I did port forwarding following this tutorial: http://www.debuntu.org/how-to-redirecting-network-traffic-to-a-new-ip-using-iptables/
iptables -t nat -A PREROUTING -p tcp --dport 1111 -j DNAT --to-destination 2.2.2.2:1111
iptables -t nat -A POSTROUTING -j MASQUERADE
But I want to MASQUERADE only the ports that have forwardings, because on the same server I have a web server, and if I MASQUERADE all the traffic the web server stops working.
Any idea?
SOLUTION:
iptables -t nat -A POSTROUTING -d 2.2.2.2 -p tcp --dport 1111 -j SNAT --to-source 2.2.2.1
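An added example, not code from the question or any of the comments, that writes out the narrowed rule set from the solution above and audits an iptables-save dump for a POSTROUTING MASQUERADE/SNAT rule with no narrowing match, which is what the blanket rule in the question was. The addresses and port are the question's; 2.2.2.1 is assumed to be the forwarding box's own address, as the SNAT rule implies, and the two dumps are constructed.

```shell
#!/bin/sh
# Added example, not code from the question or its comments.
# Addresses and port are those from the question; 2.2.2.1 is assumed to be the
# forwarding box's own address, as implied by the accepted SNAT rule.
FWD_PORT=1111
BACKEND=2.2.2.2
OWN_IP=2.2.2.1
# The narrowed rule set: DNAT on the way in, SNAT on the way out, both keyed on
# the backend address and port, so the local web server's traffic is never rewritten.
print_nat_rules() {
    echo "iptables -t nat -A PREROUTING -p tcp --dport $FWD_PORT -j DNAT --to-destination $BACKEND:$FWD_PORT"
    echo "iptables -t nat -A POSTROUTING -d $BACKEND -p tcp --dport $FWD_PORT -j SNAT --to-source $OWN_IP"
}

# Audit: read iptables-save output on stdin and return 1 if any POSTROUTING rule
# with a MASQUERADE or SNAT target has no -d/-s/-o/--dport/--sport match at all,
# i.e. it would rewrite every outgoing packet (the problem in the question).
audit_postrouting() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            "-A POSTROUTING "*) ;;
            *) continue ;;
        esac
        case "$line" in
            *"-j MASQUERADE"*|*"-j SNAT"*) ;;
            *) continue ;;
        esac
        case "$line" in
            *" -d "*|*" -s "*|*" -o "*|*"--dport "*|*"--sport "*) ;;
            *) echo "blanket NAT rule: $line"; bad=1 ;;
        esac
    done
    return $bad
}

# Constructed iptables-save dumps of the original (blanket) and narrowed rule sets.
BLANKET='*nat
-A PREROUTING -p tcp -m tcp --dport 1111 -j DNAT --to-destination 2.2.2.2:1111
-A POSTROUTING -j MASQUERADE
COMMIT'
NARROW='*nat
-A PREROUTING -p tcp -m tcp --dport 1111 -j DNAT --to-destination 2.2.2.2:1111
-A POSTROUTING -d 2.2.2.2/32 -p tcp -m tcp --dport 1111 -j SNAT --to-source 2.2.2.1
COMMIT'

print_nat_rules
printf '%s\n' "$BLANKET" | audit_postrouting || echo "original rule set: needs narrowing"
printf '%s\n' "$NARROW" | audit_postrouting && echo "narrowed rule set: ok"
```

On a live box the same check is `iptables-save -t nat | audit_postrouting`; a rule narrowed by interface (`-o eth1`) or source network (`-s 192.168.5.0/24`), as suggested in the comments, also passes.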
Just apply the filter to match only outgoing packets from that port: iptables -t nat -A POSTROUTING - p tcp --sport 1111 -j MASQUERADE – Zalmy – 2015-12-10T13:16:53.210
Tried adding tighter match rules? For example, only masquerade when traffic leaves a specific interface: iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE, or even comes from a specific network: iptables -t nat -A POSTROUTING -s 192.168.5.0/24 -o eth1 -j MASQUERADE, and so on – Nikita Kipriyanov – 2015-12-10T13:16:57.630
@Zalmy it makes sense to me, but it's not working. BTW you have a typo:
iptables -t nat -A POSTROUTING -p tcp --sport 1111 -j MASQUERADE
(a space between - p). This was not the error, because I set it up like this:
2 MASQUERADE tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:40002
and it doesn't work, any idea?? Thanks – user2528085 – 2015-12-10T15:14:25.153
... er, hang on, you're trying to source NAT everything you've already DNAT'd? Why? The DNAT should already take care of the reply traffic; that part of iptables connection tracks, it has to or no NAT works. If the DNAT is a standard port forward to an internal subnet, and you just need to MASQ that internal subnet, that I would understand, and just filter for that. The blanket MASQ you have up there with no criteria would run MASQ in both directions, and it's no wonder everything screws up. – Radhil – 2015-12-11T02:29:55.287
OK, I've read the tutorial, and I've actually not seen NAT used this way. I suppose it could be, but it's not a redirection or a port forward so much as it's using the box as a middleman translator, and it's not a great solution because it convinces all clients that it runs the service and the server that it's the only client. Zalmy has the right idea, but the rule should be matching the new dport or destination IP, which you've already set in the DNAT. So try -t nat -A POSTROUTING -d 2.2.2.2 -p tcp --dport 1111 -j MASQUERADE. Will write up clearer as an answer if I understand correctly. – Radhil – 2015-12-11T02:57:02.433
SOLUTION:
iptables -t nat -A POSTROUTING -d 2.2.2.2 -p tcp --dport 1111 -j SNAT --to-source 2.2.2.1
– user2528085 – 2015-12-11T15:41:41.803
Why does your solution not have --sport? – Arnold Roa – 2017-03-27T01:45:03.123