Re: Rewriting target IP and port on Linux with iptables or firewall-cmd

On Fri, Mar 4, 2016 at 4:32 PM, Sven-Haegar Koch <haegar@xxxxxxxxx> wrote:
> On Fri, 4 Mar 2016, Alex Barylo wrote:
>
>> I have a server in a DC1 with a private IP, of say 10.10.10.10. This
>> IP is NAT'd to a public IP, say 216.58.219.10 in this way:
>>
>> 216.58.219.10:8090 -> 10.10.10.10:8089
>>
>> I have a server in DC2 which knows about (and wants to connect to)
>> 10.10.10.10:8089 but doesn't know about 216.58.219.10:8090 (long
>> story).
>>
>> So I want to rewrite dest IP/port from 10.10.10.10:8089 to 216.58.219.10:8090.
>>
>> This is what I tried:
>>
>> # sysctl net.ipv4.ip_forward=1
>> # iptables -t nat -A PREROUTING -p tcp --dest 10.10.10.10 --dport 8089
>> -j DNAT --to 216.58.219.10:8090
>
>> Any pointers are greatly appreciated.
>
> Try adding the same rule also to the nat OUTPUT chain.
>
> iptables -t nat -A OUTPUT -p tcp --dest 10.10.10.10 --dport 8089 -j
> DNAT --to 216.58.219.10:8090
>

Excellent (winning!) idea, Sven-Haegar - thank you! I did try adding
to OUTPUT instead of PREROUTING before I posted here and it didn't
work. But when I added to both - voila!

Here is the script, in case you need to add more than one port and you
hate repeating (almost) the same line.

#!/bin/bash

PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin

REMOTE_PUB_IP=<your_public_ip_here>
REMOTE_PUB_PORT=(8089 8090 8091)

# One private IP per public port above, separated by spaces
REMOTE_PRV_IP=(<your_private_ips_here>)
REMOTE_PRV_PORT=(8089 8089 8089)


# Run the command given as arguments, or only print it when DEBUG is set
run_cmd () {
    if [[ -z "$DEBUG" ]]; then
        "$@"
    else
        echo "$@"
    fi
}


# Enable IP forwarding
sysctl net.ipv4.ip_forward=1

# Flush all NAT rules (this also removes NAT rules unrelated to this script)
iptables -t nat -F

(( max_index = ${#REMOTE_PUB_PORT[*]} - 1 ))
for i in $( seq 0 $max_index ); do
    run_cmd iptables -t nat -A PREROUTING -p tcp --dest "${REMOTE_PRV_IP[i]}" --dport "${REMOTE_PRV_PORT[i]}" \
        -j DNAT --to "${REMOTE_PUB_IP}:${REMOTE_PUB_PORT[i]}"
    run_cmd iptables -t nat -A OUTPUT     -p tcp --dest "${REMOTE_PRV_IP[i]}" --dport "${REMOTE_PRV_PORT[i]}" \
        -j DNAT --to "${REMOTE_PUB_IP}:${REMOTE_PUB_PORT[i]}"
done
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
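As an added example, not code from the thread above or from the netfilter project: a small POSIX shell script that manages the same DNAT mappings idempotently and encodes the point Sven-Haegar's answer turns on. Packets generated on the host itself traverse only the nat OUTPUT chain, packets arriving from other hosts traverse only nat PREROUTING, so a rule in the wrong chain never matches, and net.ipv4.ip_forward is only needed for the PREROUTING (forwarded) case. The script checks for an existing rule with `iptables -C` before appending instead of flushing the whole nat table, and accepts an optional source network so a PREROUTING rule on a forwarding host cannot be used as a relay by any peer that routes the private address through it. The function names, the DRY_RUN and IPT variables and the mapping list are assumptions of this example; the addresses are the sample values used in the thread.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent DNAT rule management.
# Assumptions: an iptables CLI that supports -C (check); the addresses below are the
# thread's sample values, not real infrastructure. Runs without root when DRY_RUN=1.
set -eu

IPT=${IPT:-iptables}
DRY_RUN=${DRY_RUN:-1}      # 1 = only print the commands, 0 = execute them (needs root)

# Which nat chains see a packet depends on where it is generated:
#   local     - packets generated on this host traverse nat OUTPUT, never PREROUTING
#   forwarded - packets arriving from other hosts traverse nat PREROUTING, never OUTPUT
#   both      - rewrite in both chains
chains_for() {
    case "$1" in
        local)     echo "OUTPUT" ;;
        forwarded) echo "PREROUTING" ;;
        both)      echo "PREROUTING OUTPUT" ;;
        *) echo "chains_for: unknown origin '$1'" >&2; return 1 ;;
    esac
}

# Rule specification (everything after "iptables -t nat -A/-C") for one mapping in one
# chain. The optional sixth argument restricts the match to a source network, so a
# PREROUTING rule cannot be reached by arbitrary hosts that route the private IP here.
dnat_spec() {
    local chain prv_ip prv_port pub_ip pub_port src src_match
    chain=$1; prv_ip=$2; prv_port=$3; pub_ip=$4; pub_port=$5; src=${6:-}
    src_match=""
    [ -n "$src" ] && src_match=" -s $src"
    echo "$chain -p tcp$src_match -d $prv_ip --dport $prv_port -j DNAT --to-destination $pub_ip:$pub_port"
}

# Append a rule only if an identical one is not already present (-C = check), instead of
# flushing the whole nat table with -F, which would also drop unrelated rules.
ensure_rule() {
    local spec
    spec=$1
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPT -t nat -C $spec 2>/dev/null || $IPT -t nat -A $spec"
    else
        $IPT -t nat -C $spec 2>/dev/null || $IPT -t nat -A $spec
    fi
}

# ip_forward is only required when forwarded (PREROUTING) traffic is rewritten;
# locally generated connections rewritten in OUTPUT do not need it.
ensure_forwarding() {
    case " $1 " in
        *" PREROUTING "*)
            if [ "$DRY_RUN" = 1 ]; then
                echo "sysctl -w net.ipv4.ip_forward=1"
            else
                sysctl -w net.ipv4.ip_forward=1
            fi ;;
    esac
}

# Constructed mapping list, one per line: "private_ip private_port public_ip public_port"
MAPPINGS='10.10.10.10 8089 216.58.219.10 8090
10.10.10.11 8089 216.58.219.10 8091'

# apply_mappings ORIGIN [SOURCE_NET]: install every mapping in the chains ORIGIN requires.
apply_mappings() {
    local origin src chains prv_ip prv_port pub_ip pub_port chain
    origin=$1; src=${2:-}
    chains=$(chains_for "$origin")
    ensure_forwarding "$chains"
    echo "$MAPPINGS" | while read -r prv_ip prv_port pub_ip pub_port; do
        [ -z "$prv_ip" ] && continue
        for chain in $chains; do
            ensure_rule "$(dnat_spec "$chain" "$prv_ip" "$prv_port" "$pub_ip" "$pub_port" "$src")"
        done
    done
}

# The thread's case: the connecting server rewrites its own outgoing traffic, so only
# the OUTPUT chain is needed and ip_forward can stay off.
apply_mappings local
```

Run it with `DRY_RUN=1` (the default) to see the exact commands, then `DRY_RUN=0 ./dnat.sh` as root to apply them; `apply_mappings forwarded 192.0.2.0/24` is the form for a host that rewrites traffic on behalf of a known peer network. On a firewalld host the same chain and rule arguments can be handed to the direct interface (`firewall-cmd --permanent --direct --add-rule ipv4 nat OUTPUT 0 <rule arguments>`), which the thread's title mentions but the posts do not use.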


