I tried to set up iptables to forward a port (161) of a machine (box1) in subnet 10.10.255.* to port 162 on box2; this should be queried by box3, which is in a different subnet (a public one). This is a schematic:
     box1                  box2                  box3
[10.1.255.245] ---- (eth0)-(eth1) ---- [public_ip]
      |                    |--------- 161 -----|
      |-----------161---(iptables)---- 162 -----|
So basically I want to query snmp on box3 through port 162. On box2 I added these rules:
iptables -t nat -A PREROUTING -p udp -i eth1 --dport 162 -j DNAT --to-destination 10.1.255.245:161
iptables -A FORWARD -p udp -d 10.1.255.245 --dport 161 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
Sadly, box3 can't query SNMP. These are the iptables rules from box2:
# Generated by iptables-save v1.4.7 on Tue Mar 14 10:41:21 2017
*filter
:INPUT ACCEPT [60:9648]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [421336:836276554]
-A INPUT -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 372 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --sport 1024:65535 --dport 372 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 8649 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 3306 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 40000 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth1 -p tcp -m tcp --dport 0:1023 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth1 -p udp -m udp --dport 0:1023 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth1 -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -d 10.1.255.245/32 -p udp -m udp --dport 161 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Tue Mar 14 10:41:21 2017
# Generated by iptables-save v1.4.7 on Tue Mar 14 10:41:21 2017
*nat
:PREROUTING ACCEPT [397:45293]
:POSTROUTING ACCEPT [8465:1184160]
:OUTPUT ACCEPT [8465:1184160]
-A PREROUTING -i eth1 -p udp -m udp --dport 162 -j DNAT --to-destination 10.1.255.245:161
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Tue Mar 14 10:41:21 2017
Routes on box1:
Kernel IP routing table
Destination      Gateway          Genmask          Flags Metric Ref    Use Iface
255.255.255.255  *                255.255.255.255  UH    0      0        0 eth0
box2             box2.local       255.255.255.255  UGH   0      0        0 eth0
224.0.0.0        *                255.255.255.0    U     0      0        0 eth0
10.1.0.0         *                255.255.0.0      U     0      0        0 eth0
link-local       *                255.255.0.0      U     1002   0        0 eth0
link-local       *                255.255.0.0      U     1003   0        0 eth1
192.168.0.0      *                255.255.0.0      U     0      0        0 eth1
default          storage1         0.0.0.0          UG    0      0        0 eth1
tcpdump of port 161 on box2:
2017-03-14 11:25:00.677570 IP box3.57060 > box2.162: C=servers GetNextRequest(28) .1.3.6.1.2.1.1.1.0
tcpdump of port 162 on box2:
2017-03-14 11:23:03.325818 IP box3.42352 > box1.161: C=servers GetNextRequest(28) .1.3.6.1.2.1.1.1.0
- I tried snmpwalk from box2 to box1 over 161 and that works
- /proc/sys/net/ipv4/ip_forward = 1 on box 2
What am I missing?
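The forward described in the question, written out as an added example (this is not code from the question or from any answer): a script for box2 that generates, and with APPLY=1 installs, the complete rule set for UDP 162 on the public side to 10.1.255.245:161. Besides the DNAT and FORWARD rules already shown in the question it adds an SNAT on the inside leg, so that box1 sends its replies to box2 instead of straight to box3's public address. That matters with the routing table posted above: box1's default route goes out eth1 via storage1, not via box2, so unless storage1 routes back through box2 the replies never meet the conntrack entry that would undo the DNAT. It also restricts the public-side DNAT to box3's address, since the tcpdump shows an SNMPv2c community string ("servers") travelling in cleartext over the public network. Interface names, the target address and the ports are taken from the question; box2's own inside address (10.1.255.1) and box3's public address (203.0.113.10) are not given in the post and are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: build (and with APPLY=1, apply)
# a UDP port-forward on box2 from public port 162 to box1's SNMP agent on 161.
# From the question: eth1 = public side, eth0 = side facing box1,
# box1 = 10.1.255.245.  Assumed placeholders (not given in the post):
# LAN_IP = box2's own address on the inside subnet, PEER = box3's public address.
WAN_IF=${WAN_IF:-eth1}
LAN_IF=${LAN_IF:-eth0}
LAN_IP=${LAN_IP:-10.1.255.1}
PEER=${PEER:-203.0.113.10}
TARGET=${TARGET:-10.1.255.245}
PUBLIC_PORT=${PUBLIC_PORT:-162}
TARGET_PORT=${TARGET_PORT:-161}

# Emit the rule set, one command per line.  The DNAT rewrites the destination
# in PREROUTING; the SNAT on the inside leg rewrites the source in POSTROUTING
# so box1 answers box2 rather than sending the reply via its own default
# gateway; conntrack reverses both translations on the way back to box3.
forward_rules() {
  cat <<EOF
iptables -t nat -A PREROUTING -i $WAN_IF -s $PEER -p udp --dport $PUBLIC_PORT -j DNAT --to-destination $TARGET:$TARGET_PORT
iptables -t nat -A POSTROUTING -o $LAN_IF -p udp -d $TARGET --dport $TARGET_PORT -j SNAT --to-source $LAN_IP
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p udp -d $TARGET --dport $TARGET_PORT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -p udp -s $TARGET --sport $TARGET_PORT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Commands that confirm the translation on both legs of box2.  tcpdump on the
# public side should show box3 -> box2:162 (pre-NAT), tcpdump on the inside
# should show LAN_IP -> box1:161 (post-NAT), and conntrack should list one udp
# entry per query whose original tuple is box3 -> box2:162 and whose reply
# tuple is box1:161 -> LAN_IP... i.e. both NATs recorded in one flow.
check_cmds() {
  cat <<EOF
sysctl net.ipv4.ip_forward
iptables -t nat -L PREROUTING -n -v
iptables -t nat -L POSTROUTING -n -v
tcpdump -ni $WAN_IF udp port $PUBLIC_PORT
tcpdump -ni $LAN_IF udp port $TARGET_PORT
conntrack -L -p udp --orig-port-dst $PUBLIC_PORT
EOF
}

if [ "${APPLY:-0}" = 1 ]; then
  sysctl -w net.ipv4.ip_forward=1
  forward_rules | sh -e
else
  echo '# rules (run with APPLY=1 to install them):'
  forward_rules
  echo '# checks:'
  check_cmds
fi
```

With the SNAT in place box1 sees every query as coming from box2's inside address, so any source restriction in box1's snmpd configuration has to allow that address rather than box3's; the trade-off is that box1 no longer needs box2 as its gateway, which is the alternative fix.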
You need to activate IP forwarding on box2, and box2 needs to be the gateway of box1 to the public network.
If the problem persists, please share a tcpdump from box2, which you can acquire by running: