Old 03-25-2014, 09:30 AM   #1
happyjack
local redirect IP Tables dnat external IP from Port 443 to 2443


Hello all,
I have a problem and I am in need of some assistance. For transparency's sake, I have posted this question on stackoverflow.com

I have a situation that I need some assistance with. I have a program that connects to an external device over 443. The customer has configured the port of the device to 2443. Currently I am running Ubuntu 12.04 and I need to be able to connect to this device with my program. I have tried to add some iptables for DNat but I am running into some problems.

The computer that I am running the program on is Ubuntu 12.04, eth0 192.168.0.12. I need to have my local computer ('iptables') translate the request 173.15.x.x:443 to 173.15.x.x:2443. This program that I am running is not web based, so an HTML proxy will not work. I would like my local computer (Ubuntu 12.04) to do a forward or translation for port 443 -> 2443 out and translate 2443 -> back in again.

Here are the IP tables that I have tried:
Code:
iptables -t nat -A INPUT  -j LOG --log-level 7
iptables -t nat -A PREROUTING  -j LOG --log-level 7
iptables -t nat -A POSTROUTING  -j LOG --log-level 7
iptables -t nat -A OUTPUT  -j LOG --log-level 7
iptables -t nat -A PREROUTING -p tcp -s 192.168.0.12 -d 173.15.x.x --dport 443 -j DNAT --to-destination 173.15.x.x:2443
iptables -t nat -A POSTROUTING -p tcp --dport 2443 -j MASQUERADE
I have been using firefox to verify the redirect (by looking at the logs)
Code:
Mar 24 13:24:42 sat-utils kernel: [ 1866.123026] IN= OUT=eth0 SRC=192.168.0.12 DST=173.15.x.x LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=16937 DF PROTO=TCP SPT=40025 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0
Mar 24 13:24:42 sat-utils kernel: [ 1866.123037] IN= OUT=eth0 SRC=192.168.0.12 DST=173.15.x.x LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=16937 DF PROTO=TCP SPT=40025 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0
Mar 24 13:24:42 sat-utils kernel: [ 1866.185679] IN= OUT=eth0 SRC=192.168.0.12 DST=173.15.x.x LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=54119 DF PROTO=TCP SPT=40026 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0
Mar 24 13:24:42 sat-utils kernel: [ 1866.185692] IN= OUT=eth0 SRC=192.168.0.12 DST=173.15.x.x LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=54119 DF PROTO=TCP SPT=40026 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0
I am not sure what I am doing wrong. Any advice would be helpful, and I would be grateful. Thanks,
HappyJack
 
Old 03-25-2014, 10:12 AM   #2
estabroo
Since it is a local machine that you want redirected, your DNAT rule needs to be in nat OUTPUT instead of nat PREROUTING. The rules you put in place will work for remote machines routing through this one.

iptables -t nat -A OUTPUT -p tcp -s 192.168.0.12 -d 173.15.x.x --dport 443 -j DNAT --to-destination 173.15.x.x:2443

Also, it being the local machine means you shouldn't need the masquerade rule either.
 
1 members found this post helpful.
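
An added example (not part of either post): the `IN= OUT=eth0` pair in the logged packets is what shows they were generated on the host itself and so never pass through nat PREROUTING. The sketch below reads those fields from a LOG line and prints, without running it, the DNAT rule in the matching chain. The function names and the second sample line are constructed for illustration.

```sh
#!/bin/sh
# Added example: choose the nat chain for a DNAT rule from a netfilter LOG line.
#   IN= empty, OUT= set -> packet was generated on this host -> nat OUTPUT
#   IN= set             -> packet arrived from the network   -> nat PREROUTING

# Print the value of KEY= from a kernel LOG line (empty if the key has no value).
log_field() {    # $1 = key, $2 = log line
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p" | head -n 1
}

nat_chain_for() {    # $1 = log line
    in_if=$(log_field IN "$1")
    out_if=$(log_field OUT "$1")
    if [ -n "$in_if" ]; then
        echo PREROUTING
    elif [ -n "$out_if" ]; then
        echo OUTPUT
    else
        echo UNKNOWN
        return 1
    fi
}

# Print (never run) a DNAT rule that rewrites only the destination port.
suggest_dnat() {    # $1 = log line, $2 = new destination port
    case $2 in ''|*[!0-9]*) echo "bad port: $2" >&2; return 1 ;; esac
    chain=$(nat_chain_for "$1") || return 1
    dst=$(log_field DST "$1")
    dpt=$(log_field DPT "$1")
    proto=$(log_field PROTO "$1" | tr 'A-Z' 'a-z')
    echo "iptables -t nat -A $chain -p $proto -d $dst --dport $dpt -j DNAT --to-destination $dst:$2"
}

# First log line from the original post (address elided there as well).
LOCAL_LINE='Mar 24 13:24:42 sat-utils kernel: [ 1866.123026] IN= OUT=eth0 SRC=192.168.0.12 DST=173.15.x.x LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=16937 DF PROTO=TCP SPT=40025 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0'
# Constructed line for a packet arriving on eth1 from another host (documentation addresses).
ROUTED_LINE='Mar 24 13:30:00 gw kernel: [ 2200.000001] IN=eth1 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4242 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0'

suggest_dnat "$LOCAL_LINE" 2443
suggest_dnat "$ROUTED_LINE" 2443
```

Only the first packet of a connection traverses the nat table, so one LOG line per new connection is enough to decide the chain.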
Old 03-25-2014, 05:51 PM   #3
happyjack
Thanks for the help, that worked great. I was thinking that my direction was wrong and yes, OUTPUT makes so much sense.

Thanks again,
HappyJack

 
  

