Linux – iptables port forwarding for active UDP connections

iptableslinuxnetworkingport-forwardingudp

I am trying to set up port forwarding on UDP from port 12345 to port 54321 using the following:

iptables -t nat -A PREROUTING -p udp -i eth0 -d 192.168.0.1  --dport 12345 -j DNAT --to 192.168.0.1:54321

iptables -A FORWARD -p udp -i eth0 -d 192.168.0.1 --dport 54321 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

This works fine for new connections, however, it wouldn't work for connections currently active.

To clarify what I mean, let's say that before adding the rules, there is an active connection from 192.168.0.2:55555 <—> 192.168.0.1:12345, and I am trying to redirect all incoming connections on 192.168.0.1:12345 to 192.168.0.1:54321.

After adding the above two rules, all other packets destined to 192.168.0.1:12345 are received at 192.168.0.1:54321 except the ones from 192.168.0.2:55555.

I guess the state of the connection plays a role in this. How can I solve this and get the packets from 192.168.0.1:55555 destined to port 12345 get delivered to port 54321?

Best Answer

I figured out how to do it!

You need to use the REDIRECT on NAT! However before that you have to erase the entry corresponding to this connection from conntrack! Something like the following

conntrack -D -p udp -d  192.168.0.1 --dport=55555

Related Solutions

Linux – iptables port forward forwarding

You're sending the traffic to 10.52.208.221. Given the config you posted, your problem is the webserver, not the firewall. Your rules look to be correct. FORWARD and INPUT are redirected to RH-Firewall-1-INPUT where your first rule is to allow all traffic. As somebody else pointed out, you could be allowing all traffic on eth1, while the world is actually coming in eth0. Secondary, you have to NAT the traffic as it goes back out to the world

iptables --table nat --append POSTROUTING --proto tcp --dport 80 --jump MASQUERADE -o OUT_INTERFACE

Your traffic originating from the router will never hit the input or forward chains, but instead traverse the output chain on to the webserver. Other systems in that subnet will similarly go directly to the webserver. Systems out on the world at large however will traverse the INPUT / FORWARD chains and need SNAT as well as DNAT so that it appears to the world to be one machine. You still cannot test from within your network. you must test from the opposite interface from the webserver. Get me your IP addresses and I'll point you to the proper configs.

Linux Port Forwarding to different IPs

Unless I am misunderstanding, why not simply map different target ports on the Linux Server to port 80 on the backend devices. For example:

Netbook --> 192.168.1.1:8080 (Linux Server) --> 192.168.0.2:80 (NAS)
Netbook --> 192.168.1.1:8081 (Linux Server) --> 192.168.0.1:80 (Router)

You already have the commands you need, you just need to set --dport to a different target port on the Linux Server, while specifying port 80 in --to-destination.

Related Topic