [[ "$dport" == "" ]]; then
                    # make port the same as source port if not supplied
                    dport="$2"
            fi
    
            if [[ "$dport" == "$3" ]]; then
                    # when no : is supplied, cut will make port and address
                    # the whole line supplied. we assume this is an address
                    # as ports are always supplied with a leading :
                    dport="$2"
            fi
    
            dport=":$dport"
    
            if [[ "$1" == "udp" ]] || [[ "$1" == "tcp/udp" ]] || [[ "$1" == "all" ]] ; then
              iptables -t nat -A PREROUTING -p udp -m udp --dport "$iport" $saddress -j DNAT --to "$daddress$dport"
              iptables -A FORWARD -d "$daddress" -p udp --dport "${dport:1}" -j ACCEPT
            fi
            if [[ "$1" == "tcp" ]] || [[ "$1" == "tcp/udp" ]] || [[ "$1" == "all" ]] ; then
              iptables -t nat -A PREROUTING -p tcp -m tcp --dport "$iport" $saddress -j DNAT --to "$daddress$dport"
              iptables -A FORWARD -d "$daddress" -p tcp --dport "${dport:1}" -j ACCEPT
            fi
    }
    
    function read_firewall {
            if ! [[ -e "/etc/firewall" ]] ; then
              return 1
            fi
    
            # every config line is re-evaluated as a shell command line via eval,
            # so /etc/firewall must be owned by root and writable only by root
            while read line ; do
              if [[ "${line:0:5}" == "input" ]] ; then
                eval "open INPUT ${line:6}"
              elif [[ "${line:0:6}" == "output" ]] ; then
                eval "open OUTPUT ${line:7}"
              elif [[ "${line:0:7}" == "forward" ]] ; then
                eval "forward ${line:8}"
              fi
            done < /etc/firewall
    }
    
    function setup_iptables {
            /etc/init.d/iptables stop
    
            iptables -F
            iptables -P INPUT   DROP
            iptables -P FORWARD DROP
            iptables -P OUTPUT  ACCEPT
    
            iptables -A INPUT -s 127.0.0.1 -j ACCEPT
            iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    
            iptables -A INPUT -p icmp -m icmp -j ACCEPT
    
            read_firewall
    
            iptables -A INPUT -j DROP
    
            #Report what happened
            echo 'Firewall rules installed:'
            iptables -L
    
            /etc/init.d/iptables save
            /etc/init.d/iptables start
    }
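As an added example (not the thread's script and not a reply from either poster): the complete rule set one DNAT port forward needs on a host with a single interface, written as a POSIX shell script that prints the commands for review unless DRY_RUN=0. It assumes the interface is called eth0 and reuses the thread's 4567 to 78.129.142.146:10102 forward as its demo. The three rules the thread's version lacks line up with the three failures listed in post #3: a DNAT in the nat OUTPUT chain for connections made from the server itself (PREROUTING never sees locally generated packets), a POSTROUTING MASQUERADE so the remote host's replies come back through the server instead of going straight to the LAN client (which never sent a SYN to 78.129.142.146 and therefore resets the session), and a RELATED,ESTABLISHED accept in the FORWARD chain, whose policy is DROP.

```shell
#!/bin/sh
# Added example, not the thread's /etc/init.d/firewall: the full rule set for
# one DNAT port forward on a single-NIC host. DRY_RUN=1 (default) prints the
# commands; DRY_RUN=0 runs them (root, iptables with conntrack/addrtype matches).
DRY_RUN="${DRY_RUN:-1}"
WAN_IF="${WAN_IF:-eth0}"   # assumption: the host's only interface is eth0

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# base_rules: applied once, before any forward_rules call
base_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    # return traffic of every forwarded flow; the FORWARD policy is DROP
    run iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

# forward_rules PROTO INPORT DESTADDR DESTPORT [SOURCE-CIDR]
# Emits the four rules for one forward; SOURCE-CIDR restricts who may use it.
forward_rules() {
    proto="$1"; inport="$2"; daddr="$3"; dport="$4"; src="${5:-}"
    srcmatch=""
    if [ -n "$src" ]; then srcmatch="-s $src"; fi

    # 1. connections arriving on the interface are rewritten to the target
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p "$proto" $srcmatch \
        --dport "$inport" -j DNAT --to-destination "$daddr:$dport"
    # 1b. connections that originate on this host and aim at one of its own
    #     addresses (127.0.0.1 included) get the same rewrite in nat OUTPUT
    run iptables -t nat -A OUTPUT -m addrtype --dst-type LOCAL -p "$proto" \
        --dport "$inport" -j DNAT --to-destination "$daddr:$dport"
    # 2. the forwarded packet leaves with this host's address as its source,
    #    so the reply returns here and conntrack can undo the DNAT for the client
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -p "$proto" -d "$daddr" \
        --dport "$dport" -j MASQUERADE
    # 3. admit the new flow through the DROP-policy FORWARD chain
    run iptables -A FORWARD -o "$WAN_IF" -p "$proto" $srcmatch -d "$daddr" \
        --dport "$dport" -m conntrack --ctstate NEW -j ACCEPT
}

# count_rules: number of iptables commands forward_rules emits (dry run only)
count_rules() {
    forward_rules "$@" | grep -c '^iptables '
}

# Demo with the thread's forward: server port 4567 -> 78.129.142.146:10102,
# usable only from the 192.168.0.0/24 LAN.
base_rules
forward_rules tcp 4567 78.129.142.146 10102 192.168.0.0/24
```

With DRY_RUN=0 the same functions apply the rules instead of printing them. Keeping the source CIDR on the PREROUTING and FORWARD rules matters on a host that is ever reachable from outside the LAN: without it, anyone who can reach port 4567 gets a relay to the remote host that appears to originate from the forwarding server.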
