How do I forward localhost traffic to a remote host with iptables?

iptables centos routing redhat

I would like to set up my CentOS 6.5 box to forward connections to localhost (127.0.0.1) to the same port on a remote machine (e.g. 10.0.3.10).

I've tried the iptables rule below, but when I attempt to connect, it just hangs:

iptables -t nat -I OUTPUT --src 0/0 --dst 127.0.0.1 -p tcp --dport 8888 \
    -j DNAT --to-destination=10.0.3.10:8888

Running tcpdump on the remote machine, I can see that there was no incoming traffic. I've done some google searches, but haven't turned up anything particularly useful. I've also confirmed that my sysctl.conf file contains net.ipv4.ip_forward = 1.

Edit I've added logging in response to one of the comments below. It produces no output when I go to 127.0.0.1:8888 but does produce output when going to 10.0.3.10:

# Generated by iptables-save v1.4.7 on Tue Jul 29 12:52:17 2014
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [11:1008]
:OUTPUT ACCEPT [11:1008]
:LOGGING - [0:0]
-A OUTPUT -p tcp -m tcp -d 10.0.3.10 --dport 8888 -j LOGGING
-A LOGGING -j LOG --log-prefix "IPTABLES: "
-A LOGGING -j ACCEPT
-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 8888 -j DNAT --to-destination 10.0.3.10:8
888
COMMIT
# Completed on Tue Jul 29 12:52:17 2014
# Generated by iptables-save v1.4.7 on Tue Jul 29 12:52:17 2014
*filter
:INPUT ACCEPT [50:2776]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [49:4336]
COMMIT
# Completed on Tue Jul 29 12:52:17 2014

Solution 1:

I do not know how to configure iptables on this machine to do as you want. I usually use in such case SSH tunneling. I find it easy to set-up (personal opinion here!) ;-) but ... you need to have an SSH connection on your localhost (it does not need to be accessible from remote!).

The command syntax in this case is:

ssh -f -C -N -L [<bind address>:]<local port>:<remote host name>:<remote service port> [-p <ssh port>] [<username>@]<remote host outside name>

So for you that would mean:

ssh -f -C -N -L 127.0.0.1:8888:10.0.3.10:8888 localhost

Solution 2:

The trick involves enabling localhost/localnet route processing for your outbound interface with:

sysctl -w net.ipv4.conf.all.route_localnet=1

Then this works:

iptables -t nat -A OUTPUT -m addrtype --src-type LOCAL --dst-type LOCAL -p tcp --dport 8888 -j DNAT --to-destination 10.0.3.10
iptables -t nat -A POSTROUTING -m addrtype --src-type LOCAL --dst-type UNICAST -j MASQUERADE

Related

check several user agent in nginx
How install SSL certificate for RDS on windows server 2016?
Securing WordPress Blog Installation
VMware - Create VM out of a current desktop
/var is using 91.4% of 3.99GB in new Ubuntu dedicated server from 1and1
lots of failed SSH login attempts - should I be concerned? [duplicate]
Why query params are not reaching the interface?
Is there an open source email client that will work with Exchange 2007?
Oracle difference between SID, DB Name, DB Domain, Global Database Name, Service Name, Service Alias and Instance Name
Redirect nohup to stdout
What alternatives do I have for telephony if my LEC says the Central Office has an issue?
Windows File Permissions and Attributes