android - Why is this iptables rule that does port forwarding not working?

01
2013-08
  • videoguy

    I have a server bound to localhost:7060. It is using an IPv6 socket instead of IPv4. Below is the netstat output.

    # netstat -an
    Proto Recv-Q Send-Q Local Address          Foreign Address        State
     tcp       0      0 10.200.32.98:1720      0.0.0.0:*              LISTEN
     tcp       0      0 0.0.0.0:4122           0.0.0.0:*              LISTEN
     tcp       0      0 0.0.0.0:4123           0.0.0.0:*              LISTEN
     tcp       0      0 127.0.0.1:4123         127.0.0.1:43051        ESTABLISHED
     tcp       0      0 10.200.32.98:5555      10.200.32.44:53162     ESTABLISHED
    tcp6       0      0 :::5060                :::*                   LISTEN
    tcp6       0      0 ::ffff:127.0.0.1:7060  :::*                   LISTEN
    tcp6       0      0 :::23                  :::*                   LISTEN
    tcp6       0      0 ::ffff:10.200.32.98:23 ::ffff:10.200.32.142:43505 ESTABLISHED
    tcp6       0      0 ::ffff:127.0.0.1:43051 ::ffff:127.0.0.1:4123  ESTABLISHED
    tcp6       0      0 ::ffff:10.200.32.98:23 ::ffff:10.200.32.44:53195 ESTABLISHED
    udp6       0      0 :::5060                :::*                   CLOSE
    # 
    

    I want to setup a port forwarding rule that accepts connections on port 24 (on all interfaces loopback as well as eth0) and forward the data to localhost:7060.

    This is how I am setting up the iptables rule:

    iptables -t nat -A PREROUTING -p tcp --dport 24 -j DNAT --to 127.0.0.1:7060

    It is not working. When I telnet from a different box, I see the following:

    $telnet 10.200.32.98 24
    Trying 10.200.32.98...

    If I change the server to bind to *:7060 and set the following rule, it seems to work fine.

    iptables -t nat -A PREROUTING -p tcp --dport 24 -j REDIRECT --to-port 7060

    But that will make my server available on WAN interface which I don't like.

    I feel it has something to do with the IPv6 socket (the tcp6 line in the netstat output). This whole thing is done on an Android device with a custom-built Android platform image.

    How do I get this working?
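An added example, not code from the question or from any answer: the security concern in the post is which listeners are reachable beyond loopback, and the tcp6 line `::ffff:127.0.0.1:7060` is an IPv4-mapped loopback bind on a dual-stack socket, so it is loopback-only despite the "tcp6" label. The parser below reads `netstat -an` output (the sample is the question's own listing, trimmed) and classifies each listening socket as loopback, any-interface, or a specific address, handling the `::ffff:` mapped form.

```python
import ipaddress

# Sample input: the LISTEN rows from the question's netstat output (trimmed).
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address          Foreign Address        State
tcp        0      0 10.200.32.98:1720      0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:4122           0.0.0.0:*              LISTEN
tcp        0      0 127.0.0.1:4123         127.0.0.1:43051        ESTABLISHED
tcp6       0      0 :::5060                :::*                   LISTEN
tcp6       0      0 ::ffff:127.0.0.1:7060  :::*                   LISTEN
tcp6       0      0 :::23                  :::*                   LISTEN
udp6       0      0 :::5060                :::*                   CLOSE
"""


def split_host_port(local):
    """Split a netstat 'Local Address' such as ':::23' or '::ffff:127.0.0.1:7060'.
    The port follows the last colon; everything before it is the host part."""
    host, _, port = local.rpartition(":")
    return host, int(port)


def classify(host):
    """Return 'loopback', 'any' (wildcard bind) or 'addr' (specific address)."""
    addr = ipaddress.ip_address(host)
    # ::ffff:a.b.c.d is an IPv4 address seen through a dual-stack IPv6 socket;
    # judge it by the embedded IPv4 address, not by the tcp6 label.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if addr.is_unspecified:          # 0.0.0.0 or ::
        return "any"
    return "loopback" if addr.is_loopback else "addr"


def listeners(text):
    """Yield (proto, host, port, scope) for every TCP socket in LISTEN state."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] not in ("tcp", "tcp6") or f[5] != "LISTEN":
            continue
        host, port = split_host_port(f[3])
        out.append((f[0], host, port, classify(host)))
    return out


def exposed(text):
    """Ports listening on something other than loopback (reachable from eth0)."""
    return sorted({port for _, _, port, scope in listeners(text) if scope != "loopback"})


if __name__ == "__main__":
    for proto, host, port, scope in listeners(NETSTAT_SAMPLE):
        print(f"{proto:5} {host:18} {port:5} {scope}")
    print("exposed beyond loopback:", exposed(NETSTAT_SAMPLE))
```

Run it over `netstat -an` output from the device to see which ports are reachable from eth0 before and after adding a forwarding rule.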

  • Answers
  • xOneca

    I think you must use --sport 24 instead of --dport 24, because the traffic is incoming, not outgoing. Although, as Garret said, you probably must use ip6tables...




    Related Question

    Ubuntu 11.04 server iptables port forwarding
  • Stef

    I'm pretty new to iptables. My server has two Ethernet cards (eth0, eth1) and an ADSL router in bridge mode connected to eth0, which creates ppp0 when dialed.

    I'm trying to forward external port 80 to my local machine (192.168.2.2) connected on eth1.

    My Internet sharing is done by:

    iptables -t nat -A POSTROUTING -s 192.168.2.0/255.255.255.0 -o ppp0 -j MASQUERADE
    

    (if there is a better way feel free to show me)

    I am trying to use:

    iptables -A FORWARD -i eth1 -p tcp --dport 80 -j ACCEPT
    iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 80 -j DNAT --to-destination 192.168.2.2:80
    

    but I don't know to which Ethernet interface I should be pointing it. Any ideas?


  • Related Answers
  • grawity

    If you are accessing the Internet through ppp0, that's what you should use for -i in both commands. (Check the default route in ip -4 route to be sure.)

  • kobaltz

    Check out http://www.hackorama.com/network/portfwd.shtml. It has a very good and detailed explanation of what you're trying to do.