forward wan ip:port to external ip2:port2


I have a router based on Linux (BusyBox). I can log in to the terminal by telnet. I want to forward a WAN port to ip_external:port.

for example:

my wan ip (on my router):77.30.109.251

my wan port (on my router):1188

my external remote ip (on my vps):92.222.75.159

my remote port (on my vps):1180

I am just trying to redirect 77.30.109.251:1188 to 92.222.75.159:1180 with iptables, and that is all.

I have tried these commands, but the port still appears as filtered when I test it on ipfingerprints.com/portscan.php (ip: 77.30.109.251, port: 1188):

iptables -t nat -A PREROUTING -i ppp111 -p tcp --dport 1188 -j DNAT --to 92.222.75.159:1180
iptables -t nat -A PREROUTING -p tcp --dport 1180 -j DNAT --to 92.222.75.159:1180
iptables -t nat -A POSTROUTING -p tcp -d 92.222.75.159 --dport 1180 -j MASQUERADE

Solution:

To redirect all incoming TCP traffic arriving on interface ppp111 with destination IP 77.30.109.251 and destination port 1188 to IP 92.222.75.159 and port 1180, it is enough to use this iptables rule:

iptables -t nat -A PREROUTING -i ppp111 -d 77.30.109.251 -p tcp --dport 1188 -j DNAT --to 92.222.75.159:1180

You also need to check if there is a rule that accepts forwarding from ppp111 to external interface and if forwarding is enabled in the kernel:

$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

1 means it is on. If you see = 0, you can enable it with sysctl -w net.ipv4.ip_forward=1.

If you want to masquerade traffic, use -o option (output interface):

iptables -t nat -A POSTROUTING -p tcp -d 92.222.75.159 --dport 1180 -o $EXTERNAL_IFACE -j MASQUERADE

It’s good practice to use -i (input interface) option also, to prevent masquerading from untrusted networks.

If you use this:

iptables -t nat -A PREROUTING -i ppp111 -p tcp --dport 1188 -j DNAT --to 92.222.75.159:1180

then you redirect all TCP traffic you have from interface ppp111 with destination port 1188 to 92.222.75.159:1180. You don’t check destination IP address, so traffic for 8.8.8.8:1188 will also be redirected via this rule.

So, be careful and accurate when writing firewall rules!
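The complete rule set the answer describes (scoped DNAT in PREROUTING, FORWARD acceptance in both directions, MASQUERADE with an explicit output interface) plus the ip_forward check, as an added example that is not part of the original question or answer. The function names, the DRY-RUN style of printing rules instead of applying them, and the sixth "output interface" argument (on this setup the VPS is reached through the same ppp111 interface, so it is passed twice) are this example's own assumptions; the addresses and ports are the ones from the question.

```shell
#!/bin/sh
# Added example (not from the original post): generate the full iptables rule
# set for forwarding WAN_IP:WAN_PORT, arriving on WAN_IF, to DST_IP:DST_PORT.
# Rules are printed, not applied, so they can be reviewed first; pipe the
# output to `sh` on the router to apply them.

# forward_rules WAN_IF WAN_IP WAN_PORT DST_IP DST_PORT OUT_IF
# Every rule is restricted with -i/-d (or -o) so that only traffic that really
# arrived on the WAN interface for the router's own address is rewritten;
# a DNAT rule without -d would also catch traffic for any other destination
# on that port, which is the mistake the answer warns about.
forward_rules() {
    wan_if=$1; wan_ip=$2; wan_port=$3; dst_ip=$4; dst_port=$5; out_if=$6
    cat <<EOF
iptables -t nat -A PREROUTING -i $wan_if -d $wan_ip -p tcp --dport $wan_port -j DNAT --to-destination $dst_ip:$dst_port
iptables -A FORWARD -i $wan_if -o $out_if -p tcp -d $dst_ip --dport $dst_port -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $out_if -o $wan_if -p tcp -s $dst_ip --sport $dst_port -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $out_if -p tcp -d $dst_ip --dport $dst_port -j MASQUERADE
EOF
}

# dnat_rule_is_scoped RULE
# Returns 0 only when a PREROUTING DNAT rule carries both an input interface
# (-i) and a destination address (-d); the asker's original rule fails this.
dnat_rule_is_scoped() {
    case "$1" in
        *" -i "*" -d "*|*" -d "*" -i "*) return 0 ;;
    esac
    return 1
}

# ip_forward_enabled [FILE]
# Reads the kernel forwarding switch; FILE defaults to the real sysctl path
# and is a parameter only so the check can be exercised against a test file.
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = 1 ]
}

# Usage on the router (review the output before piping it to sh):
#   ip_forward_enabled || sysctl -w net.ipv4.ip_forward=1
#   forward_rules ppp111 77.30.109.251 1188 92.222.75.159 1180 ppp111
```

The MASQUERADE rule is not optional here: without it the VPS would see the original client's source address and answer it directly, and the client would drop a reply from an address it never connected to. The FORWARD rules assume the chain's default policy is DROP, as is common on routers; if it is ACCEPT they are harmless.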
