Score:1

iptables - Port forwarding with keeping source IP

I have an Ubuntu Server with two interfaces: enp1s0 and ham0 (private network). On interface ham0 my IP address is 25.70.228.164. Another machine in this network has IP address 25.11.1.253. I tried to set these iptables rules:

# flush all rules in the filter table, then in the nat table, then delete user-defined chains
iptables -F
iptables -t nat -F
iptables -X
# redirect TCP 9000-9005 arriving at this host to the second machine
iptables -t nat -A PREROUTING -p tcp --dport 9000:9005 -j DNAT --to-destination 25.11.1.253
# rewrite the source of the forwarded packets to this host's ham0 address
iptables -t nat -A POSTROUTING -p tcp -d 25.11.1.253 --dport 9000:9005 -j SNAT --to-source 25.70.228.164

It works fine, but the second machine (25.11.1.253) doesn't see the real IP addresses of the incoming packets. It sees the IP address of the first machine (25.70.228.164).

I heard that it's possible to preserve the source IP by setting a default gateway, but I don't understand what I should do.

Is it even possible with iptables, and what should I do?

David:
It can depend on what version of Ubuntu you are using. What version of Ubuntu is it?
xRef:
@David Ubuntu 18.04.6 LTS
Score:0

It is possible to save the source IP with iptables, and such behaviour is actually the more normal method for port forwarding.

Delete this line:

iptables -t nat -A POSTROUTING -p tcp -d 25.11.1.253 --dport 9000:9005 -j SNAT --to-source 25.70.228.164

Change this line:

iptables -t nat -A PREROUTING -p tcp --dport 9000:9005 -j DNAT --to-destination 25.11.1.253

To this:

iptables -t nat -A PREROUTING -p tcp -i enp1s0 --dport 9000:9005 -j DNAT --to-destination 25.11.1.253

If the IP address of enp1s0 is known and static ($EXTIP), add this line:

iptables -t nat -A POSTROUTING -o enp1s0 -j SNAT --to $EXTIP

If the IP address of enp1s0 is not known, maybe dynamic, add this line:

iptables -t nat -A POSTROUTING -o enp1s0 -j MASQUERADE

This answer assumes the default policy for the FORWARD chain is ACCEPT. A default policy of DROP might be more secure, which would require these additional rules (untested):

# drop anything that is not explicitly allowed to be forwarded
iptables -P FORWARD DROP
# replies from the private side back to the external side, for connections already tracked
iptables -A FORWARD -i ham0 -o enp1s0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# new connections from the external side, only to the forwarded ports on the target
iptables -A FORWARD -i enp1s0 -o ham0 -p tcp --dport 9000:9005 -d 25.11.1.253 -j ACCEPT

You also need to enable forwarding (which I think you did, but for completeness):

echo "1" > /proc/sys/net/ipv4/ip_forward
xRef:
It doesn't work for me at all. The second machine doesn't receive any packets. I also tried changing `iptables -P FORWARD DROP` to `iptables -P FORWARD ACCEPT`.
Doug Smythies:
What is the netmask for your ham0 subnet? I ask because the two addresses involved are so different. I assumed the packets that get forwarded arrive on the enp1s0 NIC, is that true?
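The answer's rule set, collected into one reviewable script. This is an added example, not code from the question or the answer. It follows the answer's assumptions: clients reach the forwarder on enp1s0 (if they actually arrive on ham0, as Doug's comment asks, the `-i enp1s0` match never fires and nothing is forwarded), and the target 25.11.1.253 routes its replies back through the forwarder (its default gateway is 25.70.228.164). Without that return route the replies bypass the NAT state and the connection never completes, which is what the SNAT rule in the question was papering over at the cost of the client address. The script uses `-m conntrack --ctstate` in place of the answer's `-m state --state` (same effect) and prints the commands by default so they can be checked before running with `APPLY=1` as root.

```shell
#!/bin/sh
# Added example (not from the thread): build the port-forwarding rule set the
# answer describes and show it before applying it.
# Assumed values, taken from the thread; adjust for your host:
EXT_IF="${EXT_IF:-enp1s0}"     # interface the clients arrive on
INT_IF="${INT_IF:-ham0}"       # interface facing the target
TARGET="${TARGET:-25.11.1.253}"
PORTS="${PORTS:-9000:9005}"
EXT_IP="${EXT_IP:-}"           # empty: use MASQUERADE (dynamic external address)

# build_rules EXT_IF INT_IF TARGET PORTS [EXT_IP]
# Prints one iptables command per line; nothing is executed here.
build_rules() {
    ext_if=$1; int_if=$2; target=$3; ports=$4; ext_ip=${5:-}

    # Start from a known state for the chains this script owns
    # (deliberately not a blanket "iptables -F" of every chain).
    echo "iptables -t nat -F PREROUTING"
    echo "iptables -t nat -F POSTROUTING"
    echo "iptables -F FORWARD"

    # Redirect the published ports to the target. The source address is left
    # untouched, so the target sees the real client IP.
    echo "iptables -t nat -A PREROUTING -i $ext_if -p tcp --dport $ports -j DNAT --to-destination $target"

    # Source NAT only for traffic leaving through the external interface (the
    # private hosts' own outbound traffic); never for traffic towards the target.
    if [ -n "$ext_ip" ]; then
        echo "iptables -t nat -A POSTROUTING -o $ext_if -j SNAT --to-source $ext_ip"
    else
        echo "iptables -t nat -A POSTROUTING -o $ext_if -j MASQUERADE"
    fi

    # Default-deny forwarding: allow replies of tracked connections, and new
    # connections only to the published ports on the target.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $ext_if -o $int_if -p tcp -d $target --dport $ports -m conntrack --ctstate NEW -j ACCEPT"
}

# apply_rules: enable routing and run the generated commands (needs root).
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    build_rules "$@" | sh -e
}

if [ "${APPLY:-0}" = "1" ]; then
    apply_rules "$EXT_IF" "$INT_IF" "$TARGET" "$PORTS" "$EXT_IP"
else
    # dry run: print the rules for review
    build_rules "$EXT_IF" "$INT_IF" "$TARGET" "$PORTS" "$EXT_IP"
fi
```

Neither the sysctl setting nor the rules survive a reboot; persist them with your distribution's usual mechanism (for example `/etc/sysctl.d/` and iptables-persistent) once the dry-run output looks right. To confirm the client address is really preserved, watch the target with `tcpdump -ni ham0 tcp portrange 9000-9005` while connecting from outside: the source should be the client, not 25.70.228.164.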