Why is this iptables rule that does port forwarding not working?

I have a server bound to localhost:7060. It is using an IPv6 socket instead of IPv4. Below is the netstat output.

    # netstat -an
    Proto Recv-Q Send-Q Local Address Foreign Address State
    tcp 0 0 10.200.32.98:1720 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:4122 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:4123 0.0.0.0:* LISTEN
    tcp 0 0 127.0.0.1:4123 127.0.0.1:43051 ESTABLISHED
    tcp 0 0 10.200.32.98:5555 10.200.32.44:53162 ESTABLISHED
    tcp6 0 0 :::5060 :::* LISTEN
    tcp6 0 0 ::ffff:127.0.0.1:7060 :::* LISTEN
    tcp6 0 0 :::23 :::* LISTEN
    tcp6 0 0 ::ffff:10.200.32.98:23 ::ffff:10.200.32.142:43505 ESTABLISHED
    tcp6 0 0 ::ffff:127.0.0.1:43051 ::ffff:127.0.0.1:4123 ESTABLISHED
    tcp6 0 0 ::ffff:10.200.32.98:23 ::ffff:10.200.32.44:53195 ESTABLISHED
    udp6 0 0 :::5060 :::* CLOSE
    #

I want to set up a port forwarding rule that accepts connections on port 24 (on all interfaces, loopback as well as eth0) and forwards the data to localhost:7060.

This is how I am setting up the iptables rule:

    iptables -t nat -A PREROUTING -p tcp --dport 24 -j DNAT --to 127.0.0.1:7060

It is not working. When I telnet from a different box, I see the following:

    $ telnet 10.200.32.98 24
    Trying 10.200.32.98...

If I change the server to bind to *:7060 and set the following rule, it seems to work fine.

    iptables -t nat -A PREROUTING -p tcp --dport 24 -j REDIRECT --to-port 7060

But that will make my server available on the WAN interface, which I don't like.

I feel it has something to do with the IPv6 socket (the tcp6 line in the netstat output). This whole thing is done on an Android device with a custom-built Android platform image.

How do I get this working?

Tags: port-forwarding, android, nat, iptables, platform
asked Nov 30 '11 at 16:22 by videoguy
edited Nov 30 '11 at 17:18 by jonsca
If your socket is IPv6, you need to do IPv6 filtering. Further, I am of the understanding that ip6tables does not yet support NAT for things like masquerading or port forwarding (your case). Try making the socket an IPv4 one instead and see if your rule works.
– Garrett, Nov 30 '11 at 17:05
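As an added check (not from the question or any answer): a small Python parser over the netstat -an output above that classifies each listening socket by address family and scope, treating a ::ffff: address as the IPv4-mapped form on a dual-stack IPv6 socket, and lists which ports are reachable from non-loopback interfaces. The netstat lines are reproduced from the question; the function names are my own.

```python
import ipaddress

# Lines reproduced from the question's netstat -an output (the LISTEN sockets,
# plus the header and one ESTABLISHED line to show that those are skipped).
NETSTAT_OUTPUT = """\
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 10.200.32.98:1720 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:4122 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:4123 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:4123 127.0.0.1:43051 ESTABLISHED
tcp6 0 0 :::5060 :::* LISTEN
tcp6 0 0 ::ffff:127.0.0.1:7060 :::* LISTEN
tcp6 0 0 :::23 :::* LISTEN
"""

def split_endpoint(endpoint):
    # IPv6 addresses contain ':' themselves, so only the last colon is the
    # address/port separator (e.g. ':::5060' -> ('::', 5060)).
    addr, _, port = endpoint.rpartition(":")
    return addr, int(port)

def classify(addr):
    """Return (family, scope) for a local address as netstat prints it.
    '::ffff:a.b.c.d' is an IPv4-mapped address on a dual-stack IPv6 socket:
    the packets on the wire are IPv4, so iptables (not ip6tables) sees them."""
    ip = ipaddress.ip_address(addr)
    family = "ipv4" if ip.version == 4 else "ipv6"
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip, family = ip.ipv4_mapped, "ipv4-mapped"
    if ip.is_unspecified:       # 0.0.0.0 or :: -> bound on every interface
        scope = "all-interfaces"
    elif ip.is_loopback:        # 127.0.0.0/8 or ::1 -> loopback only
        scope = "loopback-only"
    else:                       # bound to one interface address
        scope = "specific"
    return family, scope

def listeners(netstat_text):
    """One record per TCP socket in LISTEN state (UDP sockets have no LISTEN
    state in netstat output and are not covered here)."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[-1] != "LISTEN":
            continue                     # header, ESTABLISHED, blank lines
        addr, port = split_endpoint(fields[3])
        family, scope = classify(addr)
        found.append({"proto": fields[0], "port": port, "family": family, "scope": scope})
    return found

def exposed_ports(netstat_text):
    """Ports reachable from a non-loopback interface: the set to compare
    before and after a REDIRECT or DNAT rule is added."""
    return sorted({s["port"] for s in listeners(netstat_text)
                   if s["scope"] != "loopback-only"})
```

On the question's output this reports 7060 as loopback-only (ipv4-mapped) and 23, 1720, 4122, 4123 and 5060 as reachable from other interfaces, which is the baseline to re-check after any rebinding to *:7060.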
2 Answers
When the response packets come back from port 7060 and are sent to the router, these packets also need a sender mask operation, to mask the packets' source address to the router's address (127.0.0.1) and port 24. So you need to add an SNAT iptables rule to make it work.

    iptables -t nat -A POSTROUTING -p tcp --sport 7060 -j MASQUERADE --to-ports 24

Even though the packets are generated by localhost, they will also go into the POSTROUTING chain.

The REDIRECT operation automatically does these two things for you, but if your service is on another server in your local net, you have to use SNAT and DNAT.
answered Dec 15 '17 at 6:45 by Frio
I think you must use --sport 24 instead of --dport 24, because the traffic is incoming, not outgoing. Although, as Garret said, probably you must use ip6tables...
answered Feb 10 '12 at 8:35 by xOneca
edited Mar 20 '17 at 10:17 by Community
Wrong, the incoming connection has the destination port 24, thus --dport should be used. Usually the source port (from the connecting client) is assigned randomly for every.
– hultqvist, Apr 12 '13 at 8:37