Resolved
0 votes
Hello all,
For my client, I need to make an IP and port redirection for the new IP phones. I'm doing something wrong but... I don't know what exactly:
Here's my rule :

The idea is to redirect what is coming from MyExternalIP on port 12741 to my internal phone having the IP 192.168.1.81 on port 80

$IPTABLES -t nat -A PREROUTING -s MyExternalIP/28 -p tcp --dport 12741 -j DNAT --to-destination 192.168.1.81:80 


If someone has an idea, it's very welcome :)
Monday, October 08 2018, 12:23 PM
Responses (15)
  • Tuesday, October 16 2018, 05:14 PM
    0 votes
    so stupid I was...
    And Nick asked me which version I was on..
    Of course my rules were not working.... I requested some help from the support and they told me my system was ClearOS 6; I was so sure I was under version 7 !?! : $IPTABLES is not working under that version !! :D :D and sorry for that Nick
    Now it works fine ;)
  • Monday, October 08 2018, 04:26 PM
    0 votes
    Yes, to remove rules change -I or -A to -D or you have to do it by line numbers.
  • Monday, October 08 2018, 03:18 PM
    0 votes
    Can I remove the line with the IP source 1.2.3.0/28 ... with the following command?

    iptables -t nat -D PREROUTING -p tcp -i eth0 -s 1.2.3.0/28 --dport 12718 -j DNAT --to-destination 172.17.2.118:1818
  • Monday, October 08 2018, 03:10 PM
    0 votes
    Yes, I tried.
    As I have 3 forwarding rules to create, I made the second one on the command line and it worked ... here's the entry:
    iptables -t nat -A PREROUTING -p tcp -i eth0 -s 84.253.14.32/28 --dport 12741 -j DNAT --to-destination 192.168.1.81:80


    [root@srv-cos ~]# iptables -nvL -t nat
    Chain PREROUTING (policy ACCEPT 52 packets, 10115 bytes)
    pkts bytes target prot opt in out source destination
    0 0 DNAT tcp -- * * 0.0.0.0/0 146.4.6.162 tcp dpt:3391 to:192.168.1.11:3389
    0 0 DNAT tcp -- eth0 * 1.2.3.0/28 0.0.0.0/0 tcp dpt:12718 to:172.17.2.118:1818
    0 0 DNAT tcp -- eth0 * 84.253.14.32/28 0.0.0.0/0 tcp dpt:12741 to:192.168.1.81:80



    But when I paste the same line into the web custom rule, I get the error:
    Command is not permitted.
    $IPTABLES -t nat -A PREROUTING -p tcp -i eth0 -s 84.253.14.32/28 --dport 12741 -j DNAT --to-destination 192.168.1.81:80
  • Monday, October 08 2018, 02:57 PM
    0 votes
    Something weird going on here. I copied your rule directly and it worked even though the interface does not exist on my system nor the LAN IP:
    [root@server ~]# iptables -nvL -t nat
    Chain PREROUTING (policy ACCEPT 58 packets, 7423 bytes)
    pkts bytes target prot opt in out source destination
    0 0 DNAT tcp -- eth0 * 84.253.14.0/24 0.0.0.0/0 tcp dpt:12718 to:192.168.1.81:1818
    65 8232 DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
    55 7045 MINIUPNPD all -- enp2s0 * 0.0.0.0/0 0.0.0.0/0

    Did you enable the Custom rule?
  • Monday, October 08 2018, 02:46 PM
    0 votes
    OK, I entered my rule on the command line, replacing $IPTABLES with iptables, then ran iptables -nvL -t nat and here's the result.
    It seems there's something about my rule that I don't understand: the IP source is 1.2.3.0/28 and the destination is 172.17.2.118?

    really strange..


    [root@srv-cos ~]# iptables -nvL -t nat

    Chain PREROUTING (policy ACCEPT 121 packets, 20211 bytes)
    pkts bytes target prot opt in out source destination
    0 0 DNAT tcp -- * * 0.0.0.0/0 146.4.6.162 tcp dpt:3391 to:192.168.1.11:3389
    0 0 DNAT tcp -- eth0 * 1.2.3.0/28 0.0.0.0/0 tcp dpt:12718 to:172.17.2.118:1818

    Chain POSTROUTING (policy ACCEPT 1 packets, 60 bytes)
    pkts bytes target prot opt in out source destination
    47 2611 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir out pol ipsec
    0 0 ACCEPT all -- * tun+ 0.0.0.0/0 0.0.0.0/0
    0 0 SNAT tcp -- * * 192.168.1.0/24 192.168.1.11 tcp dpt:3389 to:192.168.1.1
    894 58903 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0

    Chain OUTPUT (policy ACCEPT 28 packets, 2032 bytes)
    pkts bytes target prot opt in out source destination
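    An added example (not part of the thread, not ClearOS code) for checking a saved iptables -nvL -t nat listing against the rule you meant to load. It embeds the PREROUTING chain from the listing above, and asks two questions: is the intended phone rule (source 84.253.14.32/28, port 12741, to 192.168.1.81:80) present, and is the test rule copied from the other post (1.2.3.0/28 to 172.17.2.118:1818) still loaded? The function name nat_has_dnat and its argument layout are my own; the column positions it relies on are those of iptables -nvL output.

```shell
#!/bin/sh
# Added example, not from the thread or ClearOS. The listing is copied from the
# poster's `iptables -nvL -t nat` output above (PREROUTING and a trimmed
# POSTROUTING chain); in real use replace it with: NAT_LISTING=$(iptables -nvL -t nat)
NAT_LISTING='Chain PREROUTING (policy ACCEPT 121 packets, 20211 bytes)
 pkts bytes target prot opt in out source destination
    0     0 DNAT tcp -- * * 0.0.0.0/0 146.4.6.162 tcp dpt:3391 to:192.168.1.11:3389
    0     0 DNAT tcp -- eth0 * 1.2.3.0/28 0.0.0.0/0 tcp dpt:12718 to:172.17.2.118:1818

Chain POSTROUTING (policy ACCEPT 1 packets, 60 bytes)
 pkts bytes target prot opt in out source destination
  894 58903 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0'

# nat_has_dnat LISTING SRC DPORT TO
# Looks only inside the PREROUTING chain for a DNAT rule whose source column is
# SRC and whose match/target text carries "dpt:DPORT" and "to:TO".
# Prints the matching line(s); exit status 0 if found, 1 if not.
# Column layout of -nvL: pkts bytes target prot opt in out source destination [extra...]
nat_has_dnat() {
    listing=$1 src=$2 dport=$3 to=$4
    printf '%s\n' "$listing" | awk -v src="$src" -v dport="$dport" -v to="$to" '
        /^Chain / { chain = $2; next }
        chain == "PREROUTING" && $3 == "DNAT" && $8 == src {
            has_port = 0; has_to = 0
            for (i = 10; i <= NF; i++) {
                if ($i == ("dpt:" dport)) has_port = 1
                if ($i == ("to:" to))     has_to = 1
            }
            if (has_port && has_to) { print; hit = 1 }
        }
        END { exit (hit ? 0 : 1) }'
}

# The intended phone rule is absent; the example rule copied from the other post
# is what actually got loaded and should be removed again (-D with the same arguments).
if ! nat_has_dnat "$NAT_LISTING" 84.253.14.32/28 12741 192.168.1.81:80; then
    echo "intended DNAT rule (84.253.14.32/28 -> 192.168.1.81:80) is missing"
fi
if nat_has_dnat "$NAT_LISTING" 1.2.3.0/28 12718 172.17.2.118:1818 >/dev/null; then
    echo "stale test rule 1.2.3.0/28 -> 172.17.2.118:1818 is still loaded"
fi
```

    Matching on the source column and on both dpt: and to: (rather than just grepping for the internal IP) is what distinguishes the rule you intended from a leftover test rule that happens to point at a similar place; leftover NAT entries from copy-pasted examples are exactly the kind of thing that survives on a firewall unnoticed.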
  • Monday, October 08 2018, 02:29 PM
    0 votes
    Yes, I'm using ClearOS 7. Here's my exact rule:

    $IPTABLES -t nat -A PREROUTING -p tcp -i eth0 -s 84.253.14.32/24 --dport 12718 -j DNAT --to-destination 192.168.1.81:1818


    thanks :)

    But I have the port forwarding and 1-to-1 NAT modules activated. I don't know if this can be a problem...
  • Monday, October 08 2018, 02:27 PM
    0 votes
    I did the first as a test a few minutes ago and it worked directly:
    $IPTABLES -t nat -A PREROUTING -p tcp -i eth0 -s 1.2.3.4/24 --dport 12718 -j DNAT --to-destination 172.17.2.118:1818
    Are you using ClearOS 7? The firewall won't know the concept of reserving a port. Can you copy and paste your exact rule?
  • Monday, October 08 2018, 02:06 PM
    0 votes
    OK, thanks Nick,
    But when I put my first rule in my custom firewall I get an error: Command is not permitted. I really don't know what could be wrong. Maybe the port numbers are reserved?
  • Monday, October 08 2018, 02:04 PM
    0 votes
    Stupid question. Where are you seeing "command not permitted"? At the command line? If so use "iptables" and not "$IPTABLES". When you do a custom firewall rule change "iptables" to "$IPTABLES" (or at least "iptables -w")
  • Monday, October 08 2018, 01:58 PM
    0 votes
    The first rule looks OK. The second rule is a little OTT and has the wrong destination:
    $IPTABLES -A FORWARD -p tcp -s <externalproviderIP>/24 -d <internal_destination_IP> --dport 1818 -j ACCEPT
    The "state" stuff is probably OK but a waste of time as you've selected just about all states except the rarer INVALID.
  • Monday, October 08 2018, 01:48 PM
    0 votes
    ... so I found an example in the ClearOS documentation. I just changed the IP address and the port but I still get the following error: Command is not permitted

    $IPTABLES -t nat -A PREROUTING -p tcp -i eth0 -s <externalproviderIP>/24 --dport 12718 -j DNAT --to-destination myinternalip:1818
    $IPTABLES -A FORWARD -p tcp -s <externalproviderIP>/24 -d <externalproviderIP> --dport 1818 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  • Monday, October 08 2018, 01:33 PM
    0 votes
    Hello Nick,
    According to the phone company, I need to open port TCP 12741 on my ClearOS for their specific IP and redirect it to my internal 192.168.1.81 on port 80

    I tried that too, but it's refused:

    $iptables -t nat -A PREROUTING -i eth0 -s <PhoneProviderIP> -p tcp --dport 12741 -j DNAT --to 192.1681.1.81:80


    Should I first allow incoming access on port 12741 for my provider IP and then, with a following rule, redirect it to my internal IP (192.168.1.81:81)?

    thanks :)
  • Monday, October 08 2018, 01:21 PM
    0 votes
    No. A port forward consists of 2 or 3 rules, a FORWARD, PREROUTING and POSTROUTING rule. You will also need a FORWARD rule but your rules are inconsistent. Are you natting to port 80 or 1818 **using the natted port number**? I think you DNAT to IP:port (I don't see a --to-ports in the man pages) and you may want to specify the source IP and final destination IP in the FORWARD rule.

    Don't worry about the POSTROUTING rule. It probably does not matter.
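    An added example (not from the thread or from ClearOS) of the PREROUTING/FORWARD pair just described, written so both rules come from one set of parameters: the FORWARD rule then always names the post-DNAT destination (internal IP and internal port), which is the inconsistency between port 80 and 1818 pointed out above. The $IPTABLES prefix is the ClearOS custom-firewall convention from this thread; the function names portfwd_rules and portfwd_rules_cli and the argument order are my own, and the demo values (eth0, 84.253.14.32/28, 12741, 192.168.1.81:80) are the poster's.

```shell
#!/bin/sh
# Added example, not from the thread or from ClearOS. Emits the two rules that
# make up one port forward, in the $IPTABLES form used for ClearOS custom rules.
#
# usage: portfwd_rules ACTION EXT_IF SRC_NET EXT_PORT INT_IP INT_PORT
#   ACTION   -A to append, -D to delete the identical rules again later
#   EXT_IF   external interface (eth0 in the thread)
#   SRC_NET  only this source may reach the forward (84.253.14.32/28 in the thread)
#   EXT_PORT port the provider connects to; INT_IP:INT_PORT where it really goes
portfwd_rules() {
    action=$1 ext_if=$2 src_net=$3 ext_port=$4 int_ip=$5 int_port=$6
    # PREROUTING (nat): rewrite SRC_NET -> EXT_IF:EXT_PORT into INT_IP:INT_PORT
    printf '%s\n' "\$IPTABLES -t nat $action PREROUTING -i $ext_if -s $src_net -p tcp --dport $ext_port -j DNAT --to-destination $int_ip:$int_port"
    # FORWARD (filter): seen after DNAT, so match the internal IP and port, not EXT_PORT
    printf '%s\n' "\$IPTABLES $action FORWARD -i $ext_if -s $src_net -d $int_ip -p tcp --dport $int_port -j ACCEPT"
}

# Command-line form for testing by hand (as advised above: drop the "$", use iptables -w).
portfwd_rules_cli() {
    portfwd_rules "$@" | sed 's/^\$IPTABLES/iptables -w/'
}

# Demo with the thread's values: the add form, then the matching delete form.
portfwd_rules -A eth0 84.253.14.32/28 12741 192.168.1.81 80
portfwd_rules -D eth0 84.253.14.32/28 12741 192.168.1.81 80
```

    Generating the -D form from the same function matters because iptables -D only finds a rule whose match options are identical to the ones it was added with; a rule deleted by hand with a slightly different spelling stays in the table, which is how stale DNAT entries accumulate.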
  • Monday, October 08 2018, 01:05 PM
    0 votes
    ok, it seems that this rule is accepted but has no effect :(

    iptables -A PREROUTING -t nat -s MyExternalIP/28 -d <MyClearOSPublicIP>  -p tcp --dport 12718 -j DNAT --to-destination 192.168.1.81 --to-ports 1818


    maybe restarting ?