How can I forward traffic from a specific port to another machine?
+-----------------+     +----------------------+      +------------------------+
|     client      |     |     intermediary     |      |         server         |
|    (windows)    |     |       (debian)       |      |       (Windows)        |
|      10.10.1.30-+-----+-10.10.1.1 (eno1)     |      |                        |
+-----------------+     |   10.10.2.1 (ens6f3)-+------+-10.10.2.2 (port 3389)  |
                        +----------------------+      +------------------------+
In this test case, I am trying to RDP (TCP port 3389) from client to server. I'm trying to set up iptables rules on the intermediary, but I'm failing to do so:
$ sudo sysctl -a
...
net.ipv4.ip_forward = 0
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.eno1.forwarding = 0
net.ipv4.conf.ens6f3.forwarding = 0
...
$ sudo sysctl net.ipv4.conf.eno1.forwarding=1
$ sudo iptables -A PREROUTING -t nat -i eno1 -p tcp --dport 3389 -j DNAT --to 10.10.2.2:3389
$ sudo iptables -A FORWARD -p tcp -d 10.10.2.2 --dport 3389 -j ACCEPT
$ sudo iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eno1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3389 to 10.10.2.2:3389
I am now trying to RDP from 10.10.1.30 to 10.10.1.1. I am expecting to log into 10.10.2.2, but I get no response from that port.
What am I doing wrong?
I've also tried:
$ sudo sysctl net.ipv4.ip_forward=1
$ sudo iptables -A FORWARD -i eno1 -o ens6f3 -p tcp --syn --dport 3389 -m conntrack --ctstate NEW -j ACCEPT
$ sudo iptables -A FORWARD -i eno1 -o ens6f3 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$ sudo iptables -A FORWARD -i ens6f3 -o en01 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
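A complete rule set for this topology, added here as an example rather than taken from the question, assuming the interface names and addresses in the diagram and a hypothetical script name rdp-forward.sh:

```shell
#!/bin/sh
# Added example for the topology above (not the poster's commands).
# Assumptions: eno1 faces the client, ens6f3 faces the server, the RDP
# server is 10.10.2.2:3389. Run on the intermediary (debian) as root.
#   sh rdp-forward.sh          # print the rule set for review
#   sh rdp-forward.sh --apply  # apply it

IN_IF=eno1        # interface facing the client
OUT_IF=ens6f3     # interface facing the server
SERVER=10.10.2.2  # RDP server
PORT=3389         # RDP

# Emit the rule set, one command per line.
# 1. ip_forward=1 turns forwarding on for every interface at once
#    (the per-interface conf.eno1.forwarding knob alone covers only eno1).
# 2. DNAT in nat/PREROUTING rewrites the destination before routing.
# 3. FORWARD accepts only this flow, in both directions, so the rules still
#    work if the chain policy is later set to DROP.
# 4. MASQUERADE in nat/POSTROUTING rewrites the source to 10.10.2.1, so the
#    server's replies come back through the intermediary even when its
#    default route points elsewhere; conntrack undoes both NATs on the way
#    back. Cost: the server's RDP logs show 10.10.2.1, not the real client.
#    If the server already routes 10.10.1.0/24 via 10.10.2.1, drop rule 4.
pf_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $IN_IF -p tcp --dport $PORT -j DNAT --to-destination $SERVER:$PORT
iptables -A FORWARD -i $IN_IF -o $OUT_IF -p tcp -d $SERVER --dport $PORT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $OUT_IF -o $IN_IF -p tcp -s $SERVER --sport $PORT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $OUT_IF -p tcp -d $SERVER --dport $PORT -j MASQUERADE
EOF
}

# Apply the rules, stopping at the first failure.
pf_apply() {
  pf_rules | sh -e
}

case "${1:-}" in
  --apply) pf_apply ;;
  *) pf_rules ;;
esac
```

After applying, the pkts counter on the DNAT rule in `iptables -t nat -L PREROUTING -n -v` should increase with each connection attempt from the client; if it stays at 0 the traffic is not reaching eno1 with dport 3389 at all.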