# NAT server via iptables + port forward via proxy

## orion777

Good day!

I need to route a single port (say 2222) over a proxy (I will try rinetd; if not, then shadowsocks or haproxy). All other traffic should be routed over a typical NAT server.

The server setup is as follows:

WAN side: eth1 192.168.8.11

LAN side: br0 192.168.10.1 (br0 has been made to be able to start wlan0 in access point mode using hostapd)

The NAT server does not require any super security, so I was trying to make a simple NAT via netfilter/iptables:

```
pi64 /etc # iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

pi64 /etc # iptables -A FORWARD -i br0 -o eth1 -s 192.168.10.0/24 -j ACCEPT
pi64 /etc # iptables -A FORWARD -i eth1 -o br0 -d 192.168.10.0/24 -j ACCEPT
pi64 /etc # iptables -A POSTROUTING -s 192.168.10.0/24 -o eth1 -j SNAT --to-source 192.168.8.11
iptables: No chain/target/match by that name.
```

Since I feel like a zero at iptables, I can't deal with this error and am asking for help.

Further, port 2222 should be redirected by proxy, and NOT by the NAT, but I'm unsure how to exclude port 2222 from the NAT and forward it to the local proxy.

Thank you.

----------

## Hu

POSTROUTING is in the nat table, not the filter table.  You did not specify -t table, so the default is filter.  Add -t nat to your iptables command.

If that still does not work, you might be missing support for the SNAT target.  It is governed by the Kconfig symbol NETFILTER_XT_NAT.

For user-space interception, you want the REDIRECT target.  That requires the Kconfig symbol NETFILTER_XT_TARGET_REDIRECT.

----------

## orion777

Okay, so

```
pi64 ~ # iptables -A FORWARD -i br0 -o eth1 -s 192.168.10.0/24 -j ACCEPT
pi64 ~ # iptables -A FORWARD -i eth1 -o br0 -d 192.168.10.0/24 -j ACCEPT
pi64 ~ # iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o eth1 -j SNAT --to-source 192.168.8.11
pi64 ~ # iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  192.168.10.0/24      0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            192.168.10.0/24

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
pi64 ~ #
```

In /usr/src/linux/.config I have:

```
NETFILTER_XT_NAT=m
NETFILTER_XT_TARGET_REDIRECT=m
```

After this I'm still unable to access the internet from the Windows machine, which is connected to br0, but I am able to ping both eth1 192.168.8.11 (WAN side) and br0 192.168.10.1 (LAN side) from the Windows machine.

```
c:\>ipconfig

Windows IP Configuration

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::99e2:3d5:70d1:bcae%4
   IPv4 Address. . . . . . . . . . . : 192.168.10.93
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.10.1

c:\>ping 8.8.8.8

Pinging 8.8.8.8 with 32 bytes of data:
Request timed out.
Request timed out.

Ping statistics for 8.8.8.8:
    Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),
Control-C
^C

c:\>ping 192.168.10.1

Pinging 192.168.10.1 with 32 bytes of data:
Reply from 192.168.10.1: bytes=32 time=4ms TTL=64
Reply from 192.168.10.1: bytes=32 time=4ms TTL=64

Ping statistics for 192.168.10.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 4ms, Maximum = 4ms, Average = 4ms
Control-C
^C

c:\>ping 192.168.8.11

Pinging 192.168.8.11 with 32 bytes of data:
Reply from 192.168.8.11: bytes=32 time=4ms TTL=64
Reply from 192.168.8.11: bytes=32 time=5ms TTL=64
Reply from 192.168.8.11: bytes=32 time=4ms TTL=64

Ping statistics for 192.168.8.11:
    Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 4ms, Maximum = 5ms, Average = 4ms
Control-C
^C

c:\>
```

----------

## Hu

Have you enabled IPv4 forwarding?  If that is not enabled, the contents of the FORWARD chain are irrelevant.

`cat /proc/sys/net/ipv4/ip_forward` should show 1.

----------

## bunder

I believe you're missing the masquerade rule for outgoing traffic.

----------

## orion777

*Hu wrote:*

> Have you enabled IPv4 forwarding?  If that is not enabled, the contents of the FORWARD chain are irrelevant.
>
> cat /proc/sys/net/ipv4/ip_forward should show 1.

I have to enable it like this?

```
# nano /etc/sysctl.conf

Add/Uncomment the following lines:

net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
```

*bunder wrote:*

> I believe you're missing the masquerade rule for outgoing traffic.

Like this?

```
# iptables -A FORWARD -i br0 -o eth1 -s 192.168.10.0/24 -j ACCEPT
# iptables -A FORWARD -i eth1 -o br0 -d 192.168.10.0/24 -j ACCEPT
# iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o eth1 -j SNAT --to-source 192.168.8.11
# iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
```

However, this tutorial https://www.howtoforge.com/nat_iptables requires only two steps:

```
iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
iptables --append FORWARD --in-interface br0 -j ACCEPT

#enabling IPv4 forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
service iptables restart
```

but the first two lines as in my config do not exist there.

----------

## Anon-E-moose

*orion777 wrote:*

> *Hu wrote:* Have you enabled IPv4 forwarding?  If that is not enabled, the contents of the FORWARD chain are irrelevant.
>
> cat /proc/sys/net/ipv4/ip_forward should show 1.
>
> I have to enable it like this?
> ...

That works on reboot, but on the fly you could do `echo 1 > /proc/sys/net/ipv4/ip_forward` to achieve the same thing (be root to do the echo), etc.

----------

## Hu

*bunder wrote:*

> I believe you're missing the masquerade rule for outgoing traffic.

From:

```
   MASQUERADE
       This target is only valid in the nat table, in the  POSTROUTING  chain.
       It  should  only  be used with dynamically assigned IP (dialup) connec‐
       tions: if you have a static IP address, you should use the SNAT target.
```

In this case, his use of SNAT looks correct, and serves as a substitute for using MASQUERADE.

----------

## orion777

```
pi64 ~ # cat /proc/sys/net/ipv4/ip_forward
0
pi64 ~ # echo 1 > /proc/sys/net/ipv4/ip_forward
pi64 ~ # cat /proc/sys/net/ipv4/ip_forward
1
pi64 ~ # iptables -A FORWARD -i br0 -o eth1 -s 192.168.10.0/24 -j ACCEPT
pi64 ~ # iptables -A FORWARD -i eth1 -o br0 -d 192.168.10.0/24 -j ACCEPT
pi64 ~ # iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o eth1 -j SNAT --to-source 192.168.8.11
```

And now I post this message from the Windows XP machine, connected over the Raspberry with Gentoo!!! Thanks a lot!!!!

Finally, I have to do iptables-save and in /etc/sysctl.conf add/uncomment the following lines: net.ipv4.ip_forward = 1 and net.ipv4.conf.default.rp_filter = 1, okay!

But one more question: if I run some kind of proxy on the server (for example rinetd) and set it to listen on port, say, 2222, will it be able to listen, or will netfilter route port 2222 to the WAN? I'm asking here because I forgot my laptop for testing.

----------

## Hu

Netfilter does not prevent local processes from listening.  With the right configuration, it can make their listening socket irrelevant by directing traffic away from the listener.  Earlier in the thread, you discussed redirecting traffic and I recommended the REDIRECT target.  You have never shown rules that use it.  Without a REDIRECT target, the system will not intercept traffic crossing it.  Every packet attempting to traverse the system will be either forwarded or dropped, depending on your netfilter configuration, but none will be redirected to the local system.

----------
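As an added example that is not from any poster in this thread: the ruleset the thread converges on (FORWARD plus SNAT on eth1), together with the nat-table PREROUTING REDIRECT rule Hu describes for pulling LAN traffic to port 2222 out of the NAT path and into a local proxy. It assumes the proxy (rinetd or similar) listens on the router on PROXY_LISTEN (a hypothetical value), and it tightens the thread's second FORWARD rule so only reply traffic returns from the WAN.

```shell
#!/bin/sh
# Added example, not the thread's own commands.  Interfaces and addresses
# are the ones posted in the thread; PROXY_LISTEN is an assumption.
WAN_IF=eth1
WAN_IP=192.168.8.11
LAN_IF=br0
LAN_NET=192.168.10.0/24
INTERCEPT_PORT=2222   # the port to keep out of NAT (from the thread)
PROXY_LISTEN=2222     # where the local proxy listens (assumed; adjust for rinetd)

# Print the rules rather than running them, so they can be reviewed first.
nat_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport $INTERCEPT_PORT -j REDIRECT --to-ports $PROXY_LISTEN
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $PROXY_LISTEN -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $LAN_NET -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -j DROP
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $WAN_IP
EOF
}

# Check a practitioner would make before applying: the REDIRECT has to sit
# in the nat table's PREROUTING chain, which is evaluated before the routing
# decision, or the packet is routed (and SNATed) out eth1 instead of being
# handed to the local listener.  Returns 0 when the generated rules do that.
rules_redirect_before_routing() {
    nat_rules | grep -q -- '-t nat -A PREROUTING .* -j REDIRECT'
}

if [ "${APPLY:-0}" = 1 ]; then
    nat_rules | sh -e     # APPLY=1 as root applies the rules for real
else
    nat_rules
fi
```

With the REDIRECT in place the proxy still binds port 2222 normally; netfilter only decides whether packets reach that socket or are forwarded, which is the point Hu makes above.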

