How to redirect/forward a port locally
Andrew Henderson
I want to forward port 500 to port 2500 within the same host and the following was working on Lubuntu 16.04, but after rebooting and re-running iptables commands, I can't get it to work:
iptables -t nat -A PREROUTING -p udp -d 192.168.1.10 --dport 500 -j DNAT --to-destination 192.168.1.10:2500
iptables -A FORWARD -p udp -d 192.168.1.10 --dport 2500 -j ACCEPT

where 192.168.1.10 is the IP of my local host.
To test in one session I run netcat:
nc -u 192.168.1.10 500

and in a 2nd session run:

nc -l -u 500

and in a 3rd session run:

nc -l -u 2500

So I want data I enter in session 1 to be received on session 3, not session 2, which I did have working, but can't get it working again.
I also tried:
iptables -t nat -A PREROUTING -p udp --dport 500 -j REDIRECT --to-port 2500

but packets are still being received on port 500, not 2500.
ufw is disabled and to make sure iptables is working I tried:
iptables -A INPUT -p udp --dport 500 -j DROP

and then packets were not received on port 500 or 2500, as expected. Port forwarding is enabled:

# cat /proc/sys/net/ipv4/ip_forward
1

Session output below:
root@mike-TravelMate-8371:~/nat/out# iptables -t nat -S;iptables -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -d 192.168.1.10/32 -p udp -m udp --dport 500 -j DNAT --to-destination 192.168.1.10:2500
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -d 192.168.1.10/32 -p udp -m udp --dport 2500 -j ACCEPT
root@mike-TravelMate-8371:~/nat/out# nohup nc -l -u 2500 > nc_2500.out &
[1] 29806
root@mike-TravelMate-8371:~/nat/out# nohup: ignoring input and redirecting stderr to stdout
root@mike-TravelMate-8371:~/nat/out# nohup nc -l -u 500 > nc_500.out &
[2] 29810
root@mike-TravelMate-8371:~/nat/out# nohup: ignoring input and redirecting stderr to stdout
root@mike-TravelMate-8371:~/nat/out# jobs
[1]- Running nohup nc -l -u 2500 > nc_2500.out &
[2]+ Running nohup nc -l -u 500 > nc_500.out &
root@mike-TravelMate-8371:~/nat/out# nc -u 192.168.1.10 500
test forwarding UDP port 500 to 2500
^C
[2]+ Done nohup nc -l -u 500 > nc_500.out
root@mike-TravelMate-8371:~/nat/out# head nc*.out
==> nc_2500.out <==
==> nc_500.out <==
test forwarding UDP port 500 to 2500
root@mike-TravelMate-8371:~/nat/out# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever
2: enp2s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000 link/ether 00:1e:33:24:98:86 brd ff:ff:ff:ff:ff:ff
3: wlp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000 link/ether 00:22:fb:64:bd:42 brd ff:ff:ff:ff:ff:ff inet 192.168.1.10/24 brd 192.168.1.255 scope global dynamic wlp1s0 valid_lft 85651sec preferred_lft 85651sec inet6 fd58:7f66:569d:5300:c5df:415:6c56:50d6/64 scope global temporary dynamic valid_lft 6788sec preferred_lft 3188sec inet6 fd58:7f66:569d:5300:75d:bbe9:652e:6587/64 scope global mngtmpaddr noprefixroute dynamic valid_lft 6788sec preferred_lft 3188sec inet6 fe80::e214:14f8:d95c:73a7/64 scope link valid_lft forever preferred_lft forever
4: vboxnet0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000 link/ether 0a:00:27:00:00:00 brd ff:ff:ff:ff:ff:ff inet 192.168.56.1/24 brd 192.168.56.255 scope global vboxnet0 valid_lft forever preferred_lft forever inet6 fe80::800:27ff:fe00:0/64 scope link valid_lft forever preferred_lft forever
root@mike-TravelMate-8371:~/nat/out# ip route
default via 192.168.1.1 dev wlp1s0 proto static metric 600
192.168.1.0/24 dev wlp1s0 proto kernel scope link src 192.168.1.10 metric 600
192.168.56.0/24 dev vboxnet0 proto kernel scope link src 192.168.56.1 linkdown

The reason I want to forward ports is that I want to set up a VPN between an external server and a guest running in VirtualBox. The Vbox guest is using the "NAT" network, so Vbox has its own port forwarding to forward ports to the VM, which has IP 10.0.2.15, so in Vbox the port forwarding rules are:
- TCP Host 2222 to Vbox guest 22
- UDP Host 4500 to Vbox guest 4500
- UDP Host 2500 to Vbox guest 500
The first means I can ssh to guest using "ssh -p 2222 root@192.168.1.10"
The second means I can send UDP packets on 4500, so I can send packets using "nc -u 192.168.1.10 4500" from host and I can see them being received on Vbox guest using "nc -l -u 4500" (the packets are NOT seen if you run "nc -l -u 4500" on the host)
The third is because Vbox will NOT forward reserved ports under 1024 so I cannot forward port 500, so with this rule I can use "nc -u 192.168.1.10 2500" on host and receive UDP packets on Vbox guest using "nc -l -u 500".
So I want to forward ports on UDP 500 on host to port 2500 so these are forwarded by Vbox to port 500 on the guest and this was working, but after rebooting and re-running iptables commands it didn't work and after several hours working on this I cannot figure out what I have done differently.
I have tried setting up iptables (and Vbox) with TCP forwarding and this doesn't work either; I have tried ufw, and I have tried forwarding local ports with and without Vbox running, and ports are never forwarded.
I have also tried forwarding port to a non-existent IP:
iptables -t nat -A PREROUTING -p udp -d 192.168.1.10 --dport 500 -j DNAT --to-destination 192.168.1.30:500
iptables -A FORWARD -p udp -d 192.168.1.30 --dport 500 -j ACCEPT

So here IP 192.168.1.30 does not exist, but if I run "nc -u 192.168.1.10 500" in one session then I can still receive packets listening on the host (IP 192.168.1.10).
I have tried forwarding TCP port 3222 to port 22 so that I can test without netcat, but this doesn't work either:
root@mike-TravelMate-8371:~/nat# iptables -t nat -S;iptables -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -d 192.168.1.10/32 -p tcp -m tcp --dport 3222 -j DNAT --to-destination 192.168.1.10:22
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -d 192.168.1.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
root@mike-TravelMate-8371:~/nat# telnet 192.168.1.10 22
Trying 192.168.1.10...
Connected to 192.168.1.10.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4
^C
Connection closed by foreign host.
root@mike-TravelMate-8371:~/nat# telnet 192.168.1.10 3222
Trying 192.168.1.10...
telnet: Unable to connect to remote host: Connection refused
root@mike-TravelMate-8371:~/nat#

So here I can reach the ssh port directly using port 22, but I can't via 3222, so forwarding is not working.
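An added check (my own script, not part of the question or the answer) that parses the 'iptables -t nat -S' dump quoted above and flags DNAT/REDIRECT rules that exist only in PREROUTING. Packets generated by a process on the same host, such as the 'nc -u 192.168.1.10 500' test, never traverse PREROUTING; they pass through the nat OUTPUT chain, so the script also prints the OUTPUT rule it assumes is the counterpart. The function names and report format are my own.

```python
import re

# Constructed sample: the nat-table part of the 'iptables -t nat -S' dump from the question.
SAMPLE_NAT_DUMP = """\
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -d 192.168.1.10/32 -p udp -m udp --dport 500 -j DNAT --to-destination 192.168.1.10:2500
"""

def parse_nat_rules(dump):
    """Turn the '-A' lines of an 'iptables -t nat -S' dump into dicts; '-P' policy lines are skipped."""
    rules = []
    for line in dump.splitlines():
        m = re.match(r"-A (\S+) (.*)", line)
        if not m:
            continue
        chain, rest = m.groups()
        opts = dict(re.findall(r"(--?[a-z-]+) (\S+)", rest))  # option/value pairs, e.g. '--dport 500'
        rules.append({"chain": chain, "dst": opts.get("-d"), "proto": opts.get("-p"),
                      "dport": opts.get("--dport"), "target": opts.get("-j"),
                      "to": opts.get("--to-destination") or opts.get("--to-ports")})
    return rules

def dnat_rules_missed_by_local_traffic(rules):
    """DNAT/REDIRECT rules that exist only in PREROUTING. A packet generated by a process on
    this host (such as the 'nc -u 192.168.1.10 500' test) never enters PREROUTING; it goes
    through the nat OUTPUT chain, so a PREROUTING-only rule cannot rewrite it."""
    rewrite = ("DNAT", "REDIRECT")
    covered = {(r["proto"], r["dport"]) for r in rules
               if r["chain"] == "OUTPUT" and r["target"] in rewrite}
    return [r for r in rules if r["chain"] == "PREROUTING" and r["target"] in rewrite
            and (r["proto"], r["dport"]) not in covered]

def suggested_output_rule(rule):
    """The nat OUTPUT counterpart of a PREROUTING rule, as an iptables command string."""
    base = f"iptables -t nat -A OUTPUT -p {rule['proto']}"
    if rule["dst"]:
        base += f" -d {rule['dst']}"
    if rule["target"] == "DNAT":
        return f"{base} --dport {rule['dport']} -j DNAT --to-destination {rule['to']}"
    return f"{base} --dport {rule['dport']} -j REDIRECT --to-ports {rule['to']}"

def report(dump):
    """Suggested OUTPUT rules for a dump; an empty list means local traffic is already covered."""
    return [suggested_output_rule(r) for r in dnat_rules_missed_by_local_traffic(parse_nat_rules(dump))]

if __name__ == "__main__":
    for cmd in report(SAMPLE_NAT_DUMP):
        print("PREROUTING-only rewrite rule; traffic from this host also needs:", cmd)
```

Run it against your own 'iptables -t nat -S' output to see which rewrite rules a same-host netcat test would never hit; the FORWARD rules in the question are irrelevant to that test for the same reason, since a packet delivered to a local address goes through INPUT, not FORWARD.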
Answer
Iptables rules are not persistent across reboot. You might have to add the rules back after reboot or use iptables-save / iptables-persistent. Refer to this link: How can I make a specific set of iptables rules permanent?