iptables forward to different address:port

long story short, verizon wireless (ie, my droid x) blocks a lot of irc servers. I'm working around it by forwarding some ports on my home server to the servers I need to access.

I've been researching how to do this, but nothing seems to work. this is what I've got so far:

Quote:

---

# grab IP address of server (works fine)
ircserver=`ping -c1 irc.oftc.net | grep 'bytes from' | sed 's/.*(\([0-9\.]*\)).*/\1/g'`
inport="6667"
outport="6667"

sysctl net.ipv4.ip_forward=1

iptables -t nat -A PREROUTING -p tcp -m tcp --dport "$inport" -j DNAT --to "$ircserver:outport"
iptables -t nat -A PREROUTING -p udp -m udp --dport "$inport" -j DNAT --to "$ircserver:outport"
iptables -A FORWARD -d "$ircserver" -p tcp --dport "$outport" -j ACCEPT
iptables -A FORWARD -d "$ircserver" -p udp --dport "$outport" -j ACCEPT

---

How are you connecting to your server? How many network interfaces on this server?

only one network interface card.

whether I'm on the machine itself or a client on the same local network.

The only firewall between the client and server is this iptables I'm configuring.

There is a firewall on a router separating this local network from the internet (but shouldn't come into play with the following tests).

machines involved
* server (on local network)
* client (on local network)
* remserver (on remote network)

on server, if I redirect port A to server's own port B (apache, ssh, anything)
connecting to real port on server from client works
connecting to forwarded port on server from client works
connecting to forwarded port on server from server fails (either with 127.0.0.1:fprt or 192.168.0.100:fprt)
connecting to real port on server from server works

if I redirect server port A to a remserver port B (ssh)
connecting to real port on remserver from client works
connecting to real port on remserver from server works
connecting to forwarded port on server from server fails
connecting to forwarded port on server from client fails

What are your complete iptables rules for the firewall?
Please use CODE tags instead of QUOTE tags.

in this example, I'm forwarding my own server's port 4567 to narnia.intruded.net:10102 (an ssh wargame)

Code:

---

eocserver ~ # sysctl net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1

eocserver ~ # iptables -L
Firewall rules installed:
Chain INPUT (policy DROP)
target    prot opt source              destination
ACCEPT    all  --  localhost            anywhere
ACCEPT    all  --  anywhere            anywhere            state RELATED,ESTABLISHED
ACCEPT    icmp --  anywhere            anywhere            icmp any
DROP      all  --  anywhere            anywhere

Chain FORWARD (policy DROP)
target    prot opt source              destination
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:9090
ACCEPT    tcp  --  anywhere            intruded.net        tcp dpt:10102

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination

---

specific command for forwarding:

Code:

---

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 4567 -j DNAT --to 78.129.142.146:10102
iptables -A FORWARD -d 78.129.142.146 -p tcp --dport 10102 -j ACCEPT

---

I would prefer to read the command line file not the running output.

I've created my own init script to set up iptables. whether I use that or manually enter all the commands as they should be, its the same effect.

the script reads in /etc/firewall and parses it into iptables commands.

here it is:

/etc/firewall

Code:

---

## usage: forward [tcp.udp,all] [inPort] [toAdd:toPort] [optionalSourceMatching]
forward tcp 80 :9090 192.168.0.0/24 # port 80 web server for lan only
forward tcp 4567 78.129.142.146:10102

## usage: input [nameNoSpaces] [tcp,udp,all] [port1] [port2]...
## tcp/udp assumed if not specified
input apache all 9090 9191

---

/etc/init.d/firewall

Code:

---

#!/sbin/runscript
# Copyright 1999-2010 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: $

depend() {
        before net
}

start() {
        setup_iptables
}

stop() {
        /etc/init.d/iptables stop
}

restart() {
        setup_iptables
}

function clear_iptables {
        iptables -F
        iptables -P INPUT  ACCEPT
        iptables -P FORWARD ACCEPT
        iptables -P OUTPUT  ACCEPT

        # Report what happened
        echo 'Firewall rules installed:'
        iptables -L
}
function open {
        pol="$1"
        shift 2
        packet="tcp/udp"
        first="1"
       
        for port in "$@" ; do
          if [[ "$port:0:1" == "#" ]] ; then
            return;
          elif [[ "$port" == "tcp" ]] || [[ "$port" == "udp" ]] ; then
            packet="$port";
            first="0"
            continue;
          elif  [[ "$port" == "all" ]] || [[ "$port" == "tcp/udp" ]] || [[ "$port" == "udp/tcp" ]] ; then
            packet="tcp/udp"
            first="0"
            continue;
          elif [[ "$first" == "1" ]] ; then
            first="0"
          fi

          if [[ "$packet" == "tcp/udp" ]] ; then
            iptables -A "$pol" -p tcp -m tcp --dport "$port" -j ACCEPT
            iptables -A "$pol" -p udp -m udp --dport "$port" -j ACCEPT
          else
            iptables -A "$pol" -p "$packet" -m "$packet" --dport "$port" -j ACCEPT
          fi
        done
}

function forward {
        # forward [tcp,udp,tcp/udp,all] [in port] [forw add:port] [source add]

        sysctl net.ipv4.ip_forward=1

        # input port
        iport="$2";

        # source address
        if [[ "$4" != "" ]] ; then
          saddress=" --source $4";
        fi

        # destination address
        # you can supply a domain name by adding ! to the beginning. (getip is an outside script)
        daddress=`echo "$3" | cut -d: -f 1`
        if [[ "${daddress:0:1}" == "!" ]] ; then
                daddress=`getip "${daddress:1}"`
        fi

        # destination port
        dport=`echo "$3" | cut -d: -f 2`
        if [[ "$dport" == "" ]]; then
                # make port the same as source port if not supplied
                dport="$2"
        fi

        if [[ "$dport" == "$3" ]]; then
                # when no : is supplied, cut will make port and address
                # the whole line supplied. we assume this is an address
                # as ports are always supplied with a leading :
                dport="$2"
        fi

        dport=":$dport"

        if [[ "$1" == "udp" ]] || [[ "$1" == "tcp/udp" ]] || [[ "$1" == "all" ]] ; then
          iptables -t nat -A PREROUTING -p udp -m udp --dport "$iport" $saddress -j DNAT --to "$daddress$dport"
          iptables -A FORWARD -d "$daddress" -p udp --dport "${dport:1}" -j ACCEPT
        fi
        if [[ "$1" == "tcp" ]] || [[ "$1" == "tcp/udp" ]] || [[ "$1" == "all" ]] ; then
          iptables -t nat -A PREROUTING -p tcp -m tcp --dport "$iport" $saddress -j DNAT --to "$daddress$dport"
          iptables -A FORWARD -d "$daddress" -p tcp --dport "${dport:1}" -j ACCEPT
        fi
}

function read_firewall {
        if ! [[ -e "/etc/firewall" ]] ; then
          return 1
        fi

        while read line ; do
          if [[ "${line:0:5}" == "input" ]] ; then
            eval "open INPUT ${line:6}"
          elif [[ "${line:0:6}" == "output" ]] ; then
            eval "open OUTPUT ${line:7}"
          elif [[ "${line:0:7}" == "forward" ]] ; then
            eval "forward ${line:8}"
          fi
        done < /etc/firewall
}

function setup_iptables {
        /etc/init.d/iptables stop

        iptables -F
        iptables -P INPUT  DROP
        iptables -P FORWARD DROP
        iptables -P OUTPUT  ACCEPT

        iptables -A INPUT -s 127.0.0.1 -j ACCEPT
        iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

        iptables -A INPUT -p icmp -m icmp -j ACCEPT

        read_firewall

        iptables -A INPUT -j DROP

        #Report what happened
        echo 'Firewall rules installed:'
        iptables -L

        /etc/init.d/iptables save
        /etc/init.d/iptables start
}

---