I have a server bound to localhost:7060. It is using an IPv6 socket instead of IPv4. Below is the netstat output.
# netstat -an
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 10.200.32.98:1720 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:4122 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:4123 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:4123 127.0.0.1:43051 ESTABLISHED
tcp 0 0 10.200.32.98:5555 10.200.32.44:53162 ESTABLISHED
tcp6 0 0 :::5060 :::* LISTEN
tcp6 0 0 ::ffff:127.0.0.1:7060 :::* LISTEN
tcp6 0 0 :::23 :::* LISTEN
tcp6 0 0 ::ffff:10.200.32.98:23 ::ffff:10.200.32.142:43505 ESTABLISHED
tcp6 0 0 ::ffff:127.0.0.1:43051 ::ffff:127.0.0.1:4123 ESTABLISHED
tcp6 0 0 ::ffff:10.200.32.98:23 ::ffff:10.200.32.44:53195 ESTABLISHED
udp6 0 0 :::5060 :::* CLOSE
#
I want to set up a port forwarding rule that accepts connections on port 24 (on all interfaces, loopback as well as eth0) and forwards the data to localhost:7060.
This is how I am setting up the iptables rule:
iptables -t nat -A PREROUTING -p tcp --dport 24 -j DNAT --to-destination 127.0.0.1:7060
It is not working. When I telnet from a different box, I see the following:
$ telnet 10.200.32.98 24
Trying 10.200.32.98...
If I change the server to bind to *:7060 and set the following rule, it seems to work fine:
iptables -t nat -A PREROUTING -p tcp --dport 24 -j REDIRECT --to-ports 7060
But that will make my server available on the WAN interface, which I don't like.
I feel it has something to do with the IPv6 socket (the tcp6 line in the netstat output). This whole thing is done on an Android device with a custom-built Android platform image.
How do I get this working?
Best Answer
When the response packets come back from port 7060 and are sent to the router, they also need a source-masking operation to rewrite their source address to the router's address (127.0.0.1) and their port to 24. So you need to add an SNAT iptables rule to make it work.
Even though the packets are generated by localhost, they still go through the POSTROUTING chain. REDIRECT does these two things for you automatically, but if your service is on another server in your local network, you have to use SNAT and DNAT.
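The DNAT plus SNAT rule set the answer describes, written out as a dry-run script. This is an added example, not code from the question or the answer. The interface name eth0, the listener 127.0.0.1:7060 and the public port 24 are taken from the question; the OUTPUT-chain rule for locally originated connections and the route_localnet sysctl (a kernel requirement on Linux 3.6 and later, not mentioned in the answer) are additions assumed to apply to this setup.

```sh
#!/bin/sh
# Added example (not from the original post or answer): emit, and optionally
# apply, the NAT rules that expose a 127.0.0.1 listener on another port.
# Defaults are the values from the question; override them via environment.
IFACE="${IFACE:-eth0}"            # assumed external interface
IN_PORT="${IN_PORT:-24}"          # port clients connect to
SVC_ADDR="${SVC_ADDR:-127.0.0.1}" # address the server is bound to
SVC_PORT="${SVC_PORT:-7060}"      # port the server is bound to

# nat_rules prints one command per line and runs nothing (dry run), so the
# rule set can be reviewed before it touches the firewall.
nat_rules() {
    # 1. Connections arriving on eth0 from other hosts: PREROUTING rewrites the
    #    destination to the loopback listener (the answer's DNAT step).
    echo "iptables -t nat -A PREROUTING -i $IFACE -p tcp --dport $IN_PORT -j DNAT --to-destination $SVC_ADDR:$SVC_PORT"
    # 2. Locally generated connections never traverse PREROUTING; the nat OUTPUT
    #    chain handles 'telnet 127.0.0.1 24' on the device itself.
    echo "iptables -t nat -A OUTPUT -o lo -p tcp --dport $IN_PORT -j DNAT --to-destination $SVC_ADDR:$SVC_PORT"
    # 3. The answer's SNAT step: the forwarded flow leaves with the loopback
    #    address as its source, so the listener replies to the host, and
    #    conntrack then reverses both translations on the way back.
    echo "iptables -t nat -A POSTROUTING -p tcp -d $SVC_ADDR --dport $SVC_PORT -j SNAT --to-source $SVC_ADDR"
    # 4. Kernel caveat beyond the answer (assumed to apply here): since Linux 3.6
    #    a packet DNATed to 127.0.0.0/8 that arrived on a non-loopback interface
    #    is dropped as a martian unless route_localnet is enabled on that interface.
    echo "sysctl -w net.ipv4.conf.$IFACE.route_localnet=1"
}

# rule_count returns how many commands the dry run produced.
rule_count() {
    nat_rules | wc -l | tr -d ' '
}

# apply_rules executes the emitted commands as root; stops on the first failure.
apply_rules() {
    nat_rules | while IFS= read -r cmd; do
        eval "$cmd" || return 1
    done
}

# Default action is the dry run; APPLY=1 ./nat.sh installs the rules.
if [ "${APPLY:-0}" = 1 ]; then
    apply_rules
else
    nat_rules
fi
```

Run it once without APPLY to read the rules, then with APPLY=1 as root. Because the PREROUTING rule is restricted with -i eth0 and the server stays bound to 127.0.0.1, nothing new listens on the WAN side except port 24 itself.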