I want to forward traffic destined for port 100 to 127.0.0.1:101. The actual goal is to forward to a different IP:PORT, but for the sake of just getting stuff to work I have a socket listening on *:100.
From this site, and googling "iptables port forwarding howto", I've been led to believe the syntax is as follows, which is part of my ruleset.
#Set default policies to DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
#Flush ruleset
iptables -F
iptables -t nat -F
iptables -t filter -F
#Allow local access
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#Allow ESTABLISHED,RELATED
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#Allow outbound SYN requests
iptables -A OUTPUT -o eth0 -m state --state NEW -j ACCEPT
#### The routing related
# Allow SYN requests for the port-to-be-forwarded
iptables -A INPUT -i eth0 -p tcp --dport 100 -m state --state NEW -j ACCEPT
# Route to 127.0.0.1:101
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 100 -j DNAT --to-destination 127.0.0.1:101
# Accept the forward
iptables -t filter -A FORWARD -i eth0 -p tcp --dport 101 -j ACCEPT
# Accept all related in forward
iptables -t filter -A FORWARD -i eth0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
My sysctl settings are:
# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.log_martians = 1
kernel.randomize_va_space = 1
# cat /proc/sys/net/ipv4/conf/eth0/forwarding
1
nmap states the port is closed for connect() and SYN scans, but open|filtered for FIN and Xmas scans.
What am I missing?
Best Answer
The solution was partly based on wolfgansz's answer. As I was not originally registered as a user on serverfault, and have since cleared my cookies, it doesn't seem that I can just post a comment.
Default policies are DROP for INPUT and OUTPUT chains, and ACCEPT for FORWARD.
And finally, to use it: add_forward "My forward", "192.168.0.101" 100 101
$MYIP is defined as the eth0 public IP; $VMNETIP is the vmware NAT interface.
So all in all, this enables incoming connections on eth0:100 to be bridged through the vmnet NAT interface to a virtual machine.
Hopefully, this can help someone else as well.
The primary tool for debugging was tcpdump on both the host and guest systems: "tcpdump -i eth0 port 100" for listening on the host. This revealed a problem with me setting an incorrect IP in the POSTROUTING rule, which made eth0 just drop the packets.
Thanks for the help.
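As an added example (not the poster's add_forward function, whose body is not reproduced above, and not part of the original question or answer), the script below covers both cases discussed on this page: the question's DNAT to 127.0.0.1 on the same host, and the answer's forward to a VM behind the vmnet NAT interface. Two facts it relies on: the filter table sees a packet after nat/PREROUTING has rewritten it, so INPUT and FORWARD rules must match the post-DNAT port (101, not 100); and a packet DNATed to 127.0.0.1 is delivered locally via INPUT, not FORWARD, and is dropped as a martian on a non-loopback interface unless route_localnet (Linux 3.6 and later) is enabled. The interface eth0, the public address 203.0.113.10 and the VM address 192.168.0.101 are assumed values; IPT and SYSCTL can be pointed at echo for a dry run.

```shell
#!/bin/sh
# Added example, not the original poster's add_forward: forward TCP
# connections arriving on IFACE:DPORT to TARGET:TPORT with iptables.
# Values used below (eth0, 203.0.113.10, 192.168.0.101) are assumptions.
# Run with IPT=echo SYSCTL=echo to print the rules instead of loading them.
set -eu

IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"

# Default-DROP policy, loopback allowed, and one stateful rule per chain
# so that the reply half of every flow set up below is covered once.
base_rules() {
    "$SYSCTL" -w net.ipv4.ip_forward=1
    "$IPT" -F
    "$IPT" -t nat -F
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT DROP
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A OUTPUT -o lo -j ACCEPT
    for chain in INPUT OUTPUT FORWARD; do
        "$IPT" -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    done
    "$IPT" -A OUTPUT -m state --state NEW -j ACCEPT
}

# add_forward IFACE PUBIP DPORT TARGET TPORT
add_forward() {
    af_iface=$1 af_pubip=$2 af_dport=$3 af_target=$4 af_tport=$5

    # nat/PREROUTING rewrites the destination first; every filter rule
    # after it therefore has to match the post-DNAT address and port.
    "$IPT" -t nat -A PREROUTING -i "$af_iface" -d "$af_pubip" -p tcp --dport "$af_dport" \
        -j DNAT --to-destination "$af_target:$af_tport"

    case "$af_target" in
    127.*)
        # A packet DNATed to loopback is delivered locally, so it traverses
        # INPUT (not FORWARD). The kernel also drops 127/8 destinations
        # arriving on a real interface as martians unless route_localnet
        # (Linux 3.6+) is enabled on that interface.
        "$SYSCTL" -w "net.ipv4.conf.$af_iface.route_localnet=1"
        "$IPT" -A INPUT -i "$af_iface" -d "$af_target" -p tcp --dport "$af_tport" \
            -m state --state NEW -j ACCEPT
        ;;
    *)
        # Another host (e.g. a VM behind the vmnet NAT interface): the SYN
        # goes through FORWARD, and MASQUERADE on the egress interface
        # picks that interface's own address as source, so there is no
        # SNAT address to get wrong.
        "$IPT" -A FORWARD -i "$af_iface" -d "$af_target" -p tcp --dport "$af_tport" \
            -m state --state NEW -j ACCEPT
        "$IPT" -t nat -A POSTROUTING -d "$af_target" -p tcp --dport "$af_tport" -j MASQUERADE
        ;;
    esac
}

case "${1:-}" in
    apply)
        base_rules
        add_forward eth0 203.0.113.10 100 192.168.0.101 101
        ;;
    dry-run)
        IPT=echo SYSCTL=echo
        base_rules
        add_forward eth0 203.0.113.10 100 192.168.0.101 101
        ;;
esac
```

Run it as `sh forward.sh dry-run` to see the generated rules, then `sh forward.sh apply` as root. MASQUERADE on the way to the VM hides the client's address from the guest; it can be dropped if the guest's default route already points at the host, in which case conntrack alone un-DNATs the replies.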