I have a host that acts as a gateway for other hosts. The configuration is such that eth0 (192.168.1.3) is connected to the internet via a router and eth1 (172.16.2.50) is connected to the internal network via a switch. Given that, this host is also running a service that is bound to eth1 and serves the internal network. I want to extend this service to the outside world as well and was trying to manipulate iptables so that any request that comes to this host via eth0 and is directed to 192.168.1.3:80 is sent to 172.16.2.50, so that internet users can also make use of the service.
Here are my iptables rules for setting up the host as a gateway (and these work fine):
sudo iptables -t nat -A POSTROUTING -s 172.16.2.0/16 -o eth0 -j MASQUERADE
sudo iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 -j MASQUERADE
sudo iptables -A FORWARD -s 172.16.2.0/16 -o eth0 -j ACCEPT
sudo iptables -A FORWARD -d 172.16.2.0/16 -m state --state ESTABLISHED,RELATED -i eth0 -j ACCEPT
And these are the rules that I am trying to add to the iptables to achieve my ends:
sudo iptables -A INPUT -d 192.168.1.3 -p tcp -dport 80 -i eth0 -j ACCEPT
sudo iptables -t nat -A PREROUTING -d 192.168.1.3 -p tcp -dport 80 -j DNAT --to-destination 172.16.2.50:80
sudo iptables -t nat -A PREROUTING -s 172.16.2.50 -p tcp -sport 80 -j SNAT --to-source 192.168.1.3:80
sudo iptables -A FORWARD -d 192.168.1.3 -p tcp -dport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
When I do so, I get an error like: “multiple -d flags not allowed” …
Can someone tell me how to resolve this error… and will the entries that I want to add serve my purpose?
As @Vladimir said, you need to write --dport using double dashes. Using a single dash for -dport confuses iptables about using another
As for the rules' correctness, it is enough to add this rule to achieve your goal:
iptables -t nat -A PREROUTING -d 192.168.1.3 -p tcp --dport 80 -j DNAT --to-destination 172.16.2.50
This should work assuming you are receiving traffic from Internet (from your router) on the IP 192.168.1.3 (public to private NAT is done in the router).
Also, you can write the RELATED/ESTABLISHED rule only once and in this form:
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
Just allow all related/established connections. This should not be a security hole as you are allowing only relevant traffic using other
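As an added illustration (not part of the question or the answer), the script below parses iptables rules the way getopt_long does, which shows why "-dport 80" becomes a second "-d" flag and reproduces the "multiple -d flags not allowed" complaint; the option tables are an assumed subset covering only the flags used on this page, and the lint/fix helpers are hypothetical names.

```python
import getopt
import re
import shlex

# Assumed subset of iptables options used on this page. iptables parses its
# command line with getopt_long, so "-dport" is read as short option -d with
# the attached argument "port", not as the long option --dport.
SHORT_OPTS = "t:A:s:d:p:i:o:j:m:"
LONG_OPTS = ["dport=", "sport=", "to-destination=", "to-source=", "state="]
LONG_NAMES = {o.rstrip("=") for o in LONG_OPTS}


def parse_rule(rule):
    """Split one iptables command line and parse it like getopt_long.
    Returns a list of (flag, value) pairs; leading 'sudo'/'iptables' are skipped."""
    argv = shlex.split(rule)
    while argv and argv[0] in ("sudo", "iptables"):
        argv.pop(0)
    opts, _positional = getopt.gnu_getopt(argv, SHORT_OPTS, LONG_OPTS)
    return opts


def lint_rule(rule):
    """Return a list of problems in one rule, [] if none.
    Flags long options written with a single dash and repeats iptables'
    'multiple -X flags not allowed' message when that causes a duplicate flag."""
    problems = []
    seen = {}
    for flag, value in parse_rule(rule):
        # "-d" + "port" == "dport": a long option typed with one dash. Without an
        # earlier -d, iptables would try to resolve a host literally named "port".
        if len(flag) == 2 and flag[1] + value in LONG_NAMES:
            problems.append(f"'{flag}{value}' parsed as '{flag} {value}'; write '--{flag[1]}{value}'")
        seen[flag] = seen.get(flag, 0) + 1
    for flag, count in seen.items():
        if count > 1 and not flag.startswith("--"):
            problems.append(f"multiple {flag} flags not allowed")
    return problems


def fix_rule(rule):
    """Rewrite single-dash long options (-dport, -sport, ...) with double dashes."""
    names = "|".join(sorted(LONG_NAMES, key=len, reverse=True))
    return re.sub(rf"(?<![-\w])-({names})\b", r"--\1", rule)


if __name__ == "__main__":
    # Constructed input: the DNAT rule from the question, as originally typed.
    bad = "sudo iptables -t nat -A PREROUTING -d 192.168.1.3 -p tcp -dport 80 -j DNAT --to-destination 172.16.2.50:80"
    print(lint_rule(bad))        # ["'-dport' parsed as '-d port'; write '--dport'", 'multiple -d flags not allowed']
    print(lint_rule(fix_rule(bad)))  # []
```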