Redirect to another port
Tell me whether this rule is correct:
iptables -t nat -A PREROUTING -p tcp --dport 22 -d 192.168.2.90/24 -s 192.168.2.111/24 --sport 888 -j REDIRECT --to-ports 22
which should redirect from 192.168.2.111 port 888 to 192.168.2.90 port 22. The ssh client in PuTTY is configured with 192.168.2.111 port 888, and it gets redirected to the ssh server 192.168.2.90 port 22?
Re: Redirect to another port
Honestly, I barely understood what you want to build. But the rule
> which should redirect from 192.168.2.111 port 888 to 192.168.2.90 port 22
would look roughly like this:
-t nat -A PREROUTING -s 192.168.2.111 --sport 888 -p tcp -m tcp -j DNAT --to-destination 192.168.2.90:21
Re: Redirect to another port
Can the same rule be done for FreeBSD 5.3? This is a different anonymous 😉
Re: Redirect to another port
iptables v1.2.11: Unknown arg `--sport'
Re: Redirect to another port
Anyway, I wrote it differently:
iptables -t nat -I PREROUTING -p tcp -d 192.168.2.111 --dport 22 -s 0/0 --sport 888 -j DNAT --to-destination 192.168.2.90:22
When I try to connect from the local network to 2.111 over ssh I get Connection Refused.
Re: Redirect to another port
First, look in iptables-save and check whether you have extra rules very similar to the one we are talking about.
Then add the rule with the -A parameter specifically:
iptables -t nat -A PREROUTING -p tcp -d 192.168.2.111 --dport 22 -j DNAT --to-destination 192.168.2.90:22
Now if you connect to 2.111 over ssh, you will be thrown to 2.90:22 (ssh).
Re: Redirect to another port
I deliberately used -I.
Apr 25 14:28:55 gate kernel: SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.2.111 DST=192.168.2.101 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 PROTO=ICMP TYPE=5 CODE=1 GATEWAY=192.168.2.90 [SRC=192.168.2.101 DST=192.168.2.90 LEN=48 TOS=0x00 PREC=0x00 TTL=127 PROTO=TCP SPT=1901 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402) ]
Apr 25 14:28:55 gate kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=eth0 SRC=192.168.2.101 DST=192.168.2.90 LEN=48 TOS=0x00 PREC=0x00 TTL=127 PROTO=TCP SPT=1901 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Re: Redirect to another port
Thanks, I read it. But:
iptables -t nat -I PREROUTING -i eth0 -p tcp -d 192.168.2.111 --dport 888 -s 192.168.2.101/24 -j DNAT --to-destination 192.168.2.90:22
iptables -I FORWARD -p tcp -s 192.168.2.101 -d 192.168.2.90 --dport 22 -j ACCEPT
iptables -I FORWARD -p tcp -d 192.168.2.101 -s 192.168.2.90 --sport 22 -j ACCEPT
Apr 25 17:21:31 gate kernel: SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.2.111 DST=192.168.2.101 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 PROTO=ICMP TYPE=5 CODE=1 GATEWAY=192.168.2.90 [SRC=192.168.2.101 DST=192.168.2.90 LEN=48 TOS=0x00 PREC=0x00 TTL=127 PROTO=TCP SPT=2755 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402) ]
Re: Redirect to another port
Understood. But PuTTY still returns Connection Timeout.
Apr 26 10:14:02 expire kernel: SFW2-INint-ACC-ALL-INT IN=eth2 OUT= SRC=192.168.2.101 DST=192.168.2.90 LEN=40 TOS=0x00 PREC=0x00 TTL=128 PROTO=TCP SPT=4017 DPT=22 WINDOW=17680 RES=0x00 ACK URGP=0
Re: Redirect to another port
On 2.111:
iptables -t nat -I PREROUTING -i eth0 -p tcp -d 192.168.2.111 --dport 888 -s 192.168.2.101/24 -j DNAT --to-destination 192.168.2.90:22
iptables -I FORWARD -p tcp -s 192.168.2.101 -d 192.168.2.90 --dport 22 -j ACCEPT
iptables -I FORWARD -p tcp -d 192.168.2.101 -s 192.168.2.90 --sport 22 -j ACCEPT
Apr 26 17:48:49 gate kernel: SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.2.111 DST=192.168.2.101 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 PROTO=ICMP TYPE=5 CODE=1 GATEWAY=192.168.2.90 [SRC=192.168.2.101 DST=192.168.2.90 LEN=48 TOS=0x00 PREC=0x00 TTL=127 PROTO=TCP SPT=2520 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402) ]
On 2.90:
iptables -I INPUT -i eth2 -s 192.168.2.101 -d 192.168.2.90 -p tcp --dport 22 -j ACCEPT
iptables -I OUTPUT -o eth2 -s 192.168.2.90 -d 192.168.2.101 -p tcp --sport 22 -j ACCEPT
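The thread ends without a resolution, so here is an added example (not a post from the thread) of the port forward being built above, together with the two things its own log lines point at. ICMP TYPE=5 CODE=1 is "Redirect for Host": the gateway (.111) tells the client (.101) to reach .90 directly, because the DNATed packet is forwarded back out the interface it arrived on. SFW2-FWDint-DROP-DEFLT is that forwarded packet hitting the default FORWARD policy. And because client, gateway and server all sit on 192.168.2.0/24, the server's replies go straight to the client with source .90:22 rather than .111:888, so the client never sees a SYN-ACK for the connection it opened and PuTTY times out. The script assumes the addresses from the thread (gateway 192.168.2.111 on eth0, server 192.168.2.90:22, public port 888, /24 prefix) and adds a POSTROUTING SNAT for exactly that same-subnet ("hairpin") case, at the price that the server then logs the gateway's address instead of the client's.

```shell
#!/bin/sh
# Added example: DNAT port forward with FORWARD rules and a hairpin SNAT.
# Values below are assumptions taken from the thread above.
GW_IP=192.168.2.111 GW_IF=eth0 SRV_IP=192.168.2.90 SRV_PORT=22 PUB_PORT=888 PREFIX=24

# dotted quad -> integer (POSIX sh only)
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( a * 16777216 + b * 65536 + c * 256 + d ))
}

# same_subnet IP1 IP2 PREFIXLEN: true when both addresses share the network part
same_subnet() {
    bits=$(( 32 - $3 ))
    [ $(( $(ip2int "$1") >> bits )) -eq $(( $(ip2int "$2") >> bits )) ]
}

# build_rules prints the commands in load order; apply runs them (see bottom).
build_rules() {
    # forwarding must be on, otherwise the DNATed packet is simply not routed
    echo 'sysctl -w net.ipv4.ip_forward=1'
    # 1. rewrite the destination on entry: .111:888 -> .90:22
    echo "iptables -t nat -A PREROUTING -i $GW_IF -p tcp -d $GW_IP --dport $PUB_PORT -j DNAT --to-destination $SRV_IP:$SRV_PORT"
    # 2. FORWARD sees the packet *after* DNAT, so match the server's port, not 888
    echo "iptables -A FORWARD -i $GW_IF -p tcp -d $SRV_IP --dport $SRV_PORT -m conntrack --ctstate NEW -j ACCEPT"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # 3. hairpin: if server and gateway share the subnet, the server would answer the
    #    client directly; SNAT to the gateway so replies return through it and are
    #    un-NATed back to .111:888 by conntrack.
    if same_subnet "$GW_IP" "$SRV_IP" "$PREFIX"; then
        echo "iptables -t nat -A POSTROUTING -o $GW_IF -p tcp -d $SRV_IP --dport $SRV_PORT -j SNAT --to-source $GW_IP"
    fi
}

# Run with --apply as root on the gateway; without it the script only prints.
if [ "${1:-}" = "--apply" ]; then
    build_rules | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd || { echo "failed: $cmd" >&2; exit 1; }
    done
fi
```

With the SNAT in place the ICMP redirects stop mattering, because the server no longer has a reason to answer the client directly. Check with `iptables -t nat -L -n -v` that the DNAT and SNAT counters both increase when a client connects to port 888.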
Iptables: a few words about the REDIRECT target, its limitations and where it applies
This note is about the REDIRECT target in iptables, its limitations and the situations it is meant for.
Iptables and REDIRECT
The REDIRECT target is meant to redirect packets from one set of ports to another within a single system, without leaving the host.
REDIRECT works only in the PREROUTING and OUTPUT chains of the nat table, so its scope comes down to redirecting one port to another. Most often it is used for a transparent proxy: a client on the local network connects to port 80 and the gateway redirects the packets to the proxy's local port:
Suppose we want to change an application's port purely by redirecting with iptables, without touching the daemon's configuration. Let the new port be 5555 and the application port 22. So we need a redirect from port 5555 to 22.
REDIRECT and a remote client
The first step is obvious and is the same as in the example above:
However, this rule works only for external clients and only while the application port is open.
REDIRECT and a local client
The previous rule does not work for the iptables host itself, because packets generated on the host never pass through the PREROUTING chain of the nat table. For the same thing to work on the local machine, add the redirect to the OUTPUT chain of the nat table:
Now a local client can connect on port 5555 too.
REDIRECT and a closed port
The point of this scenario is to use a non-standard port and keep the application port closed, but if you add a DROP rule for port 22 in the INPUT chain, port 5555 stops answering as well. The trick is to open the application port in the INPUT chain and drop it in the mangle table:
Full ruleset
Redirect with both network and local access, with the application port closed:
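The note's own rule listings did not survive extraction. What follows is an added example, not the note's ruleset, implementing the scenario it describes (application on TCP 22, public port 5555) with the details the note leaves implicit: the local-client REDIRECT is limited to the host's own addresses with the addrtype match so that outbound connections to other hosts on 5555 are untouched, and the mangle DROP excludes loopback, because a locally redirected packet re-enters the stack via lo already carrying destination port 22. The port numbers are the note's; the interface handling and the conntrack-based INPUT rules are assumptions of this example.

```shell
#!/bin/sh
# Added example: REDIRECT 5555 -> 22 for remote and local clients while port 22
# itself is closed on the network. Ports are the note's, the rest is assumed.
APP_PORT=22
PUB_PORT=5555

# build_rules prints the rules in load order; apply_rules executes them.
build_rules() {
    # Remote clients: nat PREROUTING rewrites dport 5555 -> 22 before the routing
    # decision, so the filter INPUT chain later sees dport 22.
    printf 'iptables -t nat -A PREROUTING ! -i lo -p tcp --dport %s -j REDIRECT --to-ports %s\n' "$PUB_PORT" "$APP_PORT"
    # Local clients: locally generated packets never traverse PREROUTING, so the same
    # REDIRECT goes into nat OUTPUT, limited to the host's own addresses.
    printf 'iptables -t nat -A OUTPUT -p tcp -m addrtype --dst-type LOCAL --dport %s -j REDIRECT --to-ports %s\n' "$PUB_PORT" "$APP_PORT"
    # Closing the real port: mangle PREROUTING runs before the NAT hook for every
    # packet of a connection, so a packet that arrived for 22 still has dport 22 here
    # and is dropped, while a packet for 5555 passes and only becomes 22 afterwards.
    # Loopback is excluded because the locally redirected packet re-enters via lo.
    printf 'iptables -t mangle -A PREROUTING ! -i lo -p tcp --dport %s -j DROP\n' "$APP_PORT"
    # filter INPUT: by now every legitimate client, remote or local, has dport 22,
    # so 22 (not 5555) is what must be accepted; 5555 never reaches this chain.
    printf 'iptables -A INPUT -i lo -j ACCEPT\n'
    printf 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    printf 'iptables -A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$APP_PORT"
    printf 'iptables -P INPUT DROP\n'
}

apply_rules() {
    build_rules | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd || { echo "failed: $cmd" >&2; exit 1; }   # needs root and iptables
    done
}

# Run with --apply as root; without it the script only prints the rules.
if [ "${1:-}" = "--apply" ]; then
    apply_rules
fi
```

To verify after loading: from another host, a connection to port 22 should time out while `ssh -p 5555 HOST` works; on the host itself, `ssh -p 5555 127.0.0.1` and `ssh -p 5555 <own address>` both work, and `iptables -t mangle -L PREROUTING -n -v` shows the DROP counter growing only for direct attempts on 22.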
Linux iptables: Port Redirection Example
How do I redirect port 80 to 8123 using iptables?
You can redirect incoming traffic by inserting rules into the PREROUTING chain of the nat table. The destination port is set with the REDIRECT target.
Syntax
The syntax is as follows to redirect tcp port $srcPortNumber to $dstPortNumber:
The syntax is as follows to redirect udp port $srcPortNumber to $dstPortNumber:
Replace eth0 with your actual interface name. The following syntax matches on source and destination IPs:
Examples:
The following example redirects TCP port 25 to port 2525:
In this example all incoming traffic on port 80 is redirected to port 8123:
Quoting from the iptables man page:
The OUTPUT chain example:
How Do I View NAT Rules?
Type the following command:
How Do I Save NAT Redirect Rules?
Type the following command:
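The command lines of the Syntax, Examples, view and save sections are missing from this copy of the article. The script below is an added example, not the article's code, covering those four sections: it builds a PREROUTING REDIRECT rule for tcp or udp with an optional interface and optional source/destination matches, refuses invalid input instead of emitting a broken rule, and applies a rule only when an identical one is not already loaded (`iptables -C`), which keeps re-runs from stacking duplicates. It assumes root on the host that owns the ports, and the Red Hat-family save path /etc/sysconfig/iptables mentioned in the comments below; Debian and Ubuntu keep the file under /etc/iptables/rules.v4 with the iptables-persistent package.

```shell
#!/bin/sh
# Added example: parameterised REDIRECT rules with validation, idempotent apply,
# listing and saving. Interface, networks and ports in the apply block are assumed.

# accept 1..65535, digits only
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# redirect_rule PROTO SRC_PORT DST_PORT [IFACE] [SRC_CIDR] [DST_ADDR]
# Prints the iptables command on stdout; fails rather than emit a bad rule.
redirect_rule() {
    proto=$1 from=$2 to=$3 iface=${4:-} src=${5:-} dst=${6:-}
    case "$proto" in
        tcp|udp) ;;
        *) echo "redirect_rule: protocol must be tcp or udp" >&2; return 1 ;;
    esac
    if ! valid_port "$from" || ! valid_port "$to"; then
        echo "redirect_rule: ports must be 1-65535" >&2
        return 1
    fi
    set -- iptables -t nat -A PREROUTING
    if [ -n "$iface" ]; then set -- "$@" -i "$iface"; fi
    set -- "$@" -p "$proto"
    if [ -n "$src" ]; then set -- "$@" -s "$src"; fi
    if [ -n "$dst" ]; then set -- "$@" -d "$dst"; fi
    set -- "$@" --dport "$from" -j REDIRECT --to-ports "$to"
    echo "$*"
}

# add_redirect: same arguments; checks with -C first so a second run of the
# script does not append a second copy of the same rule.
add_redirect() {
    rule=$(redirect_rule "$@") || return 1
    check=$(printf '%s' "$rule" | sed 's/ -A PREROUTING / -C PREROUTING /')
    if $check 2>/dev/null; then
        echo "already present: $rule"
    else
        echo "+ $rule"
        $rule
    fi
}

# Run with --apply as root; without it nothing touches the firewall.
if [ "${1:-}" = "--apply" ]; then
    add_redirect tcp 25 2525 eth0                   # the article's SMTP example
    add_redirect tcp 80 8123 eth0                   # the article's HTTP example
    add_redirect udp 53 5353 eth0 192.168.1.0/24    # udp, one LAN only (assumed values)
    iptables -t nat -L PREROUTING -n -v --line-numbers   # view the NAT rules with counters
    iptables-save > /etc/sysconfig/iptables              # persist (Red Hat-family path)
fi
```

`iptables-save` on its own only prints the running ruleset; it is the redirection into the distribution's rules file (or the distribution's own save helper) that makes the rules survive a reboot.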
References:
Just came across this one. Never tried but good idea.
gotta love this site.
thanks for the 1000th time 😉
Please check my query and update me if it is possible by iptables or any other software…
I have 2 application servers (i.e. A and B)
A ip is :- 192.168.11.22 and port :- 7013 (single lan card)
B ip is :- 10.10.10.22 and port :- 8014 (single lan card)
Now i want to set port forwarding/ redirection. When any client request to 192.168.11.22:7013 it will redirect to 10.10.10.22:8014 . How it is possible by iptables or any other way ?
I think for nat , two lan cards are required……
and can we pass one machine traffic to other which are on internet via port redirection….?
Thank you! I always forget how to redirect
Well heck. I thought this was my answer but adding the iptables rule to redirect outbound port 25 traffic to port 2525 has no effect. (Ubuntu 10.04)
Mixmaster is giving me cat fits because ISPs have decided that we are not allowed to send RFC compliant e-mail any more. Ever. No matter what. Any suggestions?
Can we see packet , means redirection from port 80 to port 3128 or redirect of configured ports in iptables rule.
My question is that , is there any tool or utility, by use of it we can see how packet handle by iptables.
How about redirecting an internal request to go out over a different interface.
I got bond0 and wlan0.
The request for a specific server let’s call it foobar on port 443. I always want to go out over wlan0 and never over bond0.
God bless you. I’ve been looking for these!
all connections are being redirected to the proxy … Why, if it is set different from the 172.16.0.0/12 and those connections I’m also going through the proxy
$IPTABLES -A PREROUTING -t nat -p tcp -i eth2 -s 10.18.83.0/24 -d ! 172.16.0.0/12 -m multiport --dports 80,443 -j DNAT --to 172.19.100.206:3128
Thanks, this was very helpful 🙂
Hi, I’ve got a quite funny setup. I connect with ssh to server1 and establish a tunnel. Packets are generated I mark the packets on the OUTPUT chain and redirect them with ip route through a vpn gateway. This works fine.
But I want to redirect the port from 80 to 3028 and this does not work on the output chain. The rule is ignored. How can I redirect the port on the Postrouting chain?
single rule doesn't work if You have a big script. Could You please publish complete firewall script with all settings ?
Does this syntax guarantee the return path from $dstPortNumber back to $srcPortNumber as well? I tried this out and it seems that my client can receive packets on the dstPort just fine, but those sent back are lost somehow.
Can you do it without iptables?
every packet arriving to port 25 will be forward to 2525, but what happens to packets arriving to port 2525? I would like to redirect them to 25, should I also add this rule?
iptables -t nat -A PREROUTING -i venet0 -p tcp --dport 1:20 -j REDIRECT --to-port 411
following request:
iptables: No chain/target/match by that name.
You want to redirect 2525 -> 25, and 25 -> 2525 – why on earth would you think that’s a great idea?
I am trying to redirect request on port 80 to 8080 (as tomcat is listening on this);
Following are the rules I added;
iptables -I INPUT -p tcp --dport 80 -j ACCEPT
iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
But, I am unable to see the tomcat page when I hit http://xxx.xx.xx.xx/ from outside.
But, when I also add the following in the IPTABLES, it works;
iptables -I INPUT -p tcp --dport 8080 -j ACCEPT
But, my question is why do I also need to expose port 8080. Because, that way http://xxx.xx.xx.xx:8080/ and http://xxx.xx.xx.xx/ would both work.
could someone help me with a better solution in this regard.
As far as I know the PREROUTING rules are applied before the INPUT rules. More in general the rules from the nat table are applied before the rules in the filter table. So, in your case, any packet going to port 80 is redirected to port 8080 (iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080) and then it is filtered by the default DROP policy of the INPUT chain, which I assume you are using, in fact it doesn’t match the ACCEPT rule on port 80 (iptables -I INPUT -p tcp --dport 80 -j ACCEPT).
You have already verified it, as you said if you add a rule to accept INPUT packets on port 8080, both http://xxx.xx.xx.xx:8080/ and http://xxx.xx.xx.xx/ work properly. The former because it connects to port 8080 which is open, the latter because it connects to port 80 and gets redirected to port 8080 which is open.
To further verify it you should run iptables -L -n -v more times and check that the packet counter of the rule iptables -I INPUT -p tcp --dport 80 -j ACCEPT remains 0 even if you connect to http://xxx.xx.xx.xx/ between a run and the other.
As last option, for debugging purposes, you could add a LOG rule for packets on the 80 port and study the logs to see if any packet is accepted (syntax is easy, where the logs are depends on your system). Just remember to add it in the table just before the related ACCEPT rule and not after, otherwise the LOG rule would be ignored.
As last thing, don’t worry about how scary and difficult iptables can seem as everything I’ve told you I’ve learned this afternoon just by googling around and the good old trial and error 😉
Good luck
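As an added illustration of the answer above (not part of either comment), the script below shows the two rules as posted, a tightened replacement that answers the original question of how to avoid exposing 8080 outright, and the packet-counter check the answer recommends, run over a constructed `iptables -L INPUT -n -v -x` listing. The tightening relies on conntrack remembering the pre-NAT tuple: an INPUT rule for dport 8080 can be restricted with `-m conntrack --ctorigdstport 80` to connections whose original destination was port 80, i.e. those that came through the REDIRECT, while a direct hit on http://host:8080/ has original dport 8080 and falls through to the DROP policy. Tomcat on 8080, a default DROP policy and root for applying are assumptions.

```shell
#!/bin/sh
# Added example: nat PREROUTING runs before filter INPUT, so after a REDIRECT the
# INPUT chain must match the redirected port, and can be told to accept it only
# for redirected connections. Ports are the comment's; the rest is assumed.

# As posted: the REDIRECT fires first, INPUT never sees dport 80, and the ACCEPT
# on 80 is dead; the redirected packets (dport 8080) hit the DROP policy instead.
rules_as_posted() {
    echo 'iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080'
    echo 'iptables -I INPUT -p tcp --dport 80 -j ACCEPT'
}

# Tightened: accept dport 8080 only when the connection's *original* destination
# port (the pre-NAT tuple kept by conntrack) was 80.
rules_tightened() {
    echo 'iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080'
    echo 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo 'iptables -A INPUT -p tcp --dport 8080 -m conntrack --ctstate NEW --ctproto tcp --ctorigdstport 80 -j ACCEPT'
    echo 'iptables -P INPUT DROP'
}

# pkts_for_dport DPORT: reads an `iptables -L INPUT -n -v -x` listing on stdin and
# prints the packet counter of the ACCEPT rule for that destination port
# (target is column 3, the "dpt:N" match is the last column; -x gives exact counts).
pkts_for_dport() {
    awk -v want="dpt:$1" '$3 == "ACCEPT" && $NF == want { print $1; found = 1 }
                          END { if (!found) print "none" }'
}

# Constructed listing (not real output): the state after browsing to http://host/
# a few times with the rules as posted plus an ACCEPT on 8080. The port-80 rule
# stays at 0, which is exactly the check the answer above describes.
SAMPLE_LISTING='Chain INPUT (policy DROP 17 packets, 1020 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
      42    25200 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080'

port80_pkts()   { printf '%s\n' "$SAMPLE_LISTING" | pkts_for_dport 80; }
port8080_pkts() { printf '%s\n' "$SAMPLE_LISTING" | pkts_for_dport 8080; }

# Run with --apply as root to load the tightened set; then compare two runs of
# `iptables -L INPUT -n -v -x | pkts_for_dport 8080` around a few requests.
if [ "${1:-}" = "--apply" ]; then
    rules_tightened | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd || { echo "failed: $cmd" >&2; exit 1; }
    done
fi
```

If a LOG rule is added for debugging, as the answer suggests, it must sit before the ACCEPT it is meant to observe, since a packet that has been accepted is not evaluated against later rules in the chain.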
Hey I need help in port Redirection
This is my setup and it does not work
#iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 3390 -d 192.168.200.2 -j ACCEPT
#iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 3389 -j DNAT --to 192.168.200.2:3389
I have ubuntu server 12.04 with two network card
This eth0 LAN
This eth1 WAN
I need to access from any to the addresses 192.168.200.2 Port 3390 and redirect to Port 3389 to (RDP)
My firewall is disabled
Is there a way to redirect only the allowed traffic to a specific port?
Either I am able to redirect or drop but not both of them together.
doesn’t make the config persistent, that just dumps out the running config. You’ll need to backup
/etc/sysconfig/iptables then run
to make the running config persistent across reboots