
I want to forward traffic with iptables without showing a different IP/port to the sending host.

My application listens on host x.x.15.42, port 23555 using TCP. The client will be connecting to x.x.15.42:5555. I want the connection to be forwarded to port 23555 without exposing that port to the client.

I already tried using DNAT:

iptables -t nat -A PREROUTING -p tcp --dport 5555 -j DNAT --to-destination x.x.15.42:23555

But to the client it will show that they're connecting to port 23555.

I also tried using REDIRECT, but for some reason that doesn't work at all. The client can't connect.

iptables -t nat -A PREROUTING -p tcp --dport 5555 -d x.x.15.42 -j REDIRECT --to-port 23555

How do I forward this traffic while making it look like the application is listening on port 5555?

mrmc

2 Answers


So the first firewall rule I used works:

iptables -t nat -A PREROUTING -p tcp --dport 5555 -j DNAT --to-destination x.x.15.42:23555

The only problem was indeed that the server was telling the client to connect to port 23555 instead of port 5555 like I wanted. Changing that on the server part fixes the issue.

mrmc

I'm only a dabbler in iptables, so could you try this:

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 5555 -j DNAT --to x.x.15.42:23555
iptables -A FORWARD -p tcp -d x.x.15.42 --dport 23555 -j ACCEPT

Both lines are needed (I think it's the lack of the FORWARD option that's causing this), although I'm not sure whether the interface option -i eth0 is necessary.

Source reference

Smock
Comment: I tried this. On the first connection it shows port 5555, but after that it will change to port 23555. I believe this might be caused by the application sending the real port to the client during the communication. I'm going to try this with a different application like httpd to see if the firewall NAT rules correctly apply on it. – mrmc Aug 23 '20 at 10:48
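As an added example that is not part of the question or either answer: a POSIX shell script that generates (and, with APPLY=1, runs as root) the rule set this thread converges on, plus the checks that were missing from it. Assumptions: the service runs on the same host as the rules, so INPUT rather than FORWARD is the filter chain that sees the DNATed packets; iptables has the conntrack match with --ctorigdstport; and the placeholder x.x.15.42 is replaced by the real address before applying. The part the question does not cover: DNAT only rewrites packets that arrive on 5555 and does nothing to stop a client connecting to 23555 directly, so the real port stays reachable unless INPUT drops it.

```shell
#!/bin/sh
# Added example; not from the question or either answer. Publishes a service
# listening on ADDR:REAL_PORT as ADDR:PUB_PORT on the same host, using the
# DNAT rule from the question, and adds the filter rules DNAT alone does not
# give you. Assumed: iptables with the conntrack match (--ctorigdstport) and
# the service on this host (INPUT, not FORWARD, filters the DNATed packets).
# Dry run by default: APPLY=1 executes the printed commands (requires root).

# Print one complete iptables invocation per line.
nat_rules() {
    addr="$1" pub="$2" real="$3"
    # Remote clients: rewrite the destination port before the routing
    # decision. The client's TCP connection still shows 5555 on its side;
    # only the application layer can leak the real port (as the answer found).
    echo "iptables -t nat -A PREROUTING -p tcp -d $addr --dport $pub -j DNAT --to-destination $addr:$real"
    # Connections originating on this host never traverse PREROUTING;
    # the OUTPUT nat chain covers them.
    echo "iptables -t nat -A OUTPUT -p tcp -d $addr --dport $pub -j DNAT --to-destination $addr:$real"
    # After DNAT the filter table sees dport $real, so INPUT must accept it.
    # Accept only flows whose ORIGINAL destination port was $pub (the DNATed
    # ones) ...
    echo "iptables -A INPUT -p tcp -d $addr --dport $real -m conntrack --ctorigdstport $pub -j ACCEPT"
    # ... and drop direct connections to the real port; DNAT by itself hides
    # nothing, a client can still connect straight to $real.
    echo "iptables -A INPUT -p tcp -d $addr --dport $real -j DROP"
}

# Commands that confirm the rules are actually hit: packet counters on the
# nat rule and on the INPUT accept, and conntrack entries for the public port
# (their reply tuple shows the translated port).
verify_cmds() {
    echo "iptables -t nat -L PREROUTING -n -v --line-numbers"
    echo "iptables -L INPUT -n -v --line-numbers"
    echo "conntrack -L -p tcp --dport $1"
}

# Usage: sh publish_port.sh [ADDR PUB_PORT REAL_PORT]
#        APPLY=1 sh publish_port.sh 192.0.2.10 5555 23555   (as root)
main() {
    addr="${1:-x.x.15.42}" pub="${2:-5555}" real="${3:-23555}"
    if [ "${APPLY:-0}" = "1" ]; then
        nat_rules "$addr" "$pub" "$real" | sh -e
    else
        nat_rules "$addr" "$pub" "$real"
        echo "# verification:"
        verify_cmds "$pub"
    fi
}
main "$@"
```

What iptables cannot fix is the behaviour seen in the accepted answer and the comment above: if the protocol itself tells the client which port to use (the server announcing 23555 inside the session), the client learns the real port regardless of the NAT rules, and the fix is to configure the application to advertise 5555. The counters from the verification commands tell you which of the two is happening: a DNAT rule with a rising packet count and a client that still switches to 23555 points at the application, not the firewall.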