I am trying to set up port forwarding with iptables.
I've read several things (including here on serverfault) but every example I try fails.
I have a Debian GNU/Linux box with a globally routed IP address, say 1.2.3.4. I also have an internal network 192.168.15.0/24, which has one host (192.168.15.2) in it.
I simply want port 2200 on 1.2.3.4 forwarded to 192.168.15.2:22, so this is what I've done:
iptables -A PREROUTING -t nat -p tcp --dport 2200 -j DNAT --to 192.168.15.2:22
iptables -A INPUT -p tcp -m state --state NEW --dport 2200 -j ACCEPT
However, this does not work. If I try to ssh to 1.2.3.4:2200, I get "Connection refused".
I've been trying for over 3 hrs now and I feel like I've tried everything; there must be something wrong.
IP forwarding is on:
[email protected]:~# cat /proc/sys/net/ipv4/ip_forward
1
A couple of things.
First, since the destination NAT is performed in PREROUTING, you need to make sure you build any of your rules on the filter table using the address after the address translation has been performed. PREROUTING is processed before the filter table. So your rule that permits 2200 isn't doing anything useful, since it doesn't have a destination port of 2200 by the time it hits the filter table; instead it has been translated to port 22 by your NAT rule.
The other part I am less certain about, since you haven't given a good description of your network. Unless I am misunderstanding your network setup, I believe 192.168.15.2 is not an address on the firewall. I bring this up since you are trying to add a rule to the INPUT chain. The INPUT chain is used for packets being sent to the firewall system itself, and doesn't get visited when the packets are being routed between interfaces from one network to another. I suspect that you should be adding a rule to the FORWARD chain instead.
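The rule set this answer describes, as an added example that is not part of the question or the answer: DNAT in PREROUTING, then a FORWARD rule (not INPUT) that matches the post-translation destination 192.168.15.2:22. It assumes 192.168.15.2 routes its replies back through this box, and it prints the rules by default (set IPT=iptables to actually apply them).

```shell
#!/bin/sh
# Added example: forward 1.2.3.4:2200 to 192.168.15.2:22.
# IPT defaults to echo (dry run); run with IPT=iptables to apply the rules.
IPT="${IPT:-echo}"

# Build the forwarding rules for one TCP port.
#   $1 public IP   $2 public port   $3 internal IP   $4 internal port
forward_port() {
    pub_ip=$1; pub_port=$2; dst_ip=$3; dst_port=$4

    # 1. DNAT happens in the nat table's PREROUTING chain, before routing,
    #    so every later chain sees the packet addressed to $dst_ip:$dst_port.
    $IPT -t nat -A PREROUTING -p tcp -d "$pub_ip" --dport "$pub_port" \
        -j DNAT --to-destination "$dst_ip:$dst_port"

    # 2. The translated packet is routed on to another host, so it traverses
    #    the filter table's FORWARD chain, never INPUT. Match the post-NAT
    #    destination (port 22), not the pre-NAT port 2200.
    $IPT -A FORWARD -p tcp -d "$dst_ip" --dport "$dst_port" \
        -m state --state NEW -j ACCEPT

    # 3. Let the SSH server's replies (and related packets) back through.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Returns 0 when the kernel reports IP forwarding enabled, 1 otherwise.
ip_forward_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Refuse to apply rules on a box that will not route the traffic anyway.
if [ "$IPT" != echo ]; then
    ip_forward_enabled || { echo "net.ipv4.ip_forward is not 1" >&2; exit 1; }
fi

forward_port 1.2.3.4 2200 192.168.15.2 22
```

If 192.168.15.2 does not use this box as its default gateway, its replies never come back through the firewall and a POSTROUTING SNAT/MASQUERADE rule would be needed as well; that is outside what the answer above covers.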