iptables to the rescue
The power of the Linux OS never ceases to amaze me. Recently at work I was working on an upgrade for a customer. We managed to forget to capture one of the required steps to complete the upgrade effectively, which was to ask the customer to add a new IP address and port number to their outgoing firewall rules so that our software could connect to the new service. Since we had forgotten to do this the software was unable to connect, and I began looking for workarounds.
My first attempt was to use a custom NAT rule in our Cisco ASA so I contacted our service provider and asked them to set this up for us. This rule needed to identify the incoming packets by the source IP and the destination port and redirect these to a different internal IP address and port than the default NAT rule that is in place for that server.
After half an hour of attempts they told me they were unable to complete my request and that it could not be done. I fully expect it could be done; the tech just didn’t know how to do it. With my plan B option out of the way I figured I would try to make it happen myself using iptables rules.
Since the connection to the old server was still allowed by the customer's firewall, I accessed that server and added some rules to the PREROUTING and POSTROUTING chains of the iptables nat table. Before I did this I had to enable IP forwarding in the Linux kernel:
echo "1" > /proc/sys/net/ipv4/ip_forward
Once this was done I added the following two rules:
iptables -t nat -A PREROUTING -p tcp -s 126.96.36.199 --dport 1111 -j DNAT --to-destination 188.8.131.52:1112
iptables -t nat -A POSTROUTING -p tcp --dport 1112 -j MASQUERADE
Thinking this was all I needed, I set about testing, only to find that it was not working. I eventually remembered that the default policy on the FORWARD chain was to DROP the packets, so I had to add the following rule to correct that:
iptables -A FORWARD -p tcp -s 184.108.40.206 -d 220.127.116.11 --dport 1112 -j ACCEPT
Once this was done the redirection of the old port was working and I was able to get my customer connected to the new service without them having made the change to their outgoing firewall rules.
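The same redirect as a small POSIX shell helper, added here as an example rather than the post's own commands. It generates the four-part setup (IP forwarding, DNAT in PREROUTING, MASQUERADE in POSTROUTING, FORWARD accepts) for constructed placeholder addresses, scopes each rule to the one client, one old port and one new destination, admits return traffic through conntrack, and only executes the rules when run with --apply (which assumes root and an iptables build with the conntrack match).

```shell
#!/bin/sh
# Port-redirect helper (added example, not the original post's code).
# Prints the rules by default; "--apply" pipes them into a shell.
# Addresses and ports are constructed placeholders, not the post's values.
CLIENT_IP="${CLIENT_IP:-203.0.113.10}"   # customer host their firewall lets out
OLD_PORT="${OLD_PORT:-1111}"             # port still reachable on the old server
NEW_IP="${NEW_IP:-192.0.2.20}"           # new service host
NEW_PORT="${NEW_PORT:-1112}"             # new service port

# valid_port: digits only, 1..65535
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_ipv4: four dotted octets, each 0..255
valid_ipv4() {
  printf '%s\n' "$1" | awk -F. 'NF!=4{exit 1}
    {for(i=1;i<=4;i++) if($i!~/^[0-9]+$/ || $i>255) exit 1}'
}

# build_rules CLIENT OLD_PORT NEW_IP NEW_PORT: print one command per line.
# The MASQUERADE rule also matches the new destination, so traffic that
# merely shares the port number is not rewritten; the FORWARD rules admit
# only this flow and its replies instead of everything with that port.
# sysctl -w is not persistent across reboots; set it in sysctl.conf too.
build_rules() {
  client="$1"; oport="$2"; nip="$3"; nport="$4"
  valid_ipv4 "$client" && valid_ipv4 "$nip" && valid_port "$oport" && valid_port "$nport" || return 1
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -p tcp -s $client --dport $oport -j DNAT --to-destination $nip:$nport
iptables -t nat -A POSTROUTING -p tcp -d $nip --dport $nport -j MASQUERADE
iptables -A FORWARD -p tcp -s $client -d $nip --dport $nport -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -s $nip --sport $nport -d $client -m conntrack --ctstate ESTABLISHED -j ACCEPT
EOF
}

# rule_count: number of commands generated, for a quick sanity check
rule_count() { build_rules "$@" | wc -l | tr -d ' '; }

if [ "${1:-}" = "--apply" ]; then
  build_rules "$CLIENT_IP" "$OLD_PORT" "$NEW_IP" "$NEW_PORT" | sh -e
else
  build_rules "$CLIENT_IP" "$OLD_PORT" "$NEW_IP" "$NEW_PORT"
fi
```

Review the printed rules (and check `iptables -t nat -L -n` afterwards) before and after applying; the rules are not saved, so they are gone at the next reboot unless you persist them.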