Iptables DNAT single port

Aaron A asked:

I’m trying to redirect a single port to a local server via IPtables. Currently I have the following rules:

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 55555 -j DNAT --to-destination 10.188.44.125:3306
iptables -t nat -A POSTROUTING -j MASQUERADE

When I have these rules in place, my rsync process over ssh fails. I’m assuming something here is conflicting, but I’m not sure what. Any suggestions? Thanks!

Update: Here are the rules I have in place to allow the rsync over ssh connection. My input policy is set to drop. Other policies are set to accept.

iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -i lo -j ACCEPT

Update 2

Here are the results of iptables-save for the nat:

*nat
:PREROUTING ACCEPT [8:468]
:INPUT ACCEPT [7:408]
:OUTPUT ACCEPT [2:134]
:POSTROUTING ACCEPT [0:0]
[0:0] -A PREROUTING -p tcp -m tcp --dport 53306 -j   DNAT --to-destination 10.183.42.125:3306
[2:134] -A POSTROUTING -j MASQUERADE
COMMIT

My answer:


Your DNAT and MASQUERADE rules are missing an interface specification. Without these, they attempt to work on all traffic, in both directions, which is not what you want.

A DNAT rule should specify the inbound interface (e.g. -i enp2s1) on which the connection arrives; generally this is the WAN/Internet facing interface. And an SNAT or MASQUERADE rule should specify the outbound interface (e.g. -o enp2s1) on which traffic departs; again this is usually the WAN/Internet facing interface.


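As an added example (my own, not code from the original answer), here are the questioner's two rules rewritten with the interface restrictions the answer calls for. It assumes the Internet-facing interface is enp2s1 (the answer's example name) and takes the port and destination from the question's first set of rules; run with no argument it only prints the commands, `apply` installs them, and `check` counts installed NAT rules that still lack an interface.

```shell
#!/bin/sh
# Added example, not code from the original answer: the questioner's NAT rules
# with the -i/-o restrictions the answer recommends.
# Assumptions: WAN interface enp2s1 (the answer's example name); port 55555 and
# destination 10.188.44.125:3306 come from the question. Override via env, e.g.
# WAN_IF=eth0.

WAN_IF="${WAN_IF:-enp2s1}"
PUB_PORT="${PUB_PORT:-55555}"
DST="${DST:-10.188.44.125:3306}"

# Print the iptables command when DRY_RUN is set, otherwise run it (needs root).
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Install the two rules. DNAT now matches only connections arriving on the WAN
# interface, and MASQUERADE rewrites only packets leaving through it, so traffic
# on every other interface keeps its real addresses.
nat_rules() {
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp -m tcp --dport "$PUB_PORT" \
        -j DNAT --to-destination "$DST"
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Count installed DNAT/SNAT/MASQUERADE rules that carry neither -i nor -o;
# a non-zero result means an unscoped rule like the original ones is present.
unscoped_nat_rules() {
    iptables -t nat -S 2>/dev/null | grep -E -- '-j (DNAT|SNAT|MASQUERADE)' \
        | grep -v -E -- '( -i | -o )' | wc -l
}

case "${1:-}" in
    apply) nat_rules ;;             # install the rules
    check) unscoped_nat_rules ;;    # report unscoped NAT rules
    *)     DRY_RUN=1 nat_rules ;;   # default: just show the commands
esac
```
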
View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.