Iptables DNAT single port

Aaron A asked:

I’m trying to redirect a single port to a local server via IPtables. Currently I have the following rules:

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 55555 -j DNAT --to-destination
iptables -t nat -A POSTROUTING -j MASQUERADE

When I have these rules in place, my rsync process over ssh fails. I'm assuming something here is conflicting, but I'm not sure what. Any suggestions? Thanks!

Update: Here are the rules I have in place to allow the rsync over ssh connection. My input policy is set to drop. Other policies are set to accept.

iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -s -d -i lo -j ACCEPT

Update 2

Here are the results of iptables-save for the nat:

[0:0] -A PREROUTING -p tcp -m tcp --dport 53306 -j DNAT --to-destination

My answer:

Your DNAT and MASQUERADE rules are missing an interface specification. Without these, they attempt to work on all traffic, in both directions, which is not what you want.

A DNAT rule should specify the inbound interface (e.g. -i enp2s1) on which the connection arrives; generally this is the WAN/Internet facing interface. And an SNAT or MASQUERADE rule should specify the outbound interface (e.g. -o enp2s1) on which traffic departs; again this is usually the WAN/Internet facing interface.
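As an added illustration (not part of the original question or answer), the script below does two things: it generates an interface-scoped DNAT/MASQUERADE pair in iptables-save syntax for a given WAN interface, port and internal host, and it lints a set of nat-table rules, flagging any DNAT rule that lacks `-i` and any SNAT/MASQUERADE rule that lacks `-o`, which is exactly the defect in the rules quoted above. The interface name `enp2s1`, the address `192.0.2.10` and the sample rules are constructed placeholders; nothing here touches the live firewall, so it can be run against `iptables-save -t nat` output before loading rules.

```shell
#!/bin/sh
# Added example, not from the original post. Lints nat rules in iptables-save
# format for missing interface matches and generates a correctly scoped pair.
# Interface, port and address values are constructed placeholders.

# Constructed sample input: the two unscoped rules from the question, followed
# by a corrected pair that is restricted to the WAN-facing interface.
SAMPLE_RULES='-A PREROUTING -p tcp -m tcp --dport 55555 -j DNAT --to-destination 192.0.2.10:55555
-A POSTROUTING -j MASQUERADE
-A PREROUTING -i enp2s1 -p tcp -m tcp --dport 55555 -j DNAT --to-destination 192.0.2.10:55555
-A POSTROUTING -o enp2s1 -j MASQUERADE'

# Read rules on stdin; print each rule that is missing its interface match.
# Returns 1 if any unscoped rule was found, 0 otherwise.
lint_nat_rules() {
    found=0
    while IFS= read -r rule; do
        case "$rule" in
            *"-j DNAT"*)
                case "$rule" in
                    *" -i "*) ;;                      # inbound interface present
                    *) echo "DNAT without -i: $rule"; found=1 ;;
                esac ;;
            *"-j MASQUERADE"*|*"-j SNAT"*)
                case "$rule" in
                    *" -o "*) ;;                      # outbound interface present
                    *) echo "SNAT/MASQUERADE without -o: $rule"; found=1 ;;
                esac ;;
        esac
    done
    return $found
}

# Number of unscoped rules in the string passed as $1.
count_unscoped() {
    printf '%s\n' "$1" | lint_nat_rules | wc -l | tr -d ' '
}

# Emit a DNAT/MASQUERADE pair scoped to one interface, in iptables-save syntax:
#   scoped_rules <wan-iface> <tcp-port> <internal-host>
scoped_rules() {
    wan=$1; port=$2; host=$3
    printf -- '-A PREROUTING -i %s -p tcp -m tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$wan" "$port" "$host" "$port"
    printf -- '-A POSTROUTING -o %s -j MASQUERADE\n' "$wan"
}

# Usage when run directly: lint the constructed sample, then show a clean pair.
if [ "${0##*/}" != "sh" ] && [ -z "$LINT_NO_MAIN" ]; then
    printf '%s\n' "$SAMPLE_RULES" | lint_nat_rules
    echo "--- scoped replacement (dry run, prepend 'iptables -t nat' to apply) ---"
    scoped_rules enp2s1 55555 192.0.2.10
fi
```

The lint is a string check on iptables-save lines, so it also works on a saved ruleset file (`iptables-save -t nat > nat.rules; lint_nat_rules < nat.rules`). It deliberately looks only for the `-i`/`-o` matches the answer calls for; it does not judge whether the chosen interface is actually the WAN side.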

View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.