Why is this iptables rule that does port forwarding not working?












5















I have a server bound to localhost:7060. It is using an IPv6 socket instead of IPv4. Below is the netstat output.



# netstat -an
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 10.200.32.98:1720 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:4122 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:4123 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:4123 127.0.0.1:43051 ESTABLISHED
tcp 0 0 10.200.32.98:5555 10.200.32.44:53162 ESTABLISHED
tcp6 0 0 :::5060 :::* LISTEN
tcp6 0 0 ::ffff:127.0.0.1:7060 :::* LISTEN
tcp6 0 0 :::23 :::* LISTEN
tcp6 0 0 ::ffff:10.200.32.98:23 ::ffff:10.200.32.142:43505 ESTABLISHED
tcp6 0 0 ::ffff:127.0.0.1:43051 ::ffff:127.0.0.1:4123 ESTABLISHED
tcp6 0 0 ::ffff:10.200.32.98:23 ::ffff:10.200.32.44:53195 ESTABLISHED
udp6 0 0 :::5060 :::* CLOSE
#


I want to set up a port forwarding rule that accepts connections on port 24 (on all interfaces, loopback as well as eth0) and forwards the data to localhost:7060.



This is how I am setting up the iptables rule:




iptables -t nat -A PREROUTING -p tcp --dport 24 -j DNAT --to 127.0.0.1:7060




It is not working. When I telnet from a different box, I see the following:




$telnet 10.200.32.98 24

Trying 10.200.32.98...




If I change the server to bind to *:7060 and set the following rule, it seems to work fine.




iptables -t nat -A PREROUTING -p tcp --dport 24 -j REDIRECT --to-port 7060




But that will make my server available on the WAN interface, which I don't like.



I feel it has something to do with the IPv6 socket (the tcp6 line in the netstat output). This whole thing is done on an Android device with a custom-built Android platform image.



How do I get this working?










port-forwarding android nat iptables platform






edited Nov 30 '11 at 17:18









jonsca

asked Nov 30 '11 at 16:22









videoguy

  • 1





    If your socket is IPv6, you need to do IPv6 filtering. Further, I am of the understanding that ip6tables does not yet support NAT for things like masquerading or port forwarding (your case). Try making the socket an IPv4 one instead and see if your rule works.

    – Garrett
    Nov 30 '11 at 17:05
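The `::ffff:127.0.0.1` form in the question's netstat output is an IPv4-mapped IPv6 address: the listener is an AF_INET6 dual-stack socket, but the connections it accepts on that address arrive as plain IPv4 and pass through the IPv4 netfilter hooks, which is iptables, not ip6tables. The script below is an added example (not code from the question or the comments) that parses that netstat output, copied from the question as sample input, and reports for each bound socket whether other hosts can reach it and which firewall family filters its traffic. The assumption that a `::` wildcard listener is dual-stack (no IPV6_V6ONLY, the Linux default) is mine.

```python
"""Audit `netstat -an` listeners: where each socket is bound and which
netfilter family (iptables / ip6tables) sees its packets.

Added example; not code from the question or the answers. The sample input
is the netstat output pasted in the question."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 10.200.32.98:1720 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:4122 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:4123 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:4123 127.0.0.1:43051 ESTABLISHED
tcp 0 0 10.200.32.98:5555 10.200.32.44:53162 ESTABLISHED
tcp6 0 0 :::5060 :::* LISTEN
tcp6 0 0 ::ffff:127.0.0.1:7060 :::* LISTEN
tcp6 0 0 :::23 :::* LISTEN
tcp6 0 0 ::ffff:10.200.32.98:23 ::ffff:10.200.32.142:43505 ESTABLISHED
tcp6 0 0 ::ffff:127.0.0.1:43051 ::ffff:127.0.0.1:4123 ESTABLISHED
tcp6 0 0 ::ffff:10.200.32.98:23 ::ffff:10.200.32.44:53195 ESTABLISHED
udp6 0 0 :::5060 :::* CLOSE
"""

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass(frozen=True)
class Listener:
    proto: str                  # tcp / tcp6 / udp / udp6 as netstat prints it
    bound: Address              # address as bound (may be ::ffff:a.b.c.d)
    port: int
    exposure: str               # loopback-only / all-interfaces / specific-interface
    families: Tuple[str, ...]   # netfilter tables that see this socket's packets


def split_endpoint(text: str) -> Tuple[Address, int]:
    """'::ffff:127.0.0.1:7060' -> (IPv6Address('::ffff:127.0.0.1'), 7060)."""
    host, _, port = text.rpartition(":")
    return ipaddress.ip_address(host), int(port)


def effective_address(addr: Address) -> Address:
    """Unwrap an IPv4-mapped address: the socket is AF_INET6, but the packets
    it receives on ::ffff:a.b.c.d are IPv4 and go through the IPv4 hooks."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def classify(proto: str, bound: Address, port: int) -> Listener:
    eff = effective_address(bound)
    if eff.is_loopback:
        exposure = "loopback-only"
    elif eff.is_unspecified:
        exposure = "all-interfaces"
    else:
        exposure = "specific-interface"
    if eff.version == 4:
        families = ("iptables",)
    elif eff.is_unspecified:
        # Assumption: no IPV6_V6ONLY, so a :: listener is dual-stack and
        # receives IPv4 (iptables) as well as IPv6 (ip6tables) connections.
        families = ("iptables", "ip6tables")
    else:
        families = ("ip6tables",)
    return Listener(proto, bound, port, exposure, families)


def audit(netstat_text: str) -> Dict[Tuple[str, int], Listener]:
    """Bound sockets keyed by (proto, port); established connections are skipped."""
    result: Dict[Tuple[str, int], Listener] = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue
        proto, local, foreign = fields[0], fields[3], fields[4]
        state = fields[5] if len(fields) > 5 else ""
        if proto.startswith("tcp") and state != "LISTEN":
            continue
        # UDP has no LISTEN state: a bound socket with a wildcard peer is a listener.
        if proto.startswith("udp") and not foreign.endswith(":*"):
            continue
        bound, port = split_endpoint(local)
        result[(proto, port)] = classify(proto, bound, port)
    return result


def exposed(netstat_text: str) -> List[Tuple[str, int]]:
    """Sockets a client on another host could reach: the check behind the
    question's concern about making the service available on the WAN side."""
    return sorted((l.proto, l.port) for l in audit(netstat_text).values()
                  if l.exposure != "loopback-only")


if __name__ == "__main__":
    for _, l in sorted(audit(NETSTAT_SAMPLE).items()):
        print(f"{l.proto:5} {str(l.bound):>22}:{l.port:<5} {l.exposure:18} {'+'.join(l.families)}")
```

Run against the question's output, the 7060 listener comes out as loopback-only and filtered by iptables, while the `:::5060` and `:::23` listeners are reachable on every interface through both iptables and ip6tables.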
2 Answers


















1














When the response packets come back from port 7060 and are sent to the router, these packets also need a sender mask operation, to mask the packets' source address to the router's address (127.0.0.1) and port to 24. So you need to add a SNAT iptables rule to make it work.



iptables -t nat -A POSTROUTING -p tcp --sport 7060 -j MASQUERADE --to-ports 24


Even though the packets are generated by localhost, they will also go into the POSTROUTING chain.
The REDIRECT operation automatically does these two things for you, but if your service is on another server in your local net, you have to use SNAT and DNAT.






answered Dec 15 '17 at 6:45
Frio
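Frio's last sentence draws the line between a service on the NAT host itself and one on another server. The model below is an added example, not the answer's code; it mimics the part of connection tracking that matters here: every reply that passes back through the NAT host is matched against the conntrack entry and un-DNATed automatically, so an extra SNAT or MASQUERADE rule changes the outcome only when the backend could otherwise answer the client directly, bypassing the NAT host. The addresses 10.200.32.98 (the device) and 10.200.32.44 (the telnet client) and the client port 53162 are taken from the question's netstat output; 10.200.32.50 and 192.168.1.10 are constructed backend addresses, and the one-/24-per-LAN test and the ephemeral port 40000 are simplifications of mine.

```python
"""Model of DNAT plus connection tracking on a NAT host, showing when a
reply is translated back automatically and when SNAT is also required.

Added example; not the answer's code. 10.200.32.98 (NAT host / device) and
10.200.32.44 (client) come from the question; backend addresses, the /24
LAN test and the ephemeral port are constructed."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

GATEWAY = "10.200.32.98"
CLIENT = "10.200.32.44"
PUBLIC_PORT = 24


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def swapped(self) -> "Packet":
        """The tuple a receiver uses when it answers this packet."""
        return Packet(self.dst, self.dport, self.src, self.sport)


class NatGateway:
    """nat table (PREROUTING DNAT, optional POSTROUTING SNAT) plus the
    conntrack entry that lets replies be translated back."""

    def __init__(self, backend: Tuple[str, int], snat: bool) -> None:
        self.backend = backend
        self.snat = snat
        # reply-direction 4-tuple -> original (pre-NAT) packet
        self.conntrack: Dict[Tuple[str, int, str, int], Packet] = {}

    def prerouting(self, pkt: Packet) -> Optional[Packet]:
        """-t nat -A PREROUTING -p tcp --dport 24 -j DNAT --to backend."""
        if (pkt.dst, pkt.dport) != (GATEWAY, PUBLIC_PORT):
            return None  # rule does not match; nothing is translated
        out = replace(pkt, dst=self.backend[0], dport=self.backend[1])
        if self.snat:
            # POSTROUTING SNAT/MASQUERADE: the backend sees the NAT host as the client
            out = replace(out, src=GATEWAY, sport=40000)  # constructed ephemeral port
        self.conntrack[(out.dst, out.dport, out.src, out.sport)] = pkt
        return out

    def reply(self, pkt: Packet) -> Optional[Packet]:
        """A reply passing through the NAT host: reverse the translation."""
        orig = self.conntrack.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is None:
            return None  # no conntrack entry, so nothing can be un-NATed
        return orig.swapped()


def same_lan(a: str, b: str) -> bool:
    """Constructed simplification: one /24 per LAN."""
    return a.rsplit(".", 1)[0] == b.rsplit(".", 1)[0]


def client_gets_valid_reply(backend: Tuple[str, int], snat: bool) -> bool:
    """Client connects to GATEWAY:24. True if the reply it receives carries the
    source tuple it connected to (GATEWAY:24); otherwise the client's TCP stack
    discards it as belonging to no known connection."""
    nat = NatGateway(backend, snat)
    syn = Packet(CLIENT, 53162, GATEWAY, PUBLIC_PORT)
    at_backend = nat.prerouting(syn)
    answer = at_backend.swapped()
    if answer.dst == GATEWAY or not same_lan(backend[0], answer.dst):
        # Addressed to the NAT host, or routed through it: conntrack sees the
        # reply and reverses the DNAT (and the SNAT, if any).
        delivered = nat.reply(answer)
    else:
        # Backend and client share a LAN: the reply goes directly, bypassing
        # the NAT host, with the backend's own address as its source.
        delivered = answer
    return delivered is not None and (delivered.src, delivered.sport) == (GATEWAY, PUBLIC_PORT)


SCENARIOS = {
    "loopback backend, DNAT only": (("127.0.0.1", 7060), False),
    "LAN backend, DNAT only": (("10.200.32.50", 7060), False),
    "LAN backend, DNAT + SNAT": (("10.200.32.50", 7060), True),
    "remote-subnet backend, DNAT only": (("192.168.1.10", 7060), False),
}


def run_all() -> Dict[str, bool]:
    return {name: client_gets_valid_reply(*args) for name, args in SCENARIOS.items()}


if __name__ == "__main__":
    for name, ok in run_all().items():
        print(f"{name:35} {'reply reaches client' if ok else 'reply dropped by client'}")
```

In the model only the second scenario fails: the LAN backend answers 10.200.32.44 directly from 10.200.32.50:7060, so the client never sees a reply from 10.200.32.98:24 and drops it, and SNAT fixes that by forcing the reply back through the NAT host. One thing the model leaves out, and which is worth checking on the question's setup: Linux does not route a packet that arrived on a non-loopback interface to a 127.0.0.0/8 destination unless the per-interface sysctl net.ipv4.conf.eth0.route_localnet is set to 1 (the knob exists in kernels from 3.6 on), so a packet DNATed to 127.0.0.1 is dropped after PREROUTING regardless of any SNAT rule. Binding the service to the device's own address and limiting who may reach it with an INPUT filter rule avoids that dependency while still keeping it off the WAN side.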

-1

I think you must use --sport 24 instead of --dport 24, because the traffic is incoming, not outgoing. Although, as Garrett said, probably you must use ip6tables...






edited Mar 20 '17 at 10:17
Community
answered Feb 10 '12 at 8:35
xOneca
  • 1

    wrong, the incoming connection has the destination port 24, thus --dport should be used. Usually the source port (from the connecting client) is assigned randomly for every.

    – hultqvist
    Apr 12 '13 at 8:37













