Score:1

Changing iptables commands to forward selectively


Following a tutorial I have set up a v2ray VPN for some friends. In the setup we need two servers: EU and IR. The EU server is in Europe and v2ray is installed on it. The IR server is inside the country and just forwards all traffic to the EU server. It is needed because the censorship is so harsh that at times you can only connect to domestic servers.

All has been working fine so far, but we need to add more EU servers, and the IR server should forward traffic selectively to EU1 or EU2. We plan to dedicate a range of ports to each EU server. So, if a request comes from a v2ray client and the port is between 10000 and 19999, then we want it to be forwarded to the EU1 server, and if the port is between 20000 and 29999, then it is forwarded to EU2.

The current iptables commands that we have are these:

sysctl net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -p tcp --dport 22 -j DNAT --to-destination IR_SERVER_IP
iptables -t nat -A PREROUTING -j DNAT --to-destination EU_SERVER_IP
iptables -t nat -A POSTROUTING -j MASQUERADE

I tried to make sense of the commands and understand that -t nat selects the nat table and -p tcp says the protocol is tcp. But then --dport 22 confuses me. Each v2ray connection has a unique port, which is never 22.

What changes do we need to make to the commands to have our needs met?

Score:0

The answer is simple: no matter which traffic you forward, you still must be able to manage your "IR" server. This is being done via ssh, which is listening on port 22 by default. The DNAT rule is probably present to avoid traffic for port 22 being matched on the next rule, which changes the destination IP unconditionally to your EU server, no matter which protocol / port is used.

A rule iptables -t nat -A PREROUTING -p tcp --dport 22 -j ACCEPT would do the same thing (and makes its intention clearer). If you know that the destination port for v2ray traffic is between 10000 and 29999, this rule can be removed, together with adding those constraints to your DNAT rule.

I am not familiar with the v2ray VPN, and do not know if the protocol to talk to v2ray is tcp or udp - I inserted both to be sure. Based on your description, those rules should do the job:

sysctl net.ipv4.ip_forward=1
# clear all previous rules:
iptables -t nat -F

# add new rules:
iptables -t nat -A PREROUTING -d IR_SERVER_IP -p tcp --dport 10000:19999 -j DNAT --to-destination EU_SERVER_IP1
iptables -t nat -A PREROUTING -d IR_SERVER_IP -p udp --dport 10000:19999 -j DNAT --to-destination EU_SERVER_IP1
iptables -t nat -A PREROUTING -d IR_SERVER_IP -p tcp --dport 20000:29999 -j DNAT --to-destination EU_SERVER_IP2
iptables -t nat -A PREROUTING -d IR_SERVER_IP -p udp --dport 20000:29999 -j DNAT --to-destination EU_SERVER_IP2
iptables -t nat -A POSTROUTING -j MASQUERADE

Again, I do not know v2ray - therefore I am not able to tell if more port-forwarding is required for this setup to work.
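As an added example (not part of the question or of the answer above), here is a POSIX shell generator for the rule set the answer describes, extended to any number of EU servers, each owning one port range. It keeps the answer's structure (flush, an explicit ACCEPT for ssh on port 22, tcp and udp DNAT rules per range, unconditional MASQUERADE) but validates every range first and refuses overlapping ranges, because with overlaps the first PREROUTING match silently wins and traffic lands on the wrong server. IR_SERVER_IP and EU_SERVER_IP1/2 are the page's placeholders; the script only prints the commands, so you can review them before piping the output into sh. It also assumes, as the answer's rules do, that the filter table's FORWARD chain accepts the DNAT'd traffic; if FORWARD has a DROP policy, the nat rules alone will not forward anything.

```shell
#!/bin/sh
# Added example, not code from the question or the answer: emit the IR-server
# rule set for any number of EU servers, each owning one port range.
# IR_SERVER_IP / EU_SERVER_IP* are placeholders, as on the page. The script
# only prints the commands; review the output, then pipe it into sh to apply.

# check_range SPEC ACCEPTED
#   SPEC is "low:high:destination"; ACCEPTED is a space-separated list of
#   "low:high" ranges already taken. Fails on malformed ports or on overlap,
#   because with overlapping ranges the first PREROUTING match silently wins.
check_range() {
    spec="$1"; accepted="$2"
    case "$spec" in *:*:*) ;; *) return 1 ;; esac
    low=${spec%%:*}; rest=${spec#*:}; high=${rest%%:*}; dest=${rest#*:}
    case "$low" in ''|*[!0-9]*) return 1 ;; esac
    case "$high" in ''|*[!0-9]*) return 1 ;; esac
    [ "$low" -ge 1 ] && [ "$high" -le 65535 ] && [ "$low" -le "$high" ] || return 1
    [ -n "$dest" ] || return 1
    for r in $accepted; do
        alow=${r%%:*}; ahigh=${r#*:}
        # two ranges overlap unless one ends before the other starts
        if [ "$low" -le "$ahigh" ] && [ "$alow" -le "$high" ]; then
            return 1
        fi
    done
    return 0
}

# gen_forward_rules IR_IP SPEC...
#   Prints the nat-table rules on stdout; prints nothing and returns 1 if any
#   SPEC is rejected, so a half-built rule set is never emitted.
gen_forward_rules() {
    ir_ip="$1"; shift
    accepted=""
    for spec in "$@"; do
        if ! check_range "$spec" "$accepted"; then
            echo "rejected range spec: $spec" >&2
            return 1
        fi
        low=${spec%%:*}; rest=${spec#*:}; high=${rest%%:*}
        accepted="$accepted $low:$high"
    done
    echo "sysctl net.ipv4.ip_forward=1"
    echo "iptables -t nat -F"
    # keep management ssh to the IR server itself out of the DNAT rules
    echo "iptables -t nat -A PREROUTING -d $ir_ip -p tcp --dport 22 -j ACCEPT"
    for spec in "$@"; do
        low=${spec%%:*}; rest=${spec#*:}; high=${rest%%:*}; dest=${rest#*:}
        # v2ray may use tcp or udp, so cover both, as the answer does
        for proto in tcp udp; do
            printf 'iptables -t nat -A PREROUTING -d %s -p %s --dport %s:%s -j DNAT --to-destination %s\n' \
                "$ir_ip" "$proto" "$low" "$high" "$dest"
        done
    done
    # rewrite the source so EU replies come back through the IR server
    echo "iptables -t nat -A POSTROUTING -j MASQUERADE"
}

# Usage with the page's placeholders; a third EU server is just one more spec.
gen_forward_rules IR_SERVER_IP 10000:19999:EU_SERVER_IP1 20000:29999:EU_SERVER_IP2
```

Running it prints seven iptables commands plus the sysctl line; passing a spec such as 15000:25000:EU_SERVER_IP2 alongside 10000:19999:EU_SERVER_IP1 makes it exit with an error and print no rules at all, which is the behaviour you want from anything that flushes the nat table before repopulating it.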
