iptables v1.4.21: Couldn't load match `-d':No such file or directory

firewall iptables linux-networking port-forwarding

I am running kernel 3.14.18 and using iptables 1.4.21, built with these options: --static-enable --disable-shared.
When I run this command:
/sbin/iptables -A PREROUTING -m -d 127.3.0.2/24 -j DNAT --to-destination 10.0.0.1 -p udp -dport 69
I get this error message:
iptables v1.4.21: Couldn't load match `-d':No such file or directory

Can anyone help explain what I am missing?
Thank you in advance.

Best Answer

Hi, I have a host system with 2 interfaces, eth0 and eth1. eth0 will receive packets with an IP of 127.3.x.x. I want to forward these packets to go out of eth1 to a server (10.0.1). eth1 has an IP of 192.168.0.100. The server needs to see the packets as if they are coming from the host (192.168.0.100). I think I can remove the -m flag, but when I do, I am getting this error: iptables v1.4.21: multiple -d flags not allowed

In order to accomplish this, you would use the following iptables rules:

iptables -t nat -A PREROUTING -d 127.3.0.2/24 -p udp --dport 69 -j DNAT --to-destination 10.0.0.1
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.100

But you should replace 127.3.0.2/24 with either a single IP (i.e. 127.3.0.2) or a valid CIDR range (e.g. 127.3.0.0/24). 127.3.0.2/24 is not a valid CIDR range as a /24 would cover 127.3.0.0-127.3.0.254. This would also redirect any traffic to any IP in that range to port 69 on 10.0.0.1.

Also, since port 69 is TFTP, I feel obliged to mention: if you are trying to use this for PXE booting or another DHCP-based solution, there is a strong likelihood it will not work, as most vendors have trouble traversing subnets using PXE.
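For context on the two error messages in the question: `-m -d` tells iptables to load a match extension literally named `-d` (it looks for a module by that name, hence "No such file or directory"), and `-dport 69` is read by getopt as the short option `-d` with the argument `port`, which is the second `-d` that triggers "multiple -d flags not allowed". The `--dport` spelling in the answer avoids that. The script below is an added example, not code from the question or the answer: it checks the destination spec the way the answer recommends (a single host, or a network address whose host bits are all zero for the given prefix) and prints the DNAT/SNAT rule pair with the thread's addresses filled in. The `APPLY=1` convention for actually running the rules is an assumption of this script; by default it only prints them, so it is safe to run as non-root.

```shell
#!/bin/sh
# Added example (not from the original thread). Validates an iptables -d
# destination spec and emits the PREROUTING DNAT / POSTROUTING SNAT pair from
# the answer. Rules are only executed when APPLY=1 is set (assumed convention).

# ip4_to_int A.B.C.D -> decimal 32-bit value. Returns 1 on malformed input.
ip4_to_int() {
    _saved_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_saved_ifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        case $_octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$_octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip4 N -> dotted quad.
int_to_ip4() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# check_dest SPEC: accept "A.B.C.D" or "A.B.C.D/N" only if the host bits are
# zero. Prints the canonical spec; for something like 127.3.0.2/24 it returns 1
# and names the two alternatives the answer suggests (single host or whole net).
check_dest() {
    _spec=$1
    case $_spec in
        */*) _addr=${_spec%/*}; _plen=${_spec#*/} ;;
        *)   _addr=$_spec;      _plen=32 ;;
    esac
    _n=$(ip4_to_int "$_addr") || { echo "bad address: $_addr" >&2; return 1; }
    case $_plen in
        ''|*[!0-9]*) echo "bad prefix: $_plen" >&2; return 1 ;;
    esac
    [ "$_plen" -le 32 ] || { echo "bad prefix: $_plen" >&2; return 1; }
    if [ "$_plen" -eq 0 ]; then
        _mask=0
    else
        _mask=$(( (4294967295 << (32 - _plen)) & 4294967295 ))
    fi
    _net=$(( _n & _mask ))
    if [ "$_net" -ne "$_n" ]; then
        echo "host bits set in $_spec: use $_addr (one host) or $(int_to_ip4 "$_net")/$_plen (whole range)" >&2
        return 1
    fi
    if [ "$_plen" -eq 32 ]; then echo "$_addr"; else echo "$_addr/$_plen"; fi
}

# nat_rules DEST UDP_PORT TARGET OUT_IF SNAT_SRC: print the two rules from the
# answer. Fails (no output) if DEST does not pass check_dest.
nat_rules() {
    _dest=$(check_dest "$1") || return 1
    printf 'iptables -t nat -A PREROUTING -d %s -p udp --dport %s -j DNAT --to-destination %s\n' "$_dest" "$2" "$3"
    printf 'iptables -t nat -A POSTROUTING -o %s -j SNAT --to-source %s\n' "$4" "$5"
}

# Values from the thread: TFTP (udp/69) to 127.3.0.2, forwarded to 10.0.0.1
# out of eth1, source-rewritten to eth1's address 192.168.0.100.
if [ "${APPLY:-0}" = 1 ]; then
    nat_rules 127.3.0.2 69 10.0.0.1 eth1 192.168.0.100 | sh -e
else
    nat_rules 127.3.0.2 69 10.0.0.1 eth1 192.168.0.100
fi
```

Calling `nat_rules 127.3.0.2/24 ...` instead prints nothing and reports on stderr that the spec has host bits set, offering `127.3.0.2` or `127.3.0.0/24`, so the ambiguity the answer warns about is caught before any rule reaches the kernel.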