Port forwarding with iptables not working

I want to redirect all traffic from one port, e.g. 4445 (on localhost), to another port on another machine on the LAN, e.g. 3305. I expected this to do the job:

    iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 4445 -j DNAT --to 192.168.72.1:3305

I am listening on the target machine with

    nc -k -l 3305

and a direct connection to that ip:port works; nc displays the transmitted messages.

    telnet 192.168.72.1 3305
    Trying 192.168.72.1...
    Connected to 192.168.72.1.
    Escape character is '^]'.
    test
    ^]

But as soon as I want to use my iptables rule, the connection is suddenly refused:

    $>telnet localhost 4445
    Trying 127.0.0.1...
    telnet: Unable to connect to remote host: Connection refused

I have read several times that IP forwarding has to be enabled:

    $>cat /proc/sys/net/ipv4/ip_forward
    1

so my IP forwarding should be active, and I rebooted the machine after changing it from 0 to 1.

I also verified that iptables lists the rule:

    $>iptables -L -t nat
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination
    DNAT       tcp  --  anywhere             anywhere             tcp dpt:4445 to:192.168.72.1:3305

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination

    $>iptables -L -n -v
    Chain INPUT (policy DROP 0 packets, 0 bytes)
     pkts bytes target                     prot opt in  out  source      destination
     4745  586K ufw-before-logging-input   all  --  *   *    0.0.0.0/0   0.0.0.0/0
     4745  586K ufw-before-input           all  --  *   *    0.0.0.0/0   0.0.0.0/0
      121  8712 ufw-after-input            all  --  *   *    0.0.0.0/0   0.0.0.0/0
        0     0 ufw-after-logging-input    all  --  *   *    0.0.0.0/0   0.0.0.0/0
        0     0 ufw-reject-input           all  --  *   *    0.0.0.0/0   0.0.0.0/0
        0     0 ufw-track-input            all  --  *   *    0.0.0.0/0   0.0.0.0/0
        0     0 ACCEPT                     tcp  --  *   *    0.0.0.0/0   0.0.0.0/0   tcp dpt:4445

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target                     prot opt in  out  source      destination
        0     0 ufw-before-logging-forward all  --  *   *    0.0.0.0/0   0.0.0.0/0
        0     0 ufw-before-forward         all  --  *   *    0.0.0.0/0   0.0.0.0/0
        0     0 ufw-after-forward          all  --  *   *    0.0.0.0/0   0.0.0.0/0
        0     0 ufw-after-logging-forward  all  --  *   *    0.0.0.0/0   0.0.0.0/0
        0     0 ufw-reject-forward         all  --  *   *    0.0.0.0/0   0.0.0.0/0
        0     0 ufw-track-forward          all  --  *   *    0.0.0.0/0   0.0.0.0/0

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target                     prot opt in  out  source      destination
     3344  655K ufw-before-logging-output  all  --  *   *    0.0.0.0/0   0.0.0.0/0
     3344  655K ufw-before-output          all  --  *   *    0.0.0.0/0   0.0.0.0/0
       29  3082 ufw-after-output           all  --  *   *    0.0.0.0/0   0.0.0.0/0
       29  3082 ufw-after-logging-output   all  --  *   *    0.0.0.0/0   0.0.0.0/0
       29  3082 ufw-reject-output          all  --  *   *    0.0.0.0/0   0.0.0.0/0
       29  3082 ufw-track-output           all  --  *   *    0.0.0.0/0   0.0.0.0/0

    Chain ufw-after-forward (1 references)
     pkts bytes target                     prot opt in  out  source      destination

    Chain ufw-after-input (1 references)
     pkts bytes target                     prot opt in  out  source      destination
        0     0 ufw-skip-to-policy-input   udp  --  *   *    0.0.0.0/0   0.0.0.0/0   udp dpt:137
        0     0 ufw-skip-to-policy-input   udp  --  *   *    0.0.0.0/0   0.0.0.0/0   udp dpt:138
        0     0 ufw-skip-to-policy-input   tcp  --  *   *    0.0.0.0/0   0.0.0.0/0   tcp dpt:139
        0     0 ufw-skip-to-policy-input   tcp  --  *   *    0.0.0.0/0   0.0.0.0/0   tcp dpt:445
        0     0 ufw-skip-to-policy-input   udp  --  *   *    0.0.0.0/0   0.0.0.0/0   udp dpt:67
        0     0 ufw-skip-to-policy-input   udp  --  *   *    0.0.0.0/0   0.0.0.0/0   udp dpt:68
      121  8712 ufw-skip-to-policy-input   all  --  *   *    0.0.0.0/0   0.0.0.0/0   ADDRTYPE match dst-type BROADCAST

    Chain ufw-after-logging-forward (1 references)
     pkts bytes target                     prot opt in  out  source      destination
        0     0 LOG                        all  --  *   *    0.0.0.0/0   0.0.0.0/0   limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

    Chain ufw-after-logging-input (1 references)
     pkts bytes target                     prot opt in  out  source      destination
        0     0 LOG                        all  --  *   *    0.0.0.0/0   0.0.0.0/0   limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

    Chain ufw-after-logging-output (1 references)
     pkts bytes target                     prot opt in  out  source      destination

    Chain ufw-after-output (1 references)
     pkts bytes target                     prot opt in  out  source      destination

    Chain ufw-before-forward (1 references)
     pkts bytes target                     prot opt in  out  source      destination
        0     0 ACCEPT                     all  --  *   *    0.0.0.0/0   0.0.0.0/0   ctstate RELATED,ESTABLISHED
        0     0 ACCEPT                     icmp --  *   *    0.0.0.0/0   0.0.0.0/0   icmptype 3
        0     0 ACCEPT                     icmp --  *   *    0.0.0.0/0   0.0.0.0/0   icmptype 4
        0     0 ACCEPT                     icmp --  *   *    0.0.0.0/0   0.0.0.0/0   icmptype 11
        0     0 ACCEPT                     icmp --  *   *    0.0.0.0/0   0.0.0.0/0   icmptype 12
        0     0 ACCEPT                     icmp --  *   *    0.0.0.0/0   0.0.0.0/0   icmptype 8
        0     0 ufw-user-forward           all  --  *   *    0.0.0.0/0   0.0.0.0/0

    Chain ufw-before-input (1 references)
     pkts bytes target                     prot opt in  out  source      destination
      146  223K ACCEPT                     all  --  lo  *    0.0.0.0/0   0.0.0.0/0
     4471  353K ACCEPT                     all  --  *   *    0.0.0.0/0   0.0.0.0/0   ctstate RELATED,ESTABLISHED
        0     0 ufw-logging-deny           all  --  *   *    0.0.0.0/0   0.0.0.0/0   ctstate INVALID
        0     0 DROP                       all  --  *   *    0.0.0.0/0   0.0.0.0/0   ctstate INVALID
        0     0 ACCEPT                     icmp --  *   *    0.0.0.0/0   0.0.0.0/0   icmptype 3
        0     0 ACCEPT                     icmp --  *   *    0.0.0.0/0   0.0.0.0/0   icmptype 4
        0     0 ACCEPT                     icmp --  *   *    0.0.0.0/0   0.0.0.0/0   icmptype 11
        0     0 ACCEPT                     icmp --  *   *    0.0.0.0/0   0.0.0.0/0   icmptype 12
        0     0 ACCEPT                     icmp --  *   *    0.0.0.0/0   0.0.0.0/0   icmptype 8
        0     0 ACCEPT                     udp  --  *   *    0.0.0.0/0   0.0.0.0/0   udp spt:67 dpt:68
      128  9132 ufw-not-local              all  --  *   *    0.0.0.0/0   0.0.0.0/0
        0     0 ACCEPT                     udp  --  *   *    0.0.0.0/0   224.0.0.251      udp dpt:5353
        0     0 ACCEPT                     udp  --  *   *    0.0.0.0/0   239.255.255.250  udp dpt:1900
      128  9132 ufw-user-input             all  --  *   *    0.0.0.0/0   0.0.0.0/0

    Chain ufw-before-logging-forward (1 references)
     pkts bytes target                     prot opt in  out  source      destination

    Chain ufw-before-logging-input (1 references)
     pkts bytes target                     prot opt in  out  source      destination

    Chain ufw-before-logging-output (1 references)
     pkts bytes target                     prot opt in  out  source      destination

    Chain ufw-before-output (1 references)
     pkts bytes target                     prot opt in  out  source      destination
      146  223K ACCEPT                     all  --  *   lo   0.0.0.0/0   0.0.0.0/0
     3169  428K ACCEPT                     all  --  *   *    0.0.0.0/0   0.0.0.0/0   ctstate RELATED,ESTABLISHED
       29  3082 ufw-user-output            all  --  *   *    0.0.0.0/0   0.0.0.0/0

    Chain ufw-logging-allow (0 references)
     pkts bytes target                     prot opt in  out  source      destination
        0     0 LOG                        all  --  *   *    0.0.0.0/0   0.0.0.0/0   limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

    Chain ufw-logging-deny (2 references)
     pkts bytes target                     prot opt in  out  source      destination
        0     0 RETURN                     all  --  *   *    0.0.0.0/0   0.0.0.0/0   ctstate INVALID limit: avg 3/min burst 10
        0     0 LOG                        all  --  *   *    0.0.0.0/0   0.0.0.0/0   limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

    Chain ufw-not-local (1 references)
     pkts bytes target                     prot opt in  out  source      destination
        7   420 RETURN                     all  --  *   *    0.0.0.0/0   0.0.0.0/0   ADDRTYPE match dst-type LOCAL
        0     0 RETURN                     all  --  *   *    0.0.0.0/0   0.0.0.0/0   ADDRTYPE match dst-type MULTICAST
      121  8712 RETURN                     all  --  *   *    0.0.0.0/0   0.0.0.0/0   ADDRTYPE match dst-type BROADCAST
        0     0 ufw-logging-deny           all  --  *   *    0.0.0.0/0   0.0.0.0/0   limit: avg 3/min burst 10
        0     0 DROP                       all  --  *   *    0.0.0.0/0   0.0.0.0/0

    Chain ufw-reject-forward (1 references)
     pkts bytes target                     prot opt in  out  source      destination

    Chain ufw-reject-input (1 references)
     pkts bytes target                     prot opt in  out  source      destination

    Chain ufw-reject-output (1 references)
     pkts bytes target                     prot opt in  out  source      destination

    Chain ufw-skip-to-policy-forward (0 references)
     pkts bytes target                     prot opt in  out  source      destination
        0     0 DROP                       all  --  *   *    0.0.0.0/0   0.0.0.0/0

    Chain ufw-skip-to-policy-input (7 references)
     pkts bytes target                     prot opt in  out  source      destination
      121  8712 DROP                       all  --  *   *    0.0.0.0/0   0.0.0.0/0

    Chain ufw-skip-to-policy-output (0 references)
     pkts bytes target                     prot opt in  out  source      destination
        0     0 ACCEPT                     all  --  *   *    0.0.0.0/0   0.0.0.0/0

    Chain ufw-track-forward (1 references)
     pkts bytes target                     prot opt in  out  source      destination

    Chain ufw-track-input (1 references)
     pkts bytes target                     prot opt in  out  source      destination

    Chain ufw-track-output (1 references)
     pkts bytes target                     prot opt in  out  source      destination
        3   180 ACCEPT                     tcp  --  *   *    0.0.0.0/0   0.0.0.0/0   ctstate NEW
       26  2902 ACCEPT                     udp  --  *   *    0.0.0.0/0   0.0.0.0/0   ctstate NEW

    Chain ufw-user-forward (1 references)
     pkts bytes target                     prot opt in  out  source      destination

    Chain ufw-user-input (1 references)
     pkts bytes target                     prot opt in  out  source      destination
        1    60 ACCEPT                     tcp  --  *   *    0.0.0.0/0   0.0.0.0/0   tcp dpt:22
        0     0 ACCEPT                     udp  --  *   *    0.0.0.0/0   0.0.0.0/0   udp dpt:22
        6   360 ACCEPT                     tcp  --  *   *    0.0.0.0/0   0.0.0.0/0   tcp dpt:80
        0     0 ACCEPT                     udp  --  *   *    0.0.0.0/0   0.0.0.0/0   udp dpt:80
        0     0 ACCEPT                     tcp  --  *   *    0.0.0.0/0   0.0.0.0/0   tcp dpt:443
        0     0 ACCEPT                     udp  --  *   *    0.0.0.0/0   0.0.0.0/0   udp dpt:443

    Chain ufw-user-limit (0 references)
     pkts bytes target                     prot opt in  out  source      destination
        0     0 LOG                        all  --  *   *    0.0.0.0/0   0.0.0.0/0   limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
        0     0 REJECT                     all  --  *   *    0.0.0.0/0   0.0.0.0/0   reject-with icmp-port-unreachable

    Chain ufw-user-limit-accept (0 references)
     pkts bytes target                     prot opt in  out  source      destination
        0     0 ACCEPT                     all  --  *   *    0.0.0.0/0   0.0.0.0/0

    Chain ufw-user-logging-forward (0 references)
     pkts bytes target                     prot opt in  out  source      destination

    Chain ufw-user-logging-input (0 references)
     pkts bytes target                     prot opt in  out  source      destination

    Chain ufw-user-logging-output (0 references)
     pkts bytes target                     prot opt in  out  source      destination

    Chain ufw-user-output (1 references)
     pkts bytes target                     prot opt in  out  source      destination

Why is this not working as expected / what is my mistake?

This will not work for at least two reasons:

  1. You added a rule with the DNAT target in the PREROUTING chain, and that chain is not traversed when connecting locally. Instead, you need to add it to the OUTPUT chain of the nat table.
  2. You specified the input interface -i eth0, and your test traffic will not come in through that interface. It goes through the loopback interface lo.

You can try changing your rule to read:

    iptables -A OUTPUT -t nat -p tcp --dport 4445 -j DNAT --to 192.168.72.1:3305

Of course, you can keep both rules at the same time (one for incoming traffic and one for locally generated traffic).
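As an added example (not code from the question or from the answer above), the following POSIX shell script puts the answer's two points into working form: `dnat_rules` emits the nat rules for the redirect depending on whether the connection is made on the host itself (nat OUTPUT, no `-i`) or arrives on a LAN interface (nat PREROUTING with `-i`), and `diagnose_dnat` reads an `iptables -L -t nat` listing, such as the one in the question, and reports which of the two cases the present DNAT rules will catch. Two rules are additions that the answer does not mention and are my assumptions about what a working setup needs: a POSTROUTING MASQUERADE for the local case, because a connection made to 127.0.0.1 keeps 127.0.0.1 as its source address after DNAT and the LAN host cannot reply to that, and a FORWARD ACCEPT for the remote case, because the question's listing shows FORWARD with policy DROP (ufw). The function names and the usage string are mine; the sample listing is copied from the question.

```shell
#!/bin/sh
# Emit the iptables nat rules that redirect TCP port $3 on this host to HOST:PORT $4.
#   origin "local"  : connections made on this host (they travel via lo) -> nat OUTPUT
#   origin "remote" : connections arriving on interface $2              -> nat PREROUTING
dnat_rules() {
  origin=$1; iface=$2; port=$3; dest=$4
  dest_host=${dest%:*}; dest_port=${dest#*:}
  case "$origin" in
    local)
      # Locally generated packets never traverse PREROUTING and have no input
      # interface, so neither a PREROUTING rule nor "-i eth0" can match them.
      echo "iptables -t nat -A OUTPUT -p tcp --dport $port -j DNAT --to-destination $dest"
      # Assumption (not in the answer): a connection to 127.0.0.1 still carries
      # 127.0.0.1 as source after DNAT; masquerade the redirected flow so it
      # leaves with the LAN address and the target host can answer.
      echo "iptables -t nat -A POSTROUTING -p tcp -d $dest_host --dport $dest_port -j MASQUERADE"
      ;;
    remote)
      echo "iptables -t nat -A PREROUTING -i $iface -p tcp --dport $port -j DNAT --to-destination $dest"
      # Assumption (not in the answer): redirected packets from other hosts pass
      # the filter FORWARD chain, whose policy is DROP in the question's listing,
      # so they need an explicit ACCEPT (ip_forward=1 is already shown as set).
      echo "iptables -A FORWARD -i $iface -p tcp -d $dest_host --dport $dest_port -j ACCEPT"
      ;;
    *)
      echo "usage: dnat_rules local|remote IFACE PORT HOST:PORT" >&2
      return 1
      ;;
  esac
}

# Constructed sample input: the question's `iptables -L -t nat` listing.
SAMPLE_NAT_LISTING='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere             tcp dpt:4445 to:192.168.72.1:3305

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination'

# Read an `iptables -L -t nat` listing on stdin; print the chains that hold a DNAT rule.
chains_with_dnat() {
  awk '/^Chain /{chain=$2} $1=="DNAT"{print chain}'
}

# Read the same listing on stdin and say which connections the DNAT rules affect.
diagnose_dnat() {
  has_pre=0; has_out=0
  for c in $(chains_with_dnat); do
    case $c in PREROUTING) has_pre=1 ;; OUTPUT) has_out=1 ;; esac
  done
  if [ "$has_pre" = 1 ] && [ "$has_out" = 1 ]; then
    echo "PREROUTING and OUTPUT: both incoming and locally generated connections are redirected"
  elif [ "$has_pre" = 1 ]; then
    echo "PREROUTING only: incoming connections are redirected, locally generated ones (telnet localhost) are not"
  elif [ "$has_out" = 1 ]; then
    echo "OUTPUT only: locally generated connections are redirected, incoming ones are not"
  else
    echo "no DNAT rule found"
  fi
}

# Stand-alone run: diagnose the question's listing, then print the rules for the local case.
printf '%s\n' "$SAMPLE_NAT_LISTING" | diagnose_dnat
dnat_rules local eth0 4445 192.168.72.1:3305
```

The script only prints the rules; run the printed lines as root when you have checked them. `--to-destination` is the long form of the `--to` used in the question.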

Along with @Khaled's suggestion as an answer … don't forget to run this as well: sudo iptables -A INPUT -p tcp --dport 4445 -j ACCEPT?