iptables redirect port connection to different host:port, continued

mfoley · 09-15-2023, 04:06 PM

I want to route LAN request to host 192.168.0.2:1234 to host 192.168.0.99:4567. I've tried the following iptables rule on host 192.168.0.2:

Code:

iptables -t nat -A PREROUTING -s 192.168.0.0/24 --protocol tcp --dport 1234 -j DNAT --to-destination 198.162.0.99:4567

# (from some host other than 192.168.0.2 ...)

$ telnet 192.168.0.2 1234
Trying 192.168.0.2...
telnet: connect to address 192.168.0.2: Connection timed out

I'm no iptables expert. Maybe I should use the FORWARD table instead or in addition to?

Help appreciated.

nini09 · 09-15-2023, 08:24 PM

You need to add another rule.
iptables -t nat -A POSTROUTING -p tcp -d 192.168.0.99 --dport 4567 -j SNAT --to-source 192.168.0.2:1234

mfoley · 09-25-2023, 09:48 PM

Thanks,but still not working. I'm un-obfuscating my IP and ports ... in case that helps. Maybe I'm still doing something wrong:

Code:

iptables -t nat -A PREROUTING -s 192.168.0.0/24 --protocol tcp --dport 1903 -j DNAT --to-destination 198.162.0.4:3389
iptables -t nat -A POSTROUTING -p tcp -d 192.168.0.4 --dport 3389 -j SNAT --to-source 192.168.0.2:1903

Then on LAN host 192.168.0.3:

Code:

$ telnet 192.168.0.2 1903
Trying 192.168.0.2...
telnet: connect to address 192.168.0.2: Connection timed out

If I try directly to 192.168.0.4 from 192.168.0.3 I get connected:

Code:

$ telnet 192.168.0.4 3389
Trying 192.168.0.4...
Connected to 192.168.0.4.
Escape character is '^]'.

nini09 · 09-26-2023, 03:02 PM

Use tcpdump tool to sniffer packet on 192.168.0.3, 192.168.0.2 and 192.168.0.4 to find out where the packet is wrong. And then you can add more iptable rule.