Simple IPTables port redirection.

To redirect a single port with IPTables:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 123 -j REDIRECT --to-port 124

This example redirects TCP port 123 to port 124. REDIRECT rewrites the destination to the address of the interface the packet arrived on, so the rule only affects connections to the router itself; for UDP, use -p udp instead of -p tcp.

July 28th, 2008
By Joe | filed under Firewall, Network

Block XMAS and NULL scans with IPTables

Simple little rules to drop XMAS (all flags in the TCP header set, hence “lit up like an Xmas tree!”) and NULL (no flags set) port scans.

iptables -t nat -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
iptables -t nat -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP

You can add these rules to a separate chain for TCP if you have a high-traffic firewall. More information on chains here.
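As an added example (not part of Joe's post), the POSIX sh script below does what the paragraph suggests: the two scan matches go into their own chain, placed in the filter table rather than nat (the nat table only sees the first packet of each connection and is not meant for filtering), with a rate-limited LOG before each DROP so hits show up in the kernel log. The chain name SCANS, the log prefixes and the rate limit are assumptions; run with IPT=echo to print the rules instead of applying them.

```sh
#!/bin/sh
# Added example, not from the original post. Builds a dedicated chain for
# XMAS/NULL scan packets. IPT, CHAIN and the log settings are assumptions;
# IPT=echo gives a dry run that only prints the rules.
set -eu
IPT="${IPT:-iptables}"
CHAIN="${CHAIN:-SCANS}"

# Create the chain (flush it if it already exists) and fill it.
add_scan_chain() {
    $IPT -N "$CHAIN" 2>/dev/null || $IPT -F "$CHAIN"
    # XMAS: every TCP flag set. Log at most 5/min, then drop.
    $IPT -A "$CHAIN" -p tcp --tcp-flags ALL ALL -m limit --limit 5/min -j LOG --log-prefix "XMAS scan: "
    $IPT -A "$CHAIN" -p tcp --tcp-flags ALL ALL -j DROP
    # NULL: no TCP flag set.
    $IPT -A "$CHAIN" -p tcp --tcp-flags ALL NONE -m limit --limit 5/min -j LOG --log-prefix "NULL scan: "
    $IPT -A "$CHAIN" -p tcp --tcp-flags ALL NONE -j DROP
    # Everything else goes back to the calling chain.
    $IPT -A "$CHAIN" -j RETURN
}

# Send TCP traffic for the router itself and forwarded TCP traffic through the
# chain as rule 1, ahead of any ACCEPT rules, so scan packets never match a
# state rule first.
hook_scan_chain() {
    $IPT -I INPUT 1 -p tcp -j "$CHAIN"
    $IPT -I FORWARD 1 -p tcp -j "$CHAIN"
}

# Only touch the live ruleset when explicitly asked: ./scanchain.sh apply
case "${1-}" in
    apply) add_scan_chain; hook_scan_chain ;;
esac
```

Because the chain is hooked with -I ... 1, it stays first even if the rest of the firewall script appends rules afterwards; a quick `iptables -L SCANS -v -n` shows per-rule packet counters, which is the simplest way to see whether anything is actually being caught.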

July 28th, 2008
By Joe | filed under Firewall, Network

1 – 1 NAT with Dynamic NAPT on a Linksys WRT54G

A Linksys WRT54G provides a cheap and easy Linux platform in a small physical package. I use the DD-WRT firmware available from www.dd-wrt.com.

Dynamic Network Address Translation maps several internal addresses to a single external address, so all connections appear to come from that address. Sometimes it is desirable to have static NAT instead, where several external addresses are each forwarded to a particular internal host.

For example:

195.167.182.123 -> 10.0.0.1
195.167.182.124 -> 10.0.0.2
195.167.182.125 -> 10.0.0.x

It may be useful to have a “catch all” address that all other internal hosts are translated to; this is shown in the last line of the example above.

First, add the external addresses as aliases on the external interface of the WRT54G, which is vlan1.

ifconfig vlan1:1 195.167.182.124 netmask 255.255.255.248 broadcast 195.167.182.127
ifconfig vlan1:2 195.167.182.125 netmask 255.255.255.248 broadcast 195.167.182.127

The catch-all address is already configured as the router's external address.

The following IPTables commands will add NAT for these addresses, and ensure all other traffic is translated to the main address.

# Default accept all.
iptables -P OUTPUT ACCEPT
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT

# Clear all chains: flush every chain in every table, then delete user-defined chains.
cat /proc/net/ip_tables_names | while read table; do
    iptables -t $table -L -n | while read c chain rest; do
        if test "X$c" = "XChain" ; then
            iptables -t $table -F $chain
        fi
    done
    iptables -t $table -X
done

# Reset counters.
iptables -Z

# Allow new connections on the loopback interface.
iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o lo -m state --state NEW -j ACCEPT
# Allow established and related connections.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# NAT mapping for 195.167.182.123 -> 10.0.0.1
iptables -t nat -I PREROUTING -i vlan1 -d 195.167.182.123 -j DNAT --to-destination 10.0.0.1
iptables -t nat -I POSTROUTING -o vlan1 -s 10.0.0.1 -j SNAT --to-source 195.167.182.123

# NAT mapping for 195.167.182.124 -> 10.0.0.2
iptables -t nat -I PREROUTING -i vlan1 -d 195.167.182.124 -j DNAT --to-destination 10.0.0.2
iptables -t nat -I POSTROUTING -o vlan1 -s 10.0.0.2 -j SNAT --to-source 195.167.182.124

# NAT all other connections.
iptables -t nat -A POSTROUTING -o vlan1 -s 10.0.0.0/24 -j MASQUERADE

# Clamp the TCP MSS to the path MTU on outgoing SYNs.
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1421:65535 -j TCPMSS --clamp-mss-to-pmtu
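The DNAT/SNAT pair above is duplicated by hand for every mapping. As an added example (not from the original post), the POSIX sh script below drives the same pairs from a list, refuses any public address that is not actually configured on vlan1 (a DNAT for an address the router does not hold never sees a packet), and appends the MASQUERADE catch-all last so it only covers hosts without a static mapping. The mapping list, the variable names, the wan_has_address check and the SKIP_ADDR_CHECK switch are assumptions; IPT=echo gives a dry run.

```sh
#!/bin/sh
# Added example, not from the original post: data-driven 1:1 NAT for the WRT54G.
# IPT, WAN, LAN_NET, MAPPINGS and the address check are assumptions.
set -eu
IPT="${IPT:-iptables}"
WAN="${WAN:-vlan1}"
LAN_NET="${LAN_NET:-10.0.0.0/24}"

# "public private" pairs, one per line (constructed from the post's example).
# The first public address is the router's own WAN address; the rest must
# already exist as vlan1:N aliases.
MAPPINGS="${MAPPINGS:-
195.167.182.123 10.0.0.1
195.167.182.124 10.0.0.2
}"

# True when the address is configured on some interface (busybox "inet addr:X"
# and net-tools "inet X" output both match). -w stops 195.167.182.124 from
# matching 195.167.182.1241.
wan_has_address() {
    ifconfig 2>/dev/null | grep -E 'inet (addr:)?' | grep -Fqw "$1"
}

# Static NAT for one pair: inbound DNAT on the public address, outbound SNAT
# from the private host, inserted ahead of the MASQUERADE catch-all.
add_one_to_one() {
    pub=$1; priv=$2
    $IPT -t nat -I PREROUTING -i "$WAN" -d "$pub" -j DNAT --to-destination "$priv"
    $IPT -t nat -I POSTROUTING -o "$WAN" -s "$priv" -j SNAT --to-source "$pub"
}

# Everything else from the LAN leaves as the router's own address.
add_catch_all() {
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

# Walk the list, skipping (and reporting) pairs whose public address is missing.
# SKIP_ADDR_CHECK=1 bypasses the ifconfig lookup, e.g. for a dry run.
apply_mappings() {
    printf '%s\n' "$MAPPINGS" | while read -r pub priv; do
        [ -n "$pub" ] || continue
        if [ "${SKIP_ADDR_CHECK:-0}" = 0 ] && ! wan_has_address "$pub"; then
            echo "skip $pub -> $priv: $pub is not configured on $WAN" >&2
            continue
        fi
        add_one_to_one "$pub" "$priv"
    done
    add_catch_all
}

# Only touch the live ruleset when explicitly asked: ./nat.sh apply
case "${1-}" in
    apply) apply_mappings ;;
esac
```

Run it after the flush and state rules from the script above, since it only adds the nat-table entries. Checking the aliases before adding rules matters on the WRT54G in particular: the ifconfig aliases are not persistent across a reboot unless they are in the startup script, and a DNAT rule for a missing alias fails silently rather than loudly.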

July 18th, 2007
By Joe | filed under Firewall, Network