
I'm trying to redirect a single port to a local server via IPtables. Currently I have the following rules:

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 55555 -j DNAT --to-destination 10.188.44.125:3306
iptables -t nat -A POSTROUTING -j MASQUERADE

When I have these rules in place, my rsync process over ssh fails. I'm assuming something here is conflicting, but I'm not sure what. Any suggestions? Thanks!

Update: Here are the rules I have in place to allow the rsync over ssh connection. My input policy is set to drop. Other policies are set to accept.

iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -i lo -j ACCEPT

Update 2

Here are the results of iptables-save for the nat:

*nat
:PREROUTING ACCEPT [8:468]
:INPUT ACCEPT [7:408]
:OUTPUT ACCEPT [2:134]
:POSTROUTING ACCEPT [0:0]
[0:0] -A PREROUTING -p tcp -m tcp --dport 53306 -j DNAT --to-destination 10.183.42.125:3306
[2:134] -A POSTROUTING -j MASQUERADE
COMMIT
Aaron A
  • Check the full rule set (iptables-save -c) and the rule counters. The counter of the DNAT rule should be non-zero. Also check the rules in the FORWARD chain. Then check the conntrack table - you should have an entry for this translation, but only the first packet of a new connection is passed through the nat table. Then check the traffic with tcpdump/wireshark on both interfaces (external and internal). Next step - check the traffic on the target host with a sniffer. You can find the source of the issue at any of these steps. – Anton Danilov Jan 15 '16 at 22:18
  • I added those results above. I'm guessing there is something wrong there? The forward policy is set to accept, with no rules in there currently. – Aaron A Jan 16 '16 at 14:18
  • Possible duplicate of [How to do the port forwarding from one ip to another ip in same network?](http://serverfault.com/q/586486/214507) – kasperd Jan 16 '16 at 15:06

1 Answer


Your DNAT and MASQUERADE rules are missing an interface specification. Without these, they attempt to work on all traffic, in both directions, which is not what you want.

A DNAT rule should specify the inbound interface (e.g. -i enp2s1) on which the connection arrives; generally this is the WAN/Internet facing interface. And an SNAT or MASQUERADE rule should specify the outbound interface (e.g. -o enp2s1) on which traffic departs; again this is usually the WAN/Internet facing interface.

Michael Hampton
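As an added example (not part of the question or answer), the checks above can be run against the question's own `iptables-save -c` nat output: the script below parses a constructed sample modelled on Update 2 and reports DNAT/MASQUERADE rules that lack an `-i`/`-o` interface restriction, plus DNAT rules whose packet counter is still zero (the first thing the comment suggests checking). Interface names and counters in the sample are assumptions.

```python
import re

# Constructed sample modelled on the question's `iptables-save -c` nat table
# (counters and addresses are illustrative, not taken from a live host).
SAMPLE_NAT = """\
*nat
:PREROUTING ACCEPT [8:468]
:INPUT ACCEPT [7:408]
:OUTPUT ACCEPT [2:134]
:POSTROUTING ACCEPT [0:0]
[0:0] -A PREROUTING -p tcp -m tcp --dport 53306 -j DNAT --to-destination 10.183.42.125:3306
[2:134] -A POSTROUTING -j MASQUERADE
COMMIT
"""

# "[pkts:bytes] -A CHAIN rule-body" as printed by iptables-save -c
RULE_RE = re.compile(r"^\[(\d+):(\d+)\] -A (\S+) (.*)$")


def audit_nat_rules(save_output):
    """Return (chain, rule, problem) findings for the *nat table.

    Two checks: a DNAT rule with a zero packet counter has never matched,
    and DNAT/MASQUERADE/SNAT rules with no interface restriction (-i / -o)
    apply to traffic on every interface, in every direction.
    Only the short option forms are recognised, not --in-interface/--out-interface.
    """
    findings = []
    in_nat = False
    for line in save_output.splitlines():
        if line.startswith("*"):          # table header: *nat, *filter, ...
            in_nat = line == "*nat"
            continue
        m = RULE_RE.match(line) if in_nat else None
        if not m:
            continue                      # policy lines, COMMIT, other tables
        pkts, chain, body = int(m.group(1)), m.group(3), m.group(4)
        args = body.split()
        target = args[args.index("-j") + 1] if "-j" in args else None
        if target == "DNAT":
            if "-i" not in args:
                findings.append((chain, body, "DNAT without -i: applies to every inbound interface"))
            if pkts == 0:
                findings.append((chain, body, "DNAT counter is zero: no packet has matched it yet"))
        elif target in ("MASQUERADE", "SNAT") and "-o" not in args:
            findings.append((chain, body, f"{target} without -o: rewrites traffic leaving every interface"))
    return findings


if __name__ == "__main__":
    for chain, rule, problem in audit_nat_rules(SAMPLE_NAT):
        print(f"{chain}: {problem}\n    {rule}")
```

Feed it real output with `iptables-save -c | python3 audit.py` after swapping `SAMPLE_NAT` for `sys.stdin.read()`; an empty result means every NAT rule is interface-bound and the DNAT rule has seen traffic.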