# iptables port forwarding

## Aeros

Hi again,

Stupid question maybe, but can someone please help:

I want to forward all incoming connections on port 25 to an external server, on the same port. At the moment I use:

```
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 10.0.0.1 --dport 25 -j DNAT --to EXTERNALSERVER:25
```

EXTERNALSERVER is of course the IP of the external server. This, however, doesn't seem to work. Any idea what I'm doing wrong?

----------

## jballou

Try

```
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 10.0.0.1 --dport 25 -j DNAT --to-destination EXTERNALSERVER:25
```

Note the --to-destination

If that doesn't do it let me know, the rule will at least be valid then.

----------

## Aeros

Thanks  :Smile:  Doesn't work, however.

----------

## jballou

Is there anything before it that precludes its execution? Try tcpdump or -j LOG and see what the packet info is, maybe something doesn't jibe. It seems it should work. Or it could be UDP traffic (if I'm right in assuming this is SMTP that wouldn't make a difference anyways). This will allow any protocol on port 25, it'll be mapped to the same port on EXTERNALSERVER. If not let's see the rest of your rules.

```
# --dport is only accepted together with -p tcp or -p udp, so one rule per protocol
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 10.0.0.1 --dport 25 -j DNAT --to-destination EXTERNALSERVER
iptables -t nat -A PREROUTING -p udp -i eth0 -d 10.0.0.1 --dport 25 -j DNAT --to-destination EXTERNALSERVER
```

----------

## tutaepaki

The "-d 10.0.0.1" suggests that this is traffic on an internal network being redirected out to an Internet server?

If so, do you have a rule allowing port 25 to the external server in your FORWARD chain?

And also, a source NAT in your POSTROUTING chain so the external server can find its way back to you?

----------

## Aeros

Eish, no I don't. Sorry to ask, but can you tell me what these should look like?

----------

## tutaepaki

for the FORWARD

```
iptables -A FORWARD -i eth0 -p tcp --dport 25 -d EXTERNALSERVER -j ACCEPT
```

and for the source NAT (if you have a static external IP)

```
# eth? = your external interface; SNAT takes --to-source, not --to:
iptables -t nat -A POSTROUTING -o eth? -j SNAT --to-source EXTERNALIP
```

or if you've a dynamic external IP

```
# the target is spelled out in full as MASQUERADE
iptables -t nat -A POSTROUTING -o eth? -j MASQUERADE
```

If your internal hosts already have internet access, then you must already have the source nat rule in place.
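The three pieces discussed in this post (DNAT, the FORWARD rule, and the source NAT) only work together, and the return path through FORWARD is easy to forget. The function below is an added example, not code from anyone in this thread: it prints the complete rule set for the port 25 redirect as one reviewable unit instead of applying it, so it can be checked and then piped into sh on the router. Interface names, the 10.0.0.1 address and the server and public IPs passed in are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): generate the full rule set for
# redirecting inbound SMTP on a LAN address to an external mail server.
# Arguments are placeholders: LAN-side interface, Internet-side interface,
# the address clients connect to, the real SMTP server, and optionally the
# router's static public IP (omit it to use MASQUERADE for a dynamic IP).
smtp_forward_rules() {
    int_if=$1        # interface where the clients arrive (eth0 in the thread)
    ext_if=$2        # interface towards the Internet
    local_ip=$3      # address the clients connect to (10.0.0.1 in the thread)
    ext_server=$4    # real SMTP server the connection is handed to
    ext_ip=$5        # static public IP of this router; empty => MASQUERADE

    # 1. Rewrite the destination. DNAT takes --to-destination; --to: is not valid.
    echo "iptables -t nat -A PREROUTING -i $int_if -p tcp -d $local_ip --dport 25 -j DNAT --to-destination $ext_server:25"
    # 2. Let the rewritten packet out, and let the server's replies back in.
    #    Without the second rule the handshake never completes on a DROP policy.
    echo "iptables -A FORWARD -i $int_if -o $ext_if -p tcp -d $ext_server --dport 25 -j ACCEPT"
    echo "iptables -A FORWARD -i $ext_if -o $int_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # 3. Source NAT so the external server answers this router, not a private address.
    if [ -n "$ext_ip" ]; then
        echo "iptables -t nat -A POSTROUTING -o $ext_if -j SNAT --to-source $ext_ip"
    else
        echo "iptables -t nat -A POSTROUTING -o $ext_if -j MASQUERADE"
    fi
    # 4. PREROUTING DNAT does nothing unless the kernel is allowed to forward at all.
    echo "sysctl -w net.ipv4.ip_forward=1"
}

# Example call with constructed addresses; review the output, then pipe it to sh.
smtp_forward_rules eth0 ppp0 10.0.0.1 192.0.2.25 203.0.113.7
```

Keeping the rules in one generator makes it obvious which table each rule lands in (nat for PREROUTING/POSTROUTING, filter for FORWARD), and the printed output can be diffed against `iptables-save` after loading to confirm nothing was silently rejected.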

----------

## Aeros

Thanks  :Smile:  I got another question related to this though.. a tricky one, actually.

I have a dyndns updater client running on the Linux box. It successfully updates the DNS with my ADSL router's outside (Internet) IP. On the router, I do the following forwarding configuration:

Public Port Start: 22

Public Port End: 22

Private Port: 22

Forward To: 10.0.0.1 (Linux Box)

The IP of the router is 10.0.0.2. Now, I can connect from my office PC (which is 10.0.0.3) if I connect it directly to 10.0.0.1 on port 22, but I cannot connect if I connect to the DNS address on port 22. I even tried to connect to the router's Internet IP on port 22, but either it doesn't forward the port, or it does and Linux refuses the connection.

Is there any reliable way to find out where the glitch is?

----------

## tutaepaki

 :Smile: 

This is most probably one of the very common errors people come across with home networking...

What is happening, is that when you connect to port 22 on the external IP, the router will forward you back to the linux box. The linux box will receive a connection request from 10.0.0.3, which is the SAME network, so it'll send the response directly back to 10.0.0.3, and the source address will be the 10.0.0.1 address of the linux box. Now, that's NOT the address you tried to connect to, so your PC will drop the packet.

You've got a couple of options;

1. Have a second name for your linux box on the local network, (like linux-local) or use the IP address when connecting locally

2. Add some source NAT to the router if you can so that when the router forwards the connection on, it translates the source address to its own IP, that way the linux box will send responses to the router, which will "un-nat", and everything will be fine. A lot of SOHO ADSL routers don't seem to be able to do SNAT on the internal interface.
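Option 2 is what is usually called NAT loopback or hairpin NAT. The function below is an added example, not from this thread, showing the iptables rules a Linux box in the router's position would need for it; the Marconi device in the thread may not expose this at all. Interface name, LAN prefix and all addresses are constructed placeholders, and because the match is on the current public IP, the PREROUTING rule has to be reloaded whenever a dynamic IP changes.

```shell
#!/bin/sh
# Added example (not from the thread): hairpin-NAT rules for a Linux router so
# LAN clients can reach a forwarded port through the public address. Arguments
# are placeholders: LAN interface, LAN prefix, public IP, router's LAN address,
# the host the port is forwarded to, and the port.
hairpin_rules() {
    int_if=$1      # LAN-facing interface of the router
    lan_net=$2     # LAN prefix, e.g. 10.0.0.0/24
    pub_ip=$3      # the router's current public IP
    router_lan=$4  # router's own LAN address (10.0.0.2 in the thread)
    target=$5      # host the port is forwarded to (10.0.0.1 in the thread)
    port=$6

    # 1. A LAN client sending to the public IP: rewrite the destination so the
    #    packet reaches the target host instead of the router itself.
    echo "iptables -t nat -A PREROUTING -i $int_if -s $lan_net -d $pub_ip -p tcp --dport $port -j DNAT --to-destination $target:$port"
    # 2. Rewrite the source as well, so the target replies to the router (which
    #    undoes both translations) rather than straight to the client. A direct
    #    reply would come from $target, an address the client never contacted,
    #    and would be discarded as described above.
    echo "iptables -t nat -A POSTROUTING -o $int_if -s $lan_net -d $target -p tcp --dport $port -j SNAT --to-source $router_lan"
    # 3. The flow enters and leaves on the same interface; FORWARD must permit it.
    echo "iptables -A FORWARD -i $int_if -o $int_if -d $target -p tcp --dport $port -j ACCEPT"
}

# Example call with constructed values; the public IP would come from the
# dyndns updater or from the interface on a real deployment.
hairpin_rules eth1 10.0.0.0/24 203.0.113.7 10.0.0.2 10.0.0.1 22
```

The cost of rule 2 is that the target host's logs show every hairpinned connection as coming from the router's LAN address, which is why option 1 (use the local name or address from inside) is often the cleaner choice.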

----------

## Aeros

Well, how I see it, is that the Linux box has to send responses back to the Internet IP that sent the port 22 request in the first place. For instance, if I am at a remote location, with IP 165.146.123.456 and I open a port 22 connection to myhost.servehttp.com (dynamic dns pointing to my router's Internet IP), the connection is forwarded to the linux box. The source of this connection is still 165.146.123.456, correct? Which means the Linux box will send its replies back to that address, which it should. *ponders*.

By the way, even if Linux can't send the responses back - iptraf is surely supposed to show the incoming connection at least? Because it doesn't. Yet I can't imagine that I made a mistake with my router port forwarding.

----------

## tutaepaki

When you connect from your office PC on 10.0.0.3, that is the source IP the linux box will see, and so, will be the address it will respond to.

You did not mention whether you've tried to connect to the DNS or external IP from another external address, does that work?

----------

## Aeros

Oh, that's probably where we misunderstood each other.

I can connect from within the LAN just fine, it's when I connect from an external IP that it doesn't work. In other words, the route I'm following is:

External PC (at work) -> ADSL router (at home) -> Linux box (at home)

And somehow it's not completing that route.

----------

## tutaepaki

ah!   :Confused: 

Are you able to rule out something to do with your work connection? For example does it allow outbound ssh, (I know mine doesn't) or do you possibly have to go via a proxy of some sort to get out of your work LAN. There's a number of things you can try but what might work depends on what configuration you have at work. (Also, if it is a work configuration, are you willing to attempt to bypass what is probably a policy requirement? This can have serious consequences)

----------

## Aeros

Well we are behind a proxy at work, but I removed it and established a direct Internet connection to test, still didn't work.

Also tested from home, using my ADSL router's Internet IP, and it didn't reach the Linux box either. Now, the funny thing is...

iptraf doesn't show the connection coming into the Linux box at all... would it show it if Linux dropped it, or not? Because (and I'm probably wrong here), I reckon that iptraf would at least see the connection coming in before it gets dropped. Although I can't imagine why it would get dropped, all my iptables policies are set to accept from/to everywhere.

This might then point to my ADSL router, but I can't imagine why it wouldn't forward the port. Am I making a logic mistake in this configuration (on the DSL router):

Public port start: 22

Public port end: 22

Private port: 22

Forward to: 10.0.0.1 (Linux box)

Looks right? Hm, any other way that one can test?

(Btw, for interest's sake, I also set the router to forward incoming port 81 to the Linux's port 80, for the webserver. Same for FTP (port 21 and 22 for secure FTP), and none of those work either.)

Bleh  :Sad: 

----------

## tutaepaki

I've just looked at my iptraf logs, and all the connection attempts show up there, even if iptables is dropping them, so I think you're right in your suspicion that the connection is never getting to the linux box.

The logic of your forwarding in the router looks sound. Is there perhaps some firewalling in the router as well which needs to permit the connection? or at least, some log of what it might be dropping?

It's also a possibility that your ISP is dropping the connection, although, that it doesn't work from your internal network, out to the router and back makes that less likely. (assuming you've got inbound nat enabled on the router too, coz without that, you can't connect that way)

Another thing you could do is run something like tcptraceroute or hping on your work machine to trace the tcp connect and see how far it gets. (tcptraceroute is a version of traceroute that sends tcp packets rather than udp/icmp, hping does that, and a bunch more)
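The question underneath this exchange is whether the SYN ever reaches the Linux box, independent of what iptables does with it afterwards. The function below is an added example, not from anyone in the thread: it prints the commands for a LOG rule in the raw table (the first netfilter hook, so a hit proves arrival even if the packet is dropped later) alongside a tcpdump capture on the same interface, plus the cleanup. The interface name and port are placeholders passed in by the caller.

```shell
#!/bin/sh
# Added example (not from the thread): generate the commands that show whether
# a forwarded port's SYN packets arrive at the Linux box at all. Arguments are
# placeholders: the interface facing the router, and the port under test.
arrival_checks() {
    ext_if=$1   # interface on which the router's forwarded traffic arrives
    port=$2     # forwarded port under test (22 in the thread)
    prefix="fwd-check-$port: "   # LOG prefixes are limited to 29 characters

    # 1. raw/PREROUTING runs before nat and filter, so the log line appears even
    #    when a later rule or policy drops the packet. --syn limits it to new connections.
    echo "iptables -t raw -I PREROUTING 1 -i $ext_if -p tcp --dport $port --syn -j LOG --log-prefix '$prefix'"
    # 2. Watch the wire independently: tcpdump sees frames before netfilter does,
    #    so a packet visible here but absent from the log points at the rule set.
    echo "tcpdump -ni $ext_if 'tcp dst port $port and tcp[tcpflags] & tcp-syn != 0'"
    # 3. Read what the LOG target produced (kernel ring buffer, no log-file path assumed).
    echo "dmesg | grep -F '$prefix'"
    # 4. Remove the LOG rule afterwards so the kernel log does not fill up.
    echo "iptables -t raw -D PREROUTING -i $ext_if -p tcp --dport $port --syn -j LOG --log-prefix '$prefix'"
}

# Example call; run the printed commands on the Linux box while connecting from outside.
arrival_checks eth0 22
```

If neither tcpdump nor the LOG rule records anything while an outside client is connecting, the packet is being lost before the box, which in this thread means the ADSL router or the ISP; if tcpdump sees it but the log does not, the problem is local and the remaining iptables rules are the place to look.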

----------

## Aeros

Well the ADSL router is one of those Marconi Broadband routers.. it's quite useless when it comes to packet and fault logging.

Will play around with it, it's got a section "Virtual Server" (which I've always used for port forwarding, successfully), and a section "NAT". Maybe, just maybe, the solution might be there, although that'd be a mystery.

----------

