Aaron A asked:
I’m trying to redirect a single port to a local server via IPtables. Currently I have the following rules:
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 55555 -j DNAT --to-destination 10.188.44.125:3306
iptables -t nat -A POSTROUTING -j MASQUERADE
When I have these rules in place, my rsync process over ssh fails. I’m assuming something here is conflicting, but I’m not sure what. Any suggestions? Thanks!
Update: Here are the rules I have in place to allow the rsync over ssh connection. My INPUT policy is set to DROP. Other policies are set to ACCEPT.
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -i lo -j ACCEPT
Here are the results of iptables-save for the nat:
*nat
:PREROUTING ACCEPT [8:468]
:INPUT ACCEPT [7:408]
:OUTPUT ACCEPT [2:134]
:POSTROUTING ACCEPT [0:0]
[0:0] -A PREROUTING -p tcp -m tcp --dport 53306 -j DNAT --to-destination 10.183.42.125:3306
[2:134] -A POSTROUTING -j MASQUERADE
COMMIT
Your DNAT and MASQUERADE rules are missing an interface specification. Without these, they attempt to work on all traffic, in both directions, which is not what you want.
A DNAT rule should specify the inbound interface (e.g. -i enp2s1) on which the connection arrives; generally this is the WAN/Internet-facing interface. And an SNAT or MASQUERADE rule should specify the outbound interface (e.g. -o enp2s1) on which traffic departs; again this is usually the WAN/Internet-facing interface.
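As an added illustration of the answer above (not code from the question or the answer), the script below prints the NAT rules scoped to an interface, and audits an iptables-save nat dump for DNAT rules lacking -i and MASQUERADE/SNAT rules lacking -o. The interface name enp2s1 is an assumption; the sample dump is the one from the question, reformatted.

```shell
#!/bin/sh
# Added example, not the original poster's or answerer's code.

# Print the corrected rule pair: DNAT bound to the inbound WAN interface and
# MASQUERADE bound to the outbound WAN interface.
# Usage: nat_rules WAN_IF PUBLIC_PORT TARGET_IP TARGET_PORT
nat_rules() {
    wan=$1; pub=$2; host=$3; port=$4
    printf '%s\n' \
        "iptables -t nat -A PREROUTING -i $wan -p tcp -m tcp --dport $pub -j DNAT --to-destination $host:$port" \
        "iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE"
}

# Read an iptables-save nat dump on stdin and print every DNAT rule with no
# inbound interface (-i) and every MASQUERADE/SNAT rule with no outbound
# interface (-o). Returns 0 when every NAT rule is scoped, 1 otherwise.
audit_nat_dump() {
    bad=0
    while IFS= read -r line; do
        case $line in
            *"-j DNAT"*)
                case $line in
                    *" -i "*) ;;
                    *) echo "unscoped DNAT (no -i): $line"; bad=1 ;;
                esac ;;
            *"-j MASQUERADE"*|*"-j SNAT"*)
                case $line in
                    *" -o "*) ;;
                    *) echo "unscoped SNAT/MASQUERADE (no -o): $line"; bad=1 ;;
                esac ;;
        esac
    done
    return $bad
}

# Constructed sample: the nat table posted in the question, one rule per line.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [8:468]
:INPUT ACCEPT [7:408]
:OUTPUT ACCEPT [2:134]
:POSTROUTING ACCEPT [0:0]
[0:0] -A PREROUTING -p tcp -m tcp --dport 53306 -j DNAT --to-destination 10.183.42.125:3306
[2:134] -A POSTROUTING -j MASQUERADE
COMMIT'

# Demo: both rules in the sample are reported, then the scoped replacements print.
printf '%s\n' "$SAMPLE_NAT" | audit_nat_dump || true
nat_rules enp2s1 55555 10.188.44.125 3306
```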
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.