{"id":987,"date":"2014-04-27T02:37:23","date_gmt":"2014-04-27T02:37:23","guid":{"rendered":"https:\/\/trouble.org\/?p=987"},"modified":"2014-06-22T16:56:07","modified_gmt":"2014-06-22T16:56:07","slug":"from-a-on-b-to-c-on-d","status":"publish","type":"post","link":"https:\/\/trouble.org\/?p=987","title":{"rendered":"From A on B to C on D"},"content":{"rendered":"

I find iptables to be a bit of a beast… so for posterity (or my own sanity, in case I lost this, I might recover from search engine caches!) this simply forwards a port (A) of a certain protocol from one host (B) to a second port (C) on a 2nd IP (D). Linux only, unless your OS happens to support iptables… no error checking, although it will echo usage out if you don’t give it any arguments.<\/p>\n

(Slight edit to fix $proto problem on 6\/21\/14, thanks to Eric M!)<\/p>\n

#!\/bin\/bash<\/span>
\n
\n#<\/span>
\n# forward a port with iptables (linux)... usage:<\/span>
\n#<\/span>
\n#   $0 up|down port-1 ipaddr-2 port-2 protocol<\/span>
\n#<\/span>
\n# XXX - warning - it will forward the port on ALL ip addrs other than<\/span>
\n# the loopback and any VPN interfaces to the destination.<\/span>
\n#<\/span>
\n# E.g.<\/span>
\n#<\/span>
\n#   $0 up 666 192.168.0.2 777 tcp<\/span>
\n#<\/span>
\n#  Would connect anyone going for:<\/span>
\n#<\/span>
\n#       tcp port 666 on any IP that the system answers to<\/span>
\n#<\/span>
\n#  And redirects it instead to:<\/span>
\n#<\/span>
\n#       tcp port 777 on 192.168.0.2<\/span>
\n#<\/span>
\n# If you use "down" you must use the EXACT same arguments as with the "up" <\/span>
\n# command or won't work (at least, I think... iptables is pretty mysterious... <\/span>
\n# you could always flush them.<\/span>
\n#<\/span>
\n#  No error checking, although (a) iptables usually will gripe if it doesn't <\/span>
\n# like your arguments, and (b) it'll print out the usage message if you don't <\/span>
\n# use exactly 6 arguments.<\/span>
\n#<\/span>
\n# The "up" command will also turn on ipforwarding by running this:<\/span>
\n#<\/span>
\n#    echo "1" > \/proc\/sys\/net\/ipv4\/ip_forward<\/span>
\n#<\/span>
\n# The "down" command WILL NOT set that to 0, if you want that turned off<\/span>
\n# you have to do it yourself (it might break other things in my system.)<\/span>
\n#<\/span>
\n
\nif<\/span> [<\/span> $#<\/span> -ne<\/span> 5<\/span> ]<\/span> ; then<\/span>
\n   echo<\/span> "Usage: $0 up|down port-1 ip-2 port-2 tcp|udp"<\/span>
\n   exit<\/span> 1<\/span>
\nfi<\/span>
\n
\n# up or down?<\/span>
\nif<\/span> [<\/span> "X$1"<\/span> = "Xup"<\/span> ]<\/span> ; then<\/span>
\n    direction<\/span>="up"<\/span>
\nelif<\/span> [<\/span> "X$1"<\/span> = "Xdown"<\/span> ]<\/span> ; then<\/span>
\n    direction<\/span>="down"<\/span>
\nelse<\/span>
\n    echo<\/span> First argument must be either "up"<\/span> or "down"<\/span>
\n    exit<\/span> 2<\/span>
\nfi<\/span>
\n
\nlocal_port<\/span>=$2<\/span>
\nremote_ip<\/span>=$3<\/span>
\nremote_port<\/span>=$4<\/span>
\nproto<\/span>=$5<\/span>
\n
\n# will not reverse this, as other stuff might break, but ensure it's on!<\/span>
\necho<\/span> "1"<\/span> ><\/span> \/<\/span>proc\/<\/span>sys\/<\/span>net\/<\/span>ipv4\/<\/span>ip_forward
\n
\n# get the ip addrs for a host, in its mind<\/span>
\nall_ips<\/span>=$(<\/span>ifconfig<\/span> |<\/span> awk<\/span> '{if (n) { all[dev] = substr($2, match($2, ":") + 1); n = 0 }} {if (match($0, "^[^ \\t]") && $1 != "lo") { n = 1; dev = $1; all[dev]="" }} END { for (i in all) printf("%s ", all[i]) ; print ""}'<\/span>|<\/span> sed<\/span> 's\/,]$\/]\/'<\/span>)<\/span>
\n
\nif<\/span> [<\/span> $direction<\/span> = "up"<\/span> ]<\/span> ; then<\/span>
\n    for<\/span> ip<\/span> in<\/span> $all_ips<\/span>; do<\/span>
\n        echo<\/span> "forwarding $proto<\/span> traffic from $ip<\/span> : $local_port<\/span> => $remote_ip<\/span> : $remote_port<\/span>"<\/span>
\n        echo<\/span> iptables -t<\/span> nat -A<\/span> PREROUTING  -i<\/span> eth0 -p<\/span> $proto<\/span> -d<\/span> $ip<\/span> --dport<\/span> $local_port<\/span>   -j<\/span> DNAT --to-destination<\/span> $remote_ip<\/span>:$remote_port<\/span>
\n             iptables -t<\/span> nat -A<\/span> PREROUTING  -i<\/span> eth0 -p<\/span> $proto<\/span> -d<\/span> $ip<\/span> --dport<\/span> $local_port<\/span>   -j<\/span> DNAT --to-destination<\/span> $remote_ip<\/span>:$remote_port<\/span>
\n
\n        echo<\/span> iptables -t<\/span> nat -A<\/span> POSTROUTING -o<\/span> tun0 -p<\/span> $proto<\/span> --dport<\/span> $remote_port<\/span> -j<\/span> MASQUERADE
\n             iptables -t<\/span> nat -A<\/span> POSTROUTING -o<\/span> tun0 -p<\/span> $proto<\/span> --dport<\/span> $remote_port<\/span> -j<\/span> MASQUERADE
\n
\n    done<\/span>
\nelse<\/span>
\n    for<\/span> ip<\/span> in<\/span> $all_ips<\/span>; do<\/span>
\n        echo<\/span> "disabling forwarding of $proto<\/span> traffic from $ip<\/span> : $local_port<\/span> => $remote_ip<\/span> : $remote_port<\/span>"<\/span>
\n        echo<\/span> iptables -t<\/span> nat -D<\/span> PREROUTING  -i<\/span> tun0 -p<\/span> $proto<\/span> -d<\/span> $ip<\/span> --dport<\/span> $local_port<\/span>   -j<\/span> DNAT --to-destination<\/span> $remote_ip<\/span>:$remote_port<\/span>
\n             iptables -t<\/span> nat -D<\/span> PREROUTING  -i<\/span> tun0 -p<\/span> $proto<\/span> -d<\/span> $ip<\/span> --dport<\/span> $local_port<\/span>   -j<\/span> DNAT --to-destination<\/span> $remote_ip<\/span>:$remote_port<\/span>
\n
\n        echo<\/span> iptables -t<\/span> nat -D<\/span> POSTROUTING -i<\/span> eth0 -p<\/span> $proto<\/span> --dport<\/span> $remote_port<\/span> -j<\/span> MASQUERADE
\n             iptables -t<\/span> nat -D<\/span> POSTROUTING -o<\/span> eth0 -p<\/span> $proto<\/span> --dport<\/span> $remote_port<\/span> -j<\/span> MASQUERADE
\n
\n    done<\/span>
\nfi<\/span><\/div><\/div>\n","protected":false},"excerpt":{"rendered":"

I find iptables to be a bit of a beast… so for posterity (or my own sanity, in case I lost this, I might recover from search engine caches!) this simply forwards a port (A) of a certain protocol from one host (B) to a second port (C) on a 2nd IP (D). Linux only, […]<\/p>\n","protected":false},"author":44,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[31,146,4,6],"tags":[265,270,271],"class_list":["post-987","post","type-post","status-publish","format-standard","hentry","category-code","category-hack","category-security","category-tech","tag-blah-blah","tag-i-hate-iptables","tag-port-forwarding"],"_links":{"self":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/987","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/users\/44"}],"replies":[{"embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=987"}],"version-history":[{"count":6,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/987\/revisions"}],"predecessor-version":[{"id":1010,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/987\/revisions\/1010"}],"wp:attachment":[{"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=987"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=987"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=987"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}