Hello,


On one server, an iptables rule like:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 48280 -j DNAT --to 10.8.0.2:48280


worked to forward the server's incoming traffic on the mentioned port into the VPN tunnel, where the VPN client's network interface has IP 10.8.0.2. The port appeared as open.

Now when I tried the same rule on a different server, the port appears closed, even though I tried disabling the client's firewall.


ifconfig shows the server has only lo, eth0 and tun0 interfaces, so eth0 should be correct.


Which commands would you use to discover where the incoming traffic is stuck?


Some details about the server:

Red Hat-based CentOS 7, kernel 3.10, iptables v1.4.21

lsmod|grep nat

xt_nat 12681 6
nf_nat_masquerade_ipv4 13430 1 ipt_MASQUERADE
iptable_nat 12875 1
nf_nat_ipv4 14115 1 iptable_nat
nf_nat 26583 3 nf_nat_ipv4,xt_nat,nf_nat_masquerade_ipv4
nf_conntrack 139224 5 nf_nat,nf_nat_ipv4,xt_conntrack,nf_nat_masquerade_ipv4,nf_conntrack_ipv4
ip_tables 27126 5 iptable_security,iptable_filter,iptable_mangle,iptable_nat,iptable_raw
libcrc32c 12644 3 xfs,nf_nat,nf_conntrack

iptables-save|egrep -i "reject|drop|deny"

:POST_public_deny - [0:0]
:PRE_public_deny - [0:0]
-A POST_public -j POST_public_deny
-A PRE_public -j PRE_public_deny
:PRE_public_deny - [0:0]
-A PRE_public -j PRE_public_deny
:PRE_public_deny - [0:0]
-A PRE_public -j PRE_public_deny
:FWDI_public_deny - [0:0]
:FWDO_public_deny - [0:0]
:IN_public_deny - [0:0]
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol none -j DROP
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p udp -m udp --dport 1701 -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j DROP

iptables-save|egrep -i nat

*nat
-A PREROUTING -p tcp -m tcp --dport 12345 -j DNAT --to-destination 127.0.0.1:1082
-A PREROUTING -s 107.186.1.0/24 -p tcp -m tcp --dport 21 -j DNAT --to-destination 1.2.3.4:21
-A PREROUTING -i eth0 -p udp -m udp --dport 48281 -j DNAT --to-destination 10.8.0.2:48281
-A PREROUTING -i eth0 -p udp -m udp --dport 8889 -j DNAT --to-destination 10.8.0.2:8889
-A PREROUTING -i eth0 -p tcp -m tcp --dport 48280 -j DNAT --to-destination 10.8.0.2:48280
-A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to-source 1.2.3.4
(1.2.3.4 being the server's public IP)


Regarding the client, it is Windows 10.
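An added example, not part of the original post, to go with the question about which commands show where the traffic stops. A DNAT rule in nat/PREROUTING only rewrites the destination; the rewritten packet still has to pass the filter table's FORWARD chain and net.ipv4.ip_forward has to be 1 before it reaches tun0. The POSIX shell script below takes an iptables-save dump (a constructed sample modeled on the rules above by default, or a file given as its first argument) and works out, offline, which PREROUTING rule rewrites a given port and what verdict a new connection to that port gets in FORWARD; it then lists the host-side counter and capture commands that confirm the result on the live machine. The DNAT rule, the FORWARD rules and the chain names come from the post; FIXED_DUMP, the function names and the report wording are this example's own assumptions. Parsing is deliberately simple: -i/-o and address matches are ignored, port ranges are not understood, and jumps into user chains (firewalld's zone chains, for instance) are reported rather than followed.

```shell
#!/bin/sh
# Added example, not from the original post: offline checks over an
# iptables-save dump for the usual reasons a DNAT-forwarded port looks closed.
# Usage: sh dnat_check.sh [dump-file] [proto] [port]; without a dump-file the
# constructed SAMPLE_DUMP below is used.

# Constructed sample modeled on the post's rules; chain policies are assumed.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 48280 -j DNAT --to-destination 10.8.0.2:48280
-A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to-source 1.2.3.4
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j DROP
COMMIT'

# Constructed counterpart (this example's assumption) whose FORWARD chain lets
# the DNATed connection through before the catch-all DROP.
FIXED_DUMP='*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun0 -d 10.8.0.2/32 -p tcp -m tcp --dport 48280 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -j DROP
COMMIT'

# dnat_target DUMP PROTO PORT: print the --to-destination of the first
# nat/PREROUTING DNAT rule for PROTO/PORT; prints nothing if there is none.
dnat_target() {
    printf '%s\n' "$1" |
        sed -n "s/^-A PREROUTING .*-p $2 .*--dport $3 .*-j DNAT --to-destination \([^ ]*\).*/\1/p" |
        head -n 1
}

# forward_verdict DUMP PROTO PORT: walk filter/FORWARD as a new PROTO/PORT
# connection would and print ACCEPT, DROP, REJECT, JUMP:<chain> or POLICY:<p>.
# Interface and address matches are ignored; port ranges are not understood.
forward_verdict() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
        /^\*/              { table = substr($0, 2); next }
        table != "filter"  { next }
        /^:FORWARD /       { policy = $2; next }
        /^-A FORWARD /     {
            skip = 0; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-p" && $(i + 1) != proto) skip = 1
                if ($i == "--dport" && $(i + 1) != port) skip = 1
                # a fresh SYN is NEW, so INVALID- or ESTABLISHED-only rules do not apply
                if ($i == "--ctstate" && index($(i + 1), "NEW") == 0) skip = 1
                if ($i == "-j") target = $(i + 1)
            }
            if (skip || target == "") next
            if (target == "ACCEPT" || target == "DROP" || target == "REJECT") print target
            else print "JUMP:" target
            done = 1; exit
        }
        END { if (!done) print "POLICY:" policy }'
}

# report DUMP PROTO PORT: human-readable findings for one forwarded port.
report() {
    target=$(dnat_target "$1" "$2" "$3")
    if [ -z "$target" ]; then
        echo "nat/PREROUTING: no DNAT rule for $2/$3 (check -i, -p and --dport)"
    else
        echo "nat/PREROUTING: $2/$3 is rewritten to $target"
    fi
    verdict=$(forward_verdict "$1" "$2" "$3")
    case $verdict in
        ACCEPT) echo "filter/FORWARD: new $2/$3 connections are accepted" ;;
        JUMP:*) echo "filter/FORWARD: decided in user chain ${verdict#JUMP:}; inspect it" ;;
        *)      echo "filter/FORWARD: new $2/$3 connections end in $verdict;" \
                     "an ACCEPT for them has to come before that" ;;
    esac
}

# live_commands PROTO PORT: host-side commands (run as root) that show which
# stage the packets reach; printed rather than executed so this stays read-only.
live_commands() {
    cat <<EOF
# on the server, as root:
sysctl net.ipv4.ip_forward                    # must be 1 for forwarding to tun0
iptables -t nat -L PREROUTING -v -n | grep $2 # pkts counter rises if DNAT matched
iptables -L FORWARD -v -n                     # which FORWARD rule takes the packet
tcpdump -ni eth0 '$1 port $2'                 # does the packet arrive at all?
tcpdump -ni tun0 '$1 port $2'                 # does it leave into the tunnel?
conntrack -L -p $1 --dport $2                 # is there a NAT entry for it?
EOF
}

if [ -n "${1:-}" ]; then DUMP=$(cat "$1"); else DUMP=$SAMPLE_DUMP; fi
report "$DUMP" "${2:-tcp}" "${3:-48280}"
live_commands "${2:-tcp}" "${3:-48280}"
```

On the real host, save the ruleset first and point the script at it (`iptables-save > /tmp/rules.txt; sh dnat_check.sh /tmp/rules.txt tcp 48280`), then run the printed commands while a connection attempt is in flight: a rising counter on the PREROUTING rule with nothing on tun0 points at FORWARD or ip_forward, while no packets on eth0 at all means the traffic never reaches the server.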