iptable port forwarding between two lan interface

May 18, 2012 at 06:33:51
Specs: linux, 2G RAM
Hi,
How can I configure iptables to allow port forwarding from one WAN interface to a second LAN interface?

In my system I have one WAN interface, 61.93.204.56 (eth0), and one LAN interface, 10.2.1.52 (eth1).
I want to forward port 22 on 61.93.204.56 to
port 22 on 10.2.1.52, TCP and UDP.

I tried the commands below, but none of them work.
[CODE]
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 22 -j DNAT --to-destination 10.2.1.52:22
iptables -A FORWARD -p tcp -d 10.2.1.52 --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -p udp -i eth0 --dport 22 -j DNAT --to-destination 10.2.1.52:22
iptables -A FORWARD -p udp -d 10.2.1.52 --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
[/CODE]
[CODE]
iptables -A PREROUTING -p tcp -m tcp -d 61.93.204.56 --dport 22 -j DNAT --to-destination 10.2.1.52:22

iptables -A FORWARD -m state -p tcp -d 10.2.1.52 --dport 22 --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A POSTROUTING -p tcp -m tcp -s 10.2.1.52 --sport 22 -j SNAT --to-source 61.93.204.56
[/CODE]

[CODE]
iptables -A PREROUTING -t nat -i eth0 -p udp --dport 22 -j DNAT --to 10.2.1.52:22
iptables -A INPUT -p udp -m state --state NEW --dport 22 -i eth0 -j ACCEPT

iptables -A FORWARD -p tcp -m state --state NEW -d 10.2.1.52 --dport 22 -j ACCEPT
[/CODE]


[CODE]
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 22 -j DNAT --to 10.2.1.52:2
iptables -A FORWARD -p tcp -i eth0 -o eth2 -d 10.2.1.52 --dport 22 -j ACCEPT
[/CODE]

Please advise how I can make it work.

And how can I enable debugging for the above iptables rules and see what is wrong???
Please advise.



#1
May 18, 2012 at 14:41:54
Are the 2 network cards eth0 and eth1 in the same machine?
And what does eth2 mean in the last code block you posted?

[CODE]
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 22 -j DNAT --to 10.2.1.52:2
iptables -A FORWARD -p tcp -i eth0 -o eth2 -d 10.2.1.52 --dport 22 -j ACCEPT
[/CODE]



#2
May 18, 2012 at 15:56:00
Yes, both eth0 and eth1 are in the same machine.
That was only a typing mistake....


#3
May 18, 2012 at 16:43:22
OK, so why do you want to forward SSH, when it's much easier to simply have SSH listen on both network cards? Then you only have to open port 22 on eth0 [61.93.204.56].
No NAT and no forwarding is needed.

Check whether both NICs are listening on port 22 (ssh) with
netstat -ant | grep \:22



#4
May 18, 2012 at 17:03:31
No.
That is only an example; it is not only port 22, I may need to set up another port number as well.
Please advise how to set up port forwarding between a WAN and a LAN interface in Linux.



#5
May 18, 2012 at 17:22:27
This is how it works:

PREROUTING:
iptables -t nat -A PREROUTING -p tcp -m tcp -i 61.93.204.56 --dport 22 -j DNAT --to-destination 10.2.1.52:22

FORWARDING:
iptables -A FORWARD -p tcp -m tcp -d 10.2.1.52 --dport 22 -m limit --limit 3/min -m state --state NEW -j LOG --log-prefix "SFW2-FWDext-ACC-SSH: " --log-tcp-options --log-ip-options
iptables -A FORWARD -p tcp -m tcp -d 10.2.1.52 --dport 22 -j ACCEPT

It's always a good idea to use the log option for a rule.



#6
May 18, 2012 at 17:29:31
Oh, there is a mistake in the PREROUTING section:

Must be:

iptables -t nat -A PREROUTING -p tcp -m tcp -i eth0 --dport 22 -j DNAT --to-destination 10.2.1.52:22



#7
May 18, 2012 at 17:43:37
Ah, forgot something else.
Depending on the existing firewall configuration, you may have to insert the rules rather than append them, so that they end up at the right place.

Make sure that the logging rule is placed above the ACCEPT rule.
Rule of thumb: first log, then accept or deny.


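Putting the thread together as an added example (not code from any poster here): a script that generates the forwarding rules for any port, TCP and UDP, in the order #5 to #7 recommend (nat PREROUTING DNAT matched on the inbound interface, a rate-limited LOG rule before the ACCEPT, kernel forwarding enabled) plus the commands to check why a rule is not being hit. Function names, the log prefix and the debug commands are this example's own choices; it prints the rules instead of applying them.

```shell
#!/bin/sh
# Generate the iptables rules that forward one port from the WAN side to a LAN host.
# Helper names and the rule layout are this example's own (hypothetical).
# Usage: forward_port <proto> <wan_if> <lan_if> <lan_ip> <port>
forward_port() {
  proto=$1; wan_if=$2; lan_if=$3; lan_ip=$4; port=$5
  # nat table: rewrite the destination before the routing decision (DNAT).
  # Match on the inbound interface (-i eth0), not on an IP address, as #6 corrects.
  echo "iptables -t nat -A PREROUTING -i $wan_if -p $proto --dport $port -j DNAT --to-destination $lan_ip:$port"
  # filter table, FORWARD chain: log new connections first (rate limited), then accept.
  echo "iptables -A FORWARD -i $wan_if -o $lan_if -p $proto -d $lan_ip --dport $port -m conntrack --ctstate NEW -m limit --limit 3/min -j LOG --log-prefix \"FWD-$proto-$port: \""
  echo "iptables -A FORWARD -i $wan_if -o $lan_if -p $proto -d $lan_ip --dport $port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
}

# Needed once, not per port: kernel forwarding on, and the LAN host's replies
# allowed back out (conntrack matches them to the DNAT entry and un-NATs them).
forward_common() {
  wan_if=$1; lan_if=$2
  echo "sysctl -w net.ipv4.ip_forward=1"
  echo "iptables -A FORWARD -i $lan_if -o $wan_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# How to "debug" the rules: per-rule packet/byte counters show whether a rule is
# hit at all, and the LOG prefix shows up in the kernel log for new connections.
debug_commands() {
  echo "sysctl net.ipv4.ip_forward"
  echo "iptables -t nat -L PREROUTING -n -v --line-numbers"
  echo "iptables -L FORWARD -n -v --line-numbers"
  echo "dmesg | grep 'FWD-'"
}

# Print the full rule set for the addresses in the question; pipe into sh as root to apply.
main() {
  forward_common eth0 eth1
  for proto in tcp udp; do forward_port "$proto" eth0 eth1 10.2.1.52 22; done
  debug_commands
}
main
```

If 10.2.1.52 does not route its replies back through this machine (it is not the LAN host's default gateway), an additional `iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE` rule is required; the question's second attempt used SNAT for the same purpose.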