Iptables dnat/snat rule internal

Question

I am trying to redirect port 80 to an internal IP (192.168.33.52) with IPtables. But if a open tcpdump with port 80 i see:

04:36:59.848744 IP 1.2.3.4.59936 > 192.168.33.52.http: Flags [S], seq 2560507980, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

How can a rewrite our public IP 1.2.3.4 to our intern IP 192.168.33.200? And 192.168.33.200 is redirecting the traffic back to the clients?

Network Interface:

eth0 - 1.2.3.4 (public IP) eth0:0 - 192.168.33.200 (private IP)

Webserver: 192.168.33.52

My iptables rules:

target prot opt source destination

DNAT tcp -- 0.0.0.0/0 1.2.3.4 tcp dpt:80 to:192.168.33.52:80

Chain INPUT (policy ACCEPT) target prot opt source destination

Chain OUTPUT (policy ACCEPT) target prot opt source destination

Chain POSTROUTING (policy ACCEPT)

target prot opt source destination

SNAT tcp -- 0.0.0.0/0 192.168.33.52 to:1.2.3.4

Bogdan Stoica Bogdan Stoica · Accepted Answer · 2017-07-04T12:40:54

Save the script bellow as script.sh, then make it executable (chmod +x script.sh), then run it with ./script.sh

The iptables rules that you need are as follows:

#!/bin/bash

# enable ip forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# define vars
LOCALNET="192.168.33.0/24"
WAN="eth0"
WANIP="PUBLIC_IP"
WEBSERVER="192.168.33.52"

# enable traffic from the local network to the internet
iptables -t nat -A POSTROUTING -s $LOCALNET -o $WAN -j MASQUERADE

# HTTP to the local web server from the outside world
iptables -t nat -A PREROUTING -d $WANIP -p tcp --dport 80 -j DNAT --to-destination $WEBSERVER:80
iptables -t nat -A POSTROUTING -d $WEBSERVER -p tcp --dport 80 -j MASQUERADE

Iptables dnat/snat rule internal

1 Answers