Have you ever run into trouble with iptables UDP port forwarding? We can help you with it.
A few days ago, we received a request to set up UDP port forwarding with iptables on a gateway that otherwise drops unsolicited traffic.
At Bobcares, we often get queries regarding port forwarding as part of our Server Management Services.
Today, let's see how our Support Engineers do port forwarding with iptables.
Why do we do 'iptables port forwarding'?
Port forwarding rewrites the destination of packets that arrive for a specific port so that they are delivered to another host, network, or port.
On its own it does not protect anything; the protection comes from pairing it with a default-deny filter policy. The gateway then exposes only the ports that are explicitly forwarded and drops everything else, which limits access to and from the network behind it.
With iptables, port forwarding takes only a couple of rules.
PREROUTING Chain
iptables has several tables in the kernel; the ones used most are filter, nat (network address translation) and mangle (raw and security also exist).
Among these, we use the nat table for address translation. It can change the source and/or destination IP address and port of packets.
The nat table has PREROUTING, OUTPUT and POSTROUTING chains (recent kernels add an INPUT chain as well).
We use the PREROUTING chain when the destination address of the packet needs to be changed.
The nat table's PREROUTING chain inspects each packet entering the firewall, before the routing decision, to see whether it requires destination modification (DNAT). Because the rewrite happens before routing, the filter table's FORWARD and INPUT chains later see the translated destination, not the original one.
[Figure: how packets are processed in the nat table's PREROUTING chain]
How does iptables UDP port forwarding occur?
So far we have discussed what port forwarding is. Now, let's check how to do it with iptables.
Recently, one of our customers approached us with a request to do port forwarding.
The customer has two stream sources sending to the server on the same UDP port from two different IPs:
19x.16x.1.2:1003 via UDP to 19x.16x.1.4 (server)
19x.16x.1.3:1003 via UDP to 19x.16x.1.4 (server)
Our Support Engineers used the nat table's PREROUTING chain to forward the requested port, with the command below.
iptables -t nat -A PREROUTING -p UDP -i eth0 -d 19x.16x.1.2 --dport 1003 -j DNAT --to-destination 19x.16x.1.2:1004
This rule rewrites the destination of UDP packets that arrive on eth0 for 19x.16x.1.2 port 1003 so that they are delivered to 19x.16x.1.2 port 1004.
Here, --dport matches the destination port and the DNAT target rewrites the packet's destination address and port (--to-destination). Two things to check before copying the rule: -d must be the address the packets are actually sent to, i.e. the server address the sources use, and if the aim is to separate the two streams, match each sender with -s and translate each one to its own port, since a rule that matches only on destination cannot tell the two sources apart.
Allow traffic to port
But, we normally deny all incoming connections to a gateway machine by default.
This reduces the exposure that comes with opening every port and service; we only open the ports for the services that we use.
Therefore, in this case, to allow the forwarded traffic on port 1004, we use the command below.
iptables -A FORWARD -p UDP -d 19x.16x.1.2 --dport 1004 -j ACCEPT
Note that the FORWARD rule matches the address and port after DNAT, which is why it uses port 1004 rather than 1003. Forwarding to another host also requires routing to be enabled (net.ipv4.ip_forward=1), and if the translated destination is an address of the firewall itself, the packets are delivered locally and must be allowed in the INPUT chain instead of FORWARD.
So, by using these commands, we forwarded the ports as required by the customer.
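The most common mistake with this two-rule setup is an ACCEPT rule that matches the pre-DNAT address or port, which the FORWARD chain never sees. The following audit script is an added example (not Bobcares' own code or tooling): it parses iptables-save output, finds every DNAT rule in nat PREROUTING, and checks that the translated destination is accepted in the chain the packet will actually traverse (FORWARD, or INPUT when the translated address belongs to the firewall itself, passed in as local_addrs). The rulesets and the RFC 5737 addresses 198.51.100.1 and 192.0.2.10 are constructed for the example.

```python
"""Audit iptables-save output for DNAT rules whose translated traffic is never
accepted.  filter INPUT/FORWARD run after nat PREROUTING has rewritten the
destination, so the ACCEPT rule has to match the *translated* address/port."""
import shlex
from dataclasses import dataclass, field

# Options that take exactly one argument in iptables-save output.  Anything
# else (e.g. "-m udp", "--log-prefix") is skipped token by token.
_SINGLE = {"-A", "-i", "-o", "-p", "-s", "-d", "--dport", "--sport", "-j", "-m",
           "--to-destination", "--to-ports", "--ctstate", "--state"}

# Constructed rulesets (not captured from a real host).  BROKEN accepts on the
# original destination 198.51.100.1, which FORWARD never sees after DNAT.
SAMPLE_BROKEN = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 198.51.100.1/32 -i eth0 -p udp -m udp --dport 1003 -j DNAT --to-destination 192.0.2.10:1004
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -d 198.51.100.1/32 -p udp -m udp --dport 1004 -j ACCEPT
COMMIT
"""
SAMPLE_FIXED = SAMPLE_BROKEN.replace("-A FORWARD -d 198.51.100.1/32",
                                     "-A FORWARD -d 192.0.2.10/32")


@dataclass
class Rule:
    table: str = ""
    chain: str = ""
    target: str = ""
    negated: bool = False          # any "!" match: treated conservatively below
    opts: dict = field(default_factory=dict)


def parse_iptables_save(text):
    """Parse the subset of iptables-save syntax this audit needs."""
    rules, table = [], ""
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#:" or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]
            continue
        toks, rule, i = shlex.split(line), Rule(table=table), 0
        while i < len(toks):
            tok = toks[i]
            if tok == "!":
                rule.negated = True
            elif tok in _SINGLE:
                val = toks[i + 1]
                if tok == "-A":
                    rule.chain = val
                elif tok == "-j":
                    rule.target = val
                elif tok != "-m":
                    rule.opts[tok] = val
                i += 1
            i += 1
        rules.append(rule)
    return rules


def _addr(a):
    return a[:-3] if a.endswith("/32") else a


def _port_match(rule_port, port):
    if rule_port is None:
        return True
    lo, _, hi = rule_port.partition(":")     # iptables-save writes ranges as lo:hi
    return int(lo) <= int(port) <= int(hi or lo)


def covers(rule, proto, dst, port):
    """True if this filter rule would ACCEPT a NEW packet to proto/dst:port."""
    if rule.target != "ACCEPT" or rule.negated:
        return False
    state = rule.opts.get("--ctstate") or rule.opts.get("--state")
    if state and "NEW" not in state.upper().split(","):
        return False                         # e.g. ESTABLISHED,RELATED only
    return (rule.opts.get("-p", proto).lower() == proto
            and _addr(rule.opts.get("-d", dst)) == dst
            and _port_match(rule.opts.get("--dport"), port))


def audit_dnat(text, local_addrs=()):
    """One finding per nat PREROUTING DNAT rule whose translated destination
    has no ACCEPT in the chain the packet will actually traverse."""
    rules = parse_iptables_save(text)
    findings = []
    for r in rules:
        if (r.table, r.chain, r.target) != ("nat", "PREROUTING", "DNAT"):
            continue
        to = r.opts.get("--to-destination", "")
        dst, sep, port = to.rpartition(":")
        if not sep:                          # address-only DNAT keeps the port
            dst, port = to, r.opts.get("--dport")
        proto = r.opts.get("-p", "").lower()
        # Translated to one of our own addresses -> delivered locally via INPUT;
        # otherwise routed on, so it must pass FORWARD (and needs ip_forward=1).
        chain = "INPUT" if dst in local_addrs else "FORWARD"
        if not any(f.table == "filter" and f.chain == chain
                   and covers(f, proto, dst, port) for f in rules):
            findings.append(f"DNAT {_addr(r.opts.get('-d', 'any'))}:"
                            f"{r.opts.get('--dport', 'any')} -> {dst}:{port}/{proto} "
                            f"has no ACCEPT in filter {chain}")
    return findings


if __name__ == "__main__":
    for finding in audit_dnat(SAMPLE_BROKEN):
        print(finding)
```

On a live system, feed it `iptables-save` output (for example `audit_dnat(subprocess.check_output(["iptables-save"], text=True), local_addrs={...})`) and pass the firewall's own addresses as local_addrs so that DNATs to a local port are checked against INPUT rather than FORWARD. The parser deliberately ignores match modules it does not understand and treats any negated match as non-covering, so it errs on the side of reporting.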
[Need more help in port forwarding using iptables?- We’ll help you.]
Conclusion
In short, iptables DNAT redirects UDP traffic to another port or host, while a default-deny filter policy keeps unwanted traffic out. In today's writeup, we discussed port forwarding using iptables and saw how our Support Engineers do it.
I have been searching for an answer to a very specific problem I was having with RHEL, Nested Virtualization, and iptables. I’ve been searching for DAYS, going over every stack overflow question and answer multiple times.
THIS PAGE is the only thing that made my problem make sense, finally allowing me to solve it. From the bottom of my now pit-black soul – Thank you!
I am seeing an iptables error while forwarding SNMP traps from the same server port to a different port. Can you please help me.
iptables -t nat -A PREROUTING -p UDP -i bond0 -d 10.10.10.10 --dport 162 -j DNAT --to-destination 10.194.236.246:9980
# FORWARD sees the packet after DNAT, so the ACCEPT must match the translated destination, not 10.10.10.10
iptables -A FORWARD -p UDP -d 10.194.236.246 --dport 9980 -j ACCEPT
Hi Rakesh,
Please contact our support through live chat (click on the icon at the bottom right).