Difference between revisions of "Forward (redirect/nat) traffic with iptables"
Line 18: | Line 18: | ||
</pre> | </pre> | ||
Example for single port: | Example for single port: | ||
− | iptables -A FORWARD -d 2.2.2.2 -i eth0 -p tcp -m tcp --dport 3389 -j ACCEPT #forward tcp port range | + | #iptables -A FORWARD -d 2.2.2.2 -i eth0 -p tcp -m tcp --dport 3389 -j ACCEPT #forward tcp port range |
Save and restart | Save and restart |
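Review bot: the revised line now starts with `#`, which turns the single-port example into a shell comment, so pasting it adds no rule at all; the trailing comment `#forward tcp port range` also no longer describes a single-port (3389) rule. Suggest dropping the leading `#` and changing the comment to `#forward single tcp port`, and noting that a single-port forward still needs the matching `-t nat -A PREROUTING ... --dport 3389 -j DNAT --to-destination 2.2.2.2` line, exactly as the range example pairs each FORWARD rule with a PREROUTING DNAT rule.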
Revision as of 21:52, 12 June 2013
If you want to redirect all traffic destined for IP 1.1.1.1 to IP 2.2.2.2, this can easily be done with iptables.
You can also redirect traffic for a specific port by specifying a single port instead of a range.
First of all, enable IP forwarding in /etc/sysctl.conf on the 1.1.1.1 host:
<pre>
net.ipv4.ip_forward=1
</pre>
Execute the following for the change to take effect:
<pre>
sysctl -p
</pre>
Add the iptables rules:
<pre>
iptables -A FORWARD -d 2.2.2.2 -i eth0 -p tcp -m tcp --dport 1000:65500 -j ACCEPT #forward tcp port range
iptables -A FORWARD -d 2.2.2.2 -i eth0 -p udp -m udp --dport 1000:65500 -j ACCEPT #forward udp port range
iptables -t nat -A PREROUTING -d 1.1.1.1 -p tcp -m tcp --dport 1000:65500 -j DNAT --to-destination 2.2.2.2 #tcp port range
iptables -t nat -A PREROUTING -d 1.1.1.1 -p udp -m udp --dport 1000:65500 -j DNAT --to-destination 2.2.2.2 #udp port range
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
</pre>
Example for a single port:
<pre>
#iptables -A FORWARD -d 2.2.2.2 -i eth0 -p tcp -m tcp --dport 3389 -j ACCEPT #forward single tcp port
</pre>
Save and restart:
<pre>
iptables-save >/etc/sysconfig/iptables
service iptables restart
</pre>
Here is an example of a working iptables configuration:
<pre>
# Generated by iptables-save v1.4.7 on Tue Apr 9 14:27:04 2013
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -d 2.2.2.2 -i eth0 -p tcp -m tcp --dport 23:65500 -j ACCEPT
-A FORWARD -d 2.2.2.2 -i eth0 -p udp -m udp --dport 23:65500 -j ACCEPT
COMMIT
# Completed on Tue Apr 9 14:27:04 2013
# Generated by iptables-save v1.4.7 on Tue Apr 9 14:27:04 2013
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 1.1.1.1 -p tcp -m tcp --dport 23:65500 -j DNAT --to-destination 2.2.2.2
-A PREROUTING -d 1.1.1.1 -p udp -m udp --dport 23:65500 -j DNAT --to-destination 2.2.2.2
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Apr 9 14:27:04 2013
</pre>
Warning: Make sure your SSH port is outside the range 23:65500, otherwise the DNAT rule will also forward SSH and you will lose SSH access to 1.1.1.1.
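The following script is an added example, not part of the original wiki page: it generates the FORWARD, PREROUTING DNAT and POSTROUTING MASQUERADE rules above from variables and refuses to emit them when the forwarded port range would swallow the management SSH port, which is the lock-out the warning describes. The addresses, interface, range and SSH port passed at the bottom are placeholder values chosen for the example.

```shell
#!/bin/bash
# Added example (not the wiki page's own code): build the DNAT/FORWARD rule
# set from variables and check the SSH port against the forwarded range first.
# All values passed to gen_rules below are placeholders for this example.

# port_in_range PORT RANGE -> status 0 if PORT lies inside RANGE ("lo:hi" or "n")
port_in_range() {
    local port=$1 range=$2 lo hi
    lo=${range%%:*}
    hi=${range##*:}
    [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]
}

# gen_rules PUBLIC_IP TARGET_IP WAN_IF PORT_RANGE SSH_PORT
# Prints the iptables commands for tcp and udp, or prints nothing and
# returns 1 when SSH_PORT falls inside PORT_RANGE (the lock-out case).
gen_rules() {
    local pub=$1 tgt=$2 ifc=$3 range=$4 ssh=$5 proto
    if port_in_range "$ssh" "$range"; then
        echo "refusing: ssh port $ssh lies inside forwarded range $range" >&2
        return 1
    fi
    for proto in tcp udp; do
        # allow the forwarded flow through the filter table ...
        echo "iptables -A FORWARD -d $tgt -i $ifc -p $proto -m $proto --dport $range -j ACCEPT"
        # ... and rewrite the destination before routing
        echo "iptables -t nat -A PREROUTING -d $pub -p $proto -m $proto --dport $range -j DNAT --to-destination $tgt"
    done
    # source-NAT the forwarded packets so replies come back through this host
    echo "iptables -t nat -A POSTROUTING -o $ifc -j MASQUERADE"
}

# Dry run: print the rules instead of applying them (pipe into sh to apply).
gen_rules 1.1.1.1 2.2.2.2 eth0 1000:65500 22
```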