I have a few port forward rules like this
```
iptables -t nat -A PREROUTING -p tcp --dport 46000 -j DNAT --to-destination 172.16.8.2:46000
iptables -A FORWARD -p tcp -d 172.16.8.2 --dport 46000 -j ACCEPT
```
I wonder if there is a way to add new forward rules in one line instead of two so I don't have to enter the same data twice. I mean rules like this:
- In nat PREROUTING forward packet to destination and mark it
- In filter FORWARD allow all packets that were marked using rule 1
Is it possible?
It is not possible to get this done with only one command per DNAT – unless... see below. But it is possible to enter the data just once.
Let's define the mark range 1024–2047 for connections which get DNATted and forwarded.
One line with each DNAT match condition in mangle:
One command for each in nat:
One command for all in filter:
BTW: There is no need to give the destination port for `-j DNAT` if it is not changed.

Edit 1:
You can do that if you do without allowing the connections explicitly, if you are fine with allowing everything that has been DNATted. In that case you would stick to your
but have only one FORWARD rule for all:
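An added example, not the answer's own commands, that wires up both approaches described in this answer: a mark range 1024-2047 set in mangle PREROUTING and matched by a single FORWARD rule, and the Edit 1 variant of one FORWARD rule for everything in conntrack state DNAT. The `add_forward` function name, the `IPT` dry-run variable and the mark mask `0xfffffc00` are this example's own choices; the mask is the bit pattern that selects exactly the marks 1024-2047.

```shell
#!/bin/sh
# Example script (not from the answer). IPT defaults to a dry run that
# prints the commands; run as root with IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"
MARK_BASE=1024          # answer's mark range: 1024-2047
MARK_MASK=0xfffffc00    # marks whose upper bits equal 0x400 lie in that range

# Returns 0 if MARK falls inside the range 1024-2047 as the mask sees it.
mark_in_range() {
    [ $(( ($1 & MARK_MASK) == 0x400 )) -eq 1 ]
}

# One-time filter rule: accept every forwarded packet marked in the range.
setup_forward_accept() {
    $IPT -A FORWARD -m mark --mark 0x400/$MARK_MASK -j ACCEPT
}

# Edit 1 variant: no marks at all, just accept everything that was DNATted.
setup_forward_accept_dnat_state() {
    $IPT -A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
}

# add_forward PROTO PORT DEST INDEX
# Enter the match data once: mark the packets in mangle and DNAT them in nat.
# INDEX (0-1023) picks the mark inside the range; the destination port is
# omitted from --to-destination because it is unchanged.
add_forward() {
    proto=$1; port=$2; dest=$3; idx=$4
    if [ "$idx" -lt 0 ] || [ "$idx" -gt 1023 ]; then
        echo "index $idx outside mark range 0-1023" >&2
        return 1
    fi
    mark=$((MARK_BASE + idx))
    $IPT -t mangle -A PREROUTING -p "$proto" --dport "$port" -j MARK --set-mark "$mark"
    $IPT -t nat -A PREROUTING -p "$proto" --dport "$port" -j DNAT --to-destination "$dest"
}

# Demo with the question's values (constructed for this example).
setup_forward_accept
add_forward tcp 46000 172.16.8.2 0
```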