iptables Tips and Tricks - Port Redirection

December 26, 2011

One of the most challenging and rewarding aspects of Linux administration is the iptables firewall. To the unenlightened, this can be a confusing black box that breaks your web server and blocks your favorite visitors from viewing your content at the most inconvenient times. This blog is the first in a series aimed at clarifying this otherwise mysterious force at work in your server.

Nothing compares with the frustration of trying to make a program listen on a different port, for example if you wanted your mail clients to connect on port 2525. Many times, configuring a program the hard way (some would say the "correct" way) using configuration files may not be worth your time and effort, especially if the server is running a control panel that does not natively support this functionality.

Fortunately, iptables offers an elegant solution:

iptables -t nat -A PREROUTING -p tcp --dport 2525 -j REDIRECT --to-ports 25

What this does:

  1. It specifies -t nat to select the nat table. Rules are normally added to the filter table (when no table is specified), and that is where the majority of traffic is handled. In this case, however, we require the nat table.
  2. The rule is appended (-A), which means it is added at the bottom of the chain.
  3. The rule is added to the PREROUTING chain.
  4. It matches the tcp protocol (-p tcp).
  5. The destination port (--dport) is 2525. This is the port the client is trying to reach on your server.
  6. Matching traffic jumps (-j) to the REDIRECT target. This is the action taken when the rule matches.
  7. The connection is redirected to port 25 on the server (--to-ports 25).

As you can see, by changing the protocol to tcp or udp, or by adjusting the dport and to-ports numbers, you can redirect any incoming port to any listening port on the server. Just remember that dport is the port the client machine is trying to connect to (the port configured in the mail client, for example).

But check this out: Say for example you have a website (shocking, I know). You don't have a load balancer or a firewall set up, but you want to split off your email traffic to a second server to reduce strain on your web server. Essentially, you want to take incoming port 25 and redirect it ... to ANOTHER SERVER. With iptables, you can make this work:

iptables -t nat -A PREROUTING -p tcp -d 123.123.123.123 --dport 25 -j DNAT --to-destination 10.10.10.10:25

What this does:

  1. It specifies a destination (-d) IP address. This is not required, but if you want to limit the email redirection to a single address on the server, this is how you do it.
  2. It jumps to DNAT, which stands for destination NAT.
  3. The new destination address and port are given as the argument to --to-destination.

As you can see, this forwards all traffic on port 25 to an internal IP address.

Now, say you want to redirect from a different incoming port to a port on another server:

iptables -t nat -A PREROUTING -p tcp --dport 5001 -j DNAT --to-destination 10.10.10.10:25
iptables -t nat -A POSTROUTING -p tcp --dport 25 -j MASQUERADE

In this example, the incoming port differs from the backend port. The DNAT rule rewrites the destination to the standard port on the other server, and the MASQUERADE rule in POSTROUTING rewrites the source address of the forwarded packets to the primary server's own address, so the backend's replies come back through the primary server, where connection tracking reverses the translation on the way back out to the client.
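Added example, not from the original post: a small POSIX shell generator for the complete rule set behind the DNAT case above. Besides the post's PREROUTING and POSTROUTING rules it emits the two things a bare DNAT leaves out, enabling net.ipv4.ip_forward and accepting the translated packets in the FORWARD chain (where a default DROP policy in the filter table would otherwise discard them). The function names, addresses and ports are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Prints the complete set of
# commands needed to forward TCP traffic arriving on PUBLIC_IP:PUBLIC_PORT to
# BACKEND_IP:BACKEND_PORT on another host. The post's PREROUTING DNAT and
# POSTROUTING MASQUERADE rules are not sufficient on their own: the kernel must
# be allowed to forward packets, and the filter table's FORWARD chain still
# inspects the translated packets, so a default DROP policy there drops them.
# Addresses, ports and function names are assumptions made for this example.

# forward_rules PUBLIC_IP PUBLIC_PORT BACKEND_IP BACKEND_PORT
# Emits one command per line so the set can be reviewed before it is applied.
# The MASQUERADE rule matches the already-translated destination, so the
# backend sees the primary server as the source and its replies return through
# the primary server, where conntrack reverses the DNAT for the client.
forward_rules() {
    pub_ip=$1; pub_port=$2; be_ip=$3; be_port=$4
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -p tcp -d $pub_ip --dport $pub_port -j DNAT --to-destination $be_ip:$be_port
iptables -A FORWARD -p tcp -d $be_ip --dport $be_port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -s $be_ip --sport $be_port -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -p tcp -d $be_ip --dport $be_port -j MASQUERADE
EOF
}

# count_rules: number of iptables commands the generator produces (4 expected).
count_rules() {
    forward_rules "$@" | grep -c '^iptables '
}

# "--demo" prints the rule set for the addresses used in the post.
if [ "${1:-}" = "--demo" ]; then
    forward_rules 123.123.123.123 5001 10.10.10.10 25
fi
```

Run it with --demo to print the commands for the post's addresses, review them, and only then pipe the output into sh as root.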

If you would like further reading on this topic, I recommend this great tutorial:
http://www.karlrupp.net/en/computer/nat_tutorial

Remember, when you modify the running configuration of iptables, you still need to save your changes for them to persist across a reboot. Be sure to test your configuration before saving it with "service iptables save", so that you don't lock yourself out.
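Added example, not from the original post: one way to test before saving without risking a lockout. The running rules are snapshotted with iptables-save, a background timer restores the snapshot with iptables-restore, and the timer is cancelled only once you have confirmed from a second session that you can still get in; "service iptables save" comes after that. The backup path, the grace period and the overridable command names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Applies firewall changes with a
# safety net: snapshot the running rules with iptables-save, arm a background
# timer that restores the snapshot with iptables-restore, and only cancel the
# timer once you have confirmed (from a second session) that you can still get
# in. Persist with "service iptables save" only after confirming. The backup
# path, the grace period and the overridable command names are assumptions.

BACKUP=${BACKUP:-/root/iptables.rollback}    # where the snapshot is written
GRACE=${GRACE:-60}                           # seconds until automatic rollback
SAVE_CMD=${SAVE_CMD:-iptables-save}          # overridable so the logic can be
RESTORE_CMD=${RESTORE_CMD:-iptables-restore} # exercised without root/iptables

# True while a rollback timer is armed (its PID file exists).
rollback_pending() { [ -f "$BACKUP.pid" ]; }

# Snapshot the current rules and start the rollback timer.
arm_rollback() {
    rollback_pending && return 1              # refuse to arm twice
    $SAVE_CMD > "$BACKUP" || return 1
    ( sleep "$GRACE" && $RESTORE_CMD < "$BACKUP" && rm -f "$BACKUP.pid" ) &
    echo $! > "$BACKUP.pid"
}

# Cancel the timer: the new rules stay and the snapshot is no longer restored.
confirm_rules() {
    rollback_pending || return 1
    kill "$(cat "$BACKUP.pid")" 2>/dev/null || true
    rm -f "$BACKUP.pid"
}

# Typical session (as root):
#   arm_rollback
#   iptables -t nat -A PREROUTING -p tcp --dport 2525 -j REDIRECT --to-ports 25
#   ...open a second SSH session and check that you can still log in...
#   confirm_rules && service iptables save
```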

-Mark

Comments

December 27th, 2011 at 1:05am

This is also helpful when dealing with applications that need access to a port number less than 1024, that should not be run as root.

December 27th, 2011 at 3:24am

Always good to see some helpful examples on IPTables.
I usually use a wrapper around IPTables like CSF (http://configserver.com/cp/csf.html) as it simplifies getting the security set up.

January 4th, 2012 at 7:19am

Good point Andrew, I had not considered that aspect.

Barry, I personally prefer to use just the built-in iptables functionality, but there certainly is a lot to be said for CSF and APF. It also adds some intrusion detection functionality and some more advanced malicious packet filtering beyond what most people will implement. However, there is definitely merit to knowing how the iptables backend works, since something may go wrong and require a manual fix. The clock is always ticking in the hosting business.


October 3rd, 2012 at 1:24am

I'm new to iptables, but don't you also need an "allow" rule in the forwarding chain to allow the packets to be delivered to the correct listening device?

September 27th, 2013 at 2:57am

The best idea is to block all ports by default and open each port manually depending on your services. Anyway, I'm still looking for rules for limiting outgoing SMTP; does anyone know how?

December 17th, 2013 at 7:40am

Hi, very nice article, really clears it up!
Now I have tried to "translate" the following redirect command from iptables to the new nftables. I don't know what they have done to the nftables syntax, but it's just horrible.
Anyway here are my results:
"iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
and came this far:
"nft add rule nat pre tcp dport %port meta oif %iface"
I have no idea if this is correct, and the "-j REDIRECT --to-port %rport" part is still missing; I have no idea how to "translate" it into the nftables syntax. It appears that "-j REDIRECT" isn't needed at all, but I couldn't find any reference to the "--to-port" command in nftables.

Here's the how-to where I got the information from: https://home.regit.org/netfilter-en/nftables-quick-howto/

May I kindly ask for your help in this? :)

January 22nd, 2014 at 6:55am

Thank you for sharing! :) Helped me a lot.

On CentOS / RHEL you have to remove / flush some of the default iptables rules to make this work.
