Problem trying to forward port to a specific interface using iptables

metzenas

New Member, joined Aug 18, 2022
Hi,

I have a bit of an unusual problem regarding port forwarding with iptables, and any help would be appreciated.

I am building a testing environment for a bunch of prototype/testing equipment. I have 51 of these devices connected to a managed network switch, and each port has its own VLAN ID. The trunk port is connected to an Ubuntu Server 22.04 interface where all of the 51 VLANs are opened as their own virtual interfaces, like this:

ts_mgmt.4001: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.1 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::203:e0ff:fe5e:ac1 prefixlen 64 scopeid 0x20<link>
ether 00:03:e0:5e:0a:c1 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 145 bytes 13534 (13.5 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

ts_mgmt.4002: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.2 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::203:e0ff:fe5e:ac2 prefixlen 64 scopeid 0x20<link>
ether 00:03:e0:5e:0a:c2 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 211 bytes 20151 (20.1 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

ts_mgmt.4003: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.3 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::203:e0ff:fe5e:ac3 prefixlen 64 scopeid 0x20<link>
ether 00:03:e0:5e:0a:c3 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 173 bytes 16671 (16.6 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
etc.

I have a management interface on the server that receives outside connections:

rnd: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.30.20.13 netmask 255.255.248.0 broadcast 172.30.23.255
inet6 fe80::f66b:8cff:fe82:1c73 prefixlen 64 scopeid 0x20<link>
inet6 fd00:0:1:1:f66b:8cff:fe82:1c73 prefixlen 64 scopeid 0x0<global>
inet6 2001:14b8:1840:4f00:f66b:8cff:fe82:1c73 prefixlen 64 scopeid 0x0<global>
ether f4:6b:8c:82:1c:73 txqueuelen 1000 (Ethernet)
RX packets 40442831 bytes 2966465584 (2.9 GB)
RX errors 0 dropped 24506624 overruns 0 frame 0
TX packets 236257 bytes 254628483 (254.6 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 23 memory 0xa3300000-a3320000


I need to port-forward, for example, SSH from port 4201 of the rnd interface to port 22 of the device in VLAN 4001, port 4202 to port 22 of the device in VLAN 4002, etc.

The issue is that I won't be able to change the IP addresses of the devices from the default 192.168.0.100, so each VLAN has a device with the same IP address. For that reason I would need to be able to specify the interface to forward the ports to.

I tried variations of this:
sudo iptables -i rnd --append PREROUTING -o ts_mgmt.4009 --table nat --protocol tcp --destination 172.30.20.13 --dport 4209 --jump DNAT --to-destination 192.168.0.100:22
However I got an error:
iptables v1.8.7 (nf_tables): Can't use -o with PREROUTING

Is my approach wrong here? I really don't care how this is accomplished, so any ideas are welcome.

Thank you for any help in this matter.
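The error in the post is expected: in PREROUTING the kernel has not made a routing decision yet, so there is no output interface for -o to match. What has to be steered is that routing decision, which happens after DNAT. One way to do it, as an added example that is not the poster's configuration or anything from this thread: mark each incoming connection by destination port in the mangle table, DNAT it to 192.168.0.100:22, and give every mark its own routing table holding a host route for 192.168.0.100 on that VLAN's interface. The script assumes (none of this is stated in the thread) that routing tables 1..51, fwmarks 1..51 and rule preferences 1001..1051 are unused on the server, that the VLAN, port and table numbers line up as 40NN / 42NN / NN, and that MASQUERADE on the VLAN side is acceptable so the devices need no route back to 172.30.x.x.

```shell
#!/bin/sh
# Added example, not the poster's own configuration.
# rnd (172.30.20.13) port 42NN -> 192.168.0.100:22 on ts_mgmt.40NN, for NN = 01..51,
# even though every VLAN carries the same device address. The output interface is
# chosen by policy routing (fwmark -> per-VLAN table), not by iptables -o.
#
# Assumptions (not in the thread): tables 1..51, fwmarks 1..51 and rule
# preferences 1001..1051 are free; VLAN/port/table numbers line up as 40NN/42NN/NN.

WAN_IF=rnd
WAN_IP=172.30.20.13
TRUNK=ts_mgmt
DEV_IP=192.168.0.100
DEV_PORT=22
COUNT=51

# Print the commands for one device (idx = 1..51). Printing rather than
# executing lets the whole rule set be reviewed first; "apply" pipes it to sh.
rules_for_index() {
    idx=$1
    vlan=$((4000 + idx))
    port=$((4200 + idx))
    ifc="${TRUNK}.${vlan}"
    cat <<EOF
# --- VLAN ${vlan}: ${WAN_IP}:${port} -> ${DEV_IP}:${DEV_PORT} via ${ifc}
# per-VLAN table with a host route for the shared device address on this interface
ip route replace ${DEV_IP}/32 dev ${ifc} table ${idx}
# marked packets consult that table (del first so re-runs do not duplicate the rule)
ip rule del pref $((1000 + idx)) 2>/dev/null || true
ip rule add fwmark ${idx} lookup ${idx} pref $((1000 + idx))
# mangle PREROUTING runs before nat PREROUTING, so it still sees the original
# destination port on every packet of the flow, not only the first one
iptables -t mangle -A PREROUTING -i ${WAN_IF} -p tcp -d ${WAN_IP} --dport ${port} -j MARK --set-mark ${idx}
iptables -t nat -A PREROUTING -i ${WAN_IF} -p tcp -d ${WAN_IP} --dport ${port} -j DNAT --to-destination ${DEV_IP}:${DEV_PORT}
# replies come back to 192.168.0.1 on the same VLAN; the device needs no route to 172.30.x.x
iptables -t nat -A POSTROUTING -o ${ifc} -p tcp -d ${DEV_IP} --dport ${DEV_PORT} -j MASQUERADE
iptables -A FORWARD -i ${WAN_IF} -o ${ifc} -p tcp -d ${DEV_IP} --dport ${DEV_PORT} -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ${ifc} -o ${WAN_IF} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 192.168.0.0/24 is reachable on 51 interfaces, so strict reverse-path filtering would
# drop replies on 50 of them; loose mode (2) accepts a source reachable on any interface
echo 2 > /proc/sys/net/ipv4/conf/${ifc}/rp_filter
EOF
}

# The complete rule set: forwarding on once, then one block per VLAN.
all_rules() {
    echo "sysctl -q -w net.ipv4.ip_forward=1"
    i=1
    while [ "$i" -le "$COUNT" ]; do
        rules_for_index "$i"
        i=$((i + 1))
    done
}

# Usage: sh vlan_dnat.sh        -> print the rule set for review
#        sh vlan_dnat.sh apply  -> execute it (as root)
case "${1:-print}" in
    apply) all_rules | sh -e ;;
    *) all_rules ;;
esac
```

The iptables lines use -A, so running "apply" twice appends duplicate rules; flush the relevant chains first or check with -C before re-adding. To confirm the routing side without sending traffic, ip route get 192.168.0.100 mark 9 should answer with dev ts_mgmt.4009, and the fwmark rules appear in ip rule show. This only covers IPv4; rnd also has global IPv6 addresses, which need their own ip6tables rules if the devices are to be reachable that way.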
 


dos2unix

Well-Known Member, joined May 3, 2019
How many NICs do you have? Are you trying to do this through your main NIC?
 
metzenas (OP)
How many NICs do you have? Are you trying to do this through your main NIC?
I have 7 NICs currently in use, but only the one with the rnd interface (172.30.20.13) will need to be listening for incoming connections, and all the 51 VLAN networks are on another NIC that is connected to the trunk port of the network switch. The listening interface is renamed to rnd just to make identification easier, since the list of interfaces is long.

This server doesn't really have a main NIC. It just has a bunch of interfaces connected to different networks, and most of the time the server is disconnected from the internet, since we don't want to accidentally flood some test traffic outside.
 