
I have a router based on Linux (BusyBox). I can log in to the terminal by telnet. I want to forward a WAN port to ip_external:port.

for example:

my wan ip (on my router):77.30.109.251

my wan port (on my router):1188

my external remote ip (on my vps):92.222.75.159

my remote port (on my vps):1180

I am just trying to redirect 77.30.109.251:1188 to 92.222.75.159:1180 with iptables, and that is all.

I have tried these commands, but the port still appears as filtered when I test it on ipfingerprints.com/portscan.php (ip: 77.30.109.251, port: 1188):

iptables -t nat -A PREROUTING -i ppp111 -p tcp --dport 1188 -j DNAT --to 92.222.75.159:1180
iptables -t nat -A PREROUTING -p tcp --dport 1180 -j DNAT --to 92.222.75.159:1180
iptables -t nat -A POSTROUTING -p tcp -d 92.222.75.159 --dport 1180 -j MASQUERADE

1 Answer

To redirect all incoming TCP traffic from interface ppp111 with destination IP 77.30.109.251 and destination port 1188 to IP 92.222.75.159 and port 1180, it is enough to use this iptables rule:

iptables -t nat -A PREROUTING -i ppp111 -d 77.30.109.251 -p tcp --dport 1188 -j DNAT --to 92.222.75.159:1180

You also need to check whether there is a rule that accepts forwarding from ppp111 to the external interface, and whether forwarding is enabled in the kernel:

$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

1 means it is on. If you see = 0, you can enable it with sysctl -w net.ipv4.ip_forward=1.

If you want to masquerade traffic, use the -o option (output interface):

iptables -t nat -A POSTROUTING -p tcp -d 92.222.75.159 --dport 1180 -o $EXTERNAL_IFACE -j MASQUERADE

It's good practice to use the -i (input interface) option as well, to prevent masquerading from untrusted networks.

If you use this:

iptables -t nat -A PREROUTING -i ppp111 -p tcp --dport 1188 -j DNAT --to 92.222.75.159:1180

then you redirect all TCP traffic arriving on interface ppp111 with destination port 1188 to 92.222.75.159:1180. You don't check the destination IP address, so traffic for 8.8.8.8:1188 will also be redirected by this rule.

So, be careful and accurate when writing firewall rules!

AlexZ
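An added example, not part of AlexZ's answer or of the asker's router configuration: a small POSIX sh/awk audit that reads iptables-save output and flags PREROUTING DNAT rules that lack the -d (destination IP) and --dport matches the answer recommends, which is exactly the over-broad pattern the answer warns about. The sample rules below are constructed from the ones discussed in the thread; the function names are assumptions of this example.

```shell
#!/bin/sh
# Audit the nat table of an `iptables-save` dump for over-broad DNAT rules.
# Added example (not from the original post). Reads plain text on stdin.

# Constructed sample modelled on the rules discussed in the thread:
# the answer's narrow rule, the asker's rule without -d, and the router's
# web-UI DMZ rule that redirects everything except ICMP.
SAMPLE_SAVE='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i ppp111 -d 77.30.109.251 -p tcp -m tcp --dport 1188 -j DNAT --to-destination 92.222.75.159:1180
-A PREROUTING -i ppp111 -p tcp -m tcp --dport 1188 -j DNAT --to-destination 92.222.75.159:1180
-A PREROUTING -i ppp111 ! -p icmp -j DNAT --to-destination 192.168.1.254
-A POSTROUTING -o ppp111 -j MASQUERADE
COMMIT'

# Print one line per PREROUTING DNAT rule that has no -d match on the
# router's own address or no --dport match, prefixed with the reason(s).
audit_dnat() {
    awk '
        /^-A PREROUTING / && /-j DNAT/ {
            reason = ""
            if ($0 !~ / -d /)     reason = reason "no-dest-ip "
            if ($0 !~ /--dport /) reason = reason "no-dport "
            if (reason != "")     print reason ": " $0
        }'
}

# Number of flagged rules; non-zero means the nat table needs a look.
audit_dnat_count() {
    audit_dnat | grep -c .
}

# Run the audit on the constructed sample (a real router would use
# `iptables-save | audit_dnat`); two of the three DNAT rules are flagged.
printf '%s\n' "$SAMPLE_SAVE" | audit_dnat
```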
  • Thank you for your help, but the port still appears filtered when I test it on this site http://www.ipfingerprints.com/portscan.php. This is the output of the command (iptables-save > /tmp/iptables.txt): http://pastebin.com/EuHZmGAU – user3772028 Jan 30 '17 at 22:52
  • Show "iptables-save" and "ip route" output – AlexZ Jan 30 '17 at 23:03
  • http://pastebin.com/EuHZmGAU – user3772028 Jan 30 '17 at 23:04
  • Wow! What router is it? I see a rule that redirects all ppp111 traffic except icmp: PREROUTING_DMZ -i ppp111 ! -p icmp -j DNAT --to-destination 192.168.1.254 – AlexZ Jan 30 '17 at 23:16
  • My router is an Alcatel_Lucent I-240W-A. 192.168.1.254 I have added via the web interface. It allows me to redirect to LAN IPs and ports but doesn't allow me an external IP. Every external IP/port redirect is filtered – user3772028 Jan 30 '17 at 23:26
  • An easy way to check if it works is to add the rules at the first positions: use "iptables -t nat -I PREROUTING 1" instead of "-A". But if there is a front end / web UI, it could rewrite the rules, so you won't see the result at all. Did you try to add the rules you need via the web interface? – AlexZ Jan 30 '17 at 23:29
  • I can log in by telnet to my router – user3772028 Jan 30 '17 at 23:33
  • Do you mean I just need to add this line via the terminal? "iptables -t nat -I PREROUTING 1 -i ppp111 -p tcp --dport 1188 -j DNAT --to 92.222.75.159:1180" – user3772028 Jan 30 '17 at 23:38
  • Yes, it will set this rule at the first position inside the PREROUTING chain. The better way is to use the web interface, because it will store rules added by web, but not by shell. It may lead to conflicts if you use the shell. – AlexZ Jan 30 '17 at 23:45
  • I have stopped PREROUTING_DMZ 192.168.1.254 from my web interface. Then I did "iptables -t nat -I PREROUTING 1 -i ppp111 -p tcp --dport 1190 -j DNAT --to 192.168.1.254:80" and port 1190 is opened http://2.88.87.93:1190/, but when I do "iptables -t nat -I PREROUTING 1 -i ppp111 -p tcp --dport 1188 -j DNAT --to 92.222.75.159:1180" port 1188 is filtered http://2.88.87.93:1188/. My new (iptables-save > /tmp/iptables.txt): http://pastebin.com/KAuuwpJt – user3772028 Jan 31 '17 at 00:52
  • Can you help me to achieve that, please? – user3772028 Jan 31 '17 at 14:47
  • OK, I didn't find any solution for that problem. AlexZ's answer is very helpful for me, but I think there is something in my router that prevents external redirection. Thank you AlexZ – user3772028 Jan 31 '17 at 20:52