[LINUX] Port forwarding your web server using iptables

Overview

Describes how to forward (that is, port forwarding) the "host name: port number" of one web server to "another host: port number" on Linux. To realize this, use "iptables" that is installed as standard on CentOS and Ubuntu. The content introduced this time can probably be realized with firewalld etc. which is included by default in CentOS 7 or later, but as a result of searching for a method of port forwarding that does not depend on the environment as much as possible, I decided to use iptables. There are some articles that introduce port forwarding methods with iptables, but even if I tried those methods obediently, it did not work, and I was quite addicted to the realization, so I will summarize it again in this article. Only the http (https) protocol has been confirmed to work this time, but if it is TCP communication, it should work with other protocols (ssh, ftp, etc.).

Configuration you want to realize

• The IP address of the web server (forwarding destination) is 23.45.67.89, and the port is 80.
• The IP address of the forwarding server for which port forwarding is set is 192.168.1.4
• When the client requests http://192.168.1.4:10080 to the transfer source server, the transfer source server port-forwards to the web server and http://23.45.67.89:80 Request to the site.
• After sending the request, the response returned by the web server can be viewed on the client.

Implementation by iptables

Execute the following command on the transfer source server

(1) PREROUTING chain

• Client Incoming request translates destination IP address and port
• --dport: Destination port number before conversion
• --to-destination: Converted "destination IP: port number"

$ sudo iptables -t nat -A PREROUTING -p tcp \
                --dport 10080 -j DNAT \
                --to-destination 23.45.67.89:80

(2) POSTROUTING chain

• Description of packets going out from the forwarding server
• --d: Translated IP address
• --dport: Destination port number after conversion
• -j MASQUERADE: Perform IP masquerade

$ sudo iptables -t nat -A POSTROUTING -p tcp \
                -d 23.45.67.89 --dport 80 \
                -j MASQUERADE

• What we are doing specifically in IP Masquerade is the process of converting the source IP address from "client" to "transfer source server (192.168.1.4)". An arbitrary value is assigned to the port number each time communication is performed.

(3) FORWARD chain

• A description required to allow the passage of packets sent from the client.

• In the case of TCP communication, two-way communication is performed by a method called 3way-handshake, so it is necessary to make settings to allow both communications.

• Reference site: Firewall made with Linux [Packet filtering settings]

• The command to allow packets to pass to "client → web server" is as follows

$ sudo iptables -A FORWARD -p tcp \
                -d 23.45.67.89 --dport 80 \
                -j ACCEPT

• On the other hand, the command to allow packets to pass to "web server → client" is as follows
• Since the setting is in the reverse direction, the options that describe the IP address and port of the web server must be " -s: source address" and "" --sport``: source port number. Note
• The description on the second line ""! --Syn -m state --state ESTABLISHED`` "is a description to allow only communication that meets specific conditions. If you don't care about security, you can omit it.

$ sudo iptables -A FORWARD -p tcp \
                ! --syn -m state --state ESTABLISHED \
                -s 23.45.67.89 --sport 80 \
                -j ACCEPT

(4) OUTPUT chain

• Described when you want to port forward the request from the forwarding server as well.
• The writing method is the same as PREROUTING in (1) except that the chain name is OUPUT.

$ sudo iptables -t nat -A OUTPUT -p tcp \
                --dport 10080 -j DNAT \
                --to-destination 23.45.67.89:80