We Keep Coding

AWS ubuntu iptable port forwarding between its two interfaces

I have an AWS ubuntu instance with the following network interfaces:
ens5, ip: 172.XX.XX.XX
A5TAP, ip:192.168.233.1 (VPN)
How do I udp port forward port 10000-10200 to 192.168.233.52:10000-10200?
I tried a the obvious commands below for a single port 10009, but it is not working:
sudo iptables -t nat -A PREROUTING -p udp --dport 10009 -j DNAT --to-destination 192.168.233.52:10009
sudo iptables -t nat -A POSTROUTING -p udp -d 192.168.233.52 --dport 10009 -j SNAT --to-source 172.XX.XX.XX
sudo iptables -t nat -L -n
=======What I tried so far:
I am trying to port forward port 10009 all udp traffic to ens5, to 192.168.233.52 in A5TAP:
172.XX.XX.XX:10009 -> 192.168.233.52:10009
The udp stream is a video stream.
I followed this tutorial, but it is not working. As when I shoot the udp stream to 172.XX.XX.XX:10009, no video is showing.
If I do sudo tcpdump -i ens5 -n udp port 10009:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens5, link-type EN10MB (Ethernet), capture size 262144 bytes
14:08:51.035226 IP 59.XXX.XXX.XXX.46696 > 172.XX.XX.XX.10009: UDP, length 1400
14:08:51.035703 IP 59.XXX.XXX.XXX.46696 > 172.XX.XX.XX.10009: UDP, length 510
(and so on....)
That means my AWS instance is receiving the video stream from my machine.
But when I do sudo tcpdump -i A5TAP -n udp port 10009, there are no traffics.
If I joined the machine with video stream to A5TAP VPN, and send udp stream to 192.168.233.52:10009, I can see the stream.
Thanks to maxstr's answer, the port forwarding between interfaces in the same machine worked:
sudo tcpdump -i A5TAP -n udp port 10009:
07:45:53.701800 IP 192.168.233.1.49538 > 192.168.233.52.10009: UDP, length 700

I believe what you want is the following:
sudo iptables -t nat -A OUTPUT -p udp --dport 10009 -j DNAT --to-destination 192.168.233.52:10009
because the PREROUTING chain will not be in the path of local outbound traffic. OUTPUT will.

Ubuntu 14.01 Host / Ubuntu 14.01 Container; Postfix does not send mail; telnet does not connect to outside host

==== Basic information ====
iRedMail version (check /etc/iredmail-release): iRedMail-0.9.5-1
Linux/BSD distribution name and version: Ubuntu 14.01 container inside Ubuntu 14.01 TurnkeyLinux Core
Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
Web server (Apache or Nginx): Apache
Postfix log excerpt:
Jan 6 10:24:38 iredmail postfix/submission/smtpd[2631]: connect from x.y.z[127.0.0.1]
Jan 6 10:24:38 iredmail postfix/submission/smtpd[2631]: Anonymous TLS connection established from x.y.z[127.0.0.1]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jan 6 10:24:38 iredmail postfix/submission/smtpd[2631]: 6EEA060306: client=x.y.z[127.0.0.1], sasl_method=LOGIN, sasl_username=address#x.y.z
Jan 6 10:24:38 iredmail postfix/cleanup[2636]: 6EEA060306: message-id=
Jan 6 10:24:38 iredmail roundcube: User iaaberga [192.168.121.1]; Message for destination#gmail.com; 250: 2.0.0 Ok: queued as 6EEA060306
Jan 6 10:24:38 iredmail postfix/qmgr[2587]: 6EEA060306: from=, size=575, nrcpt=1 (queue active)
Jan 6 10:24:38 iredmail postfix/submission/smtpd[2631]: disconnect from x.y.z[127.0.0.1]
Jan 6 10:24:38 iredmail postfix/smtpd[2648]: connect from x.y.z[127.0.0.1]
Jan 6 10:24:38 iredmail postfix/smtpd[2648]: C97F262D1B: client=x.y.z[127.0.0.1]
Jan 6 10:24:38 iredmail postfix/cleanup[2636]: C97F262D1B: message-id=
Jan 6 10:24:38 iredmail postfix/qmgr[2587]: C97F262D1B: from=, size=1628, nrcpt=1 (queue active)
Jan 6 10:24:38 iredmail postfix/smtpd[2648]: disconnect from x.y.z[127.0.0.1]
Jan 6 10:24:38 iredmail amavis[1742]: (01742-01) Passed CLEAN {RelayedInternal}, ORIGINATING/MYNETS LOCAL [127.0.0.1]:35413 -> , Queue-ID: 6EEA060306, Message-ID: , mail_id: 4QjhhYZODSHf, Hits: -2.986, size: 575, queued_as: C97F262D1B, dkim_new=dkim:y.z, 328 ms, Tests: [ALL_TRUSTED=-1,RP_MATCHES_RCVD=-3.199,TVD_RCVD_SINGLE=1.213]
Jan 6 10:24:38 iredmail postfix/smtp[2642]: 6EEA060306: to=, relay=127.0.0.1[127.0.0.1]:10026, delay=0.4, delays=0.05/0.01/0.01/0.33, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as C97F262D1B)
Jan 6 10:24:38 iredmail postfix/qmgr[2587]: 6EEA060306: removed
Jan 6 10:24:47 iredmail postfix/smtp[2618]: connect to mx6.mail.icloud.com[17.172.34.71]:25: Connection timed out
Jan 6 10:24:47 iredmail postfix/smtp[2622]: connect to alt1.gmail-smtp-in.l.google.com[173.194.69.27]:25: Connection timed out
====
Hi!
I did install iRedmail as an lxc container on an Ubuntu 14.01 / Ubuntu 14.01 host/container system.
While I can receive emails, Postfix does not send messages (that appear to be sent out in the webmail client, but do never arrive at dest).
From the container level connectivity seems to work in general: I can ssh to some host I have access to; I can use apt-get tools to install new sw, etc.
Trying to telnet alt1.gmail-smtp-in.l.google.com on port 25 does not succeed (if done from inside the container).
root#iredmail ~# telnet alt1.gmail-smtp-in.l.google.com 25
Trying 173.194.69.26...
Eventually the connection will fail.
If I do exit from the container and try the same telnet connection, all is well
root#lxc ~# telnet alt1.gmail-smtp-in.l.google.com 25
Trying 173.194.69.27...
Connected to alt1.gmail-smtp-in.l.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP t19si1302495wrb.232 - gsmtp
QUIT
221 2.0.0 closing connection t19si1302495wrb.232 - gsmtp
Connection closed by foreign host.
This is the container's iptables config:
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 12320 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 12321 -j ACCEPT
# Mail SMTP
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -p tcp -d 192.168.121.1 --dport 25 -j ACCEPT
# POP3
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
# SMTPS
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
# IMAPS
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
# IMAPS - 2
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
COMMIT
I am not familiar with containers' networking, so I might very well missing anything obvious!
It does not look to be a problem with Postfix config..
Thanks for any help,
Aldo

As it often happens (once you know the solution) the problem was trivial...
In short: a wrong NAT setting in the host was intercepting and forwarding traffic from all sources, CONTAINERS INCLUDED!!
This is the relevant part of the HOST'S iptables rules as it was:
*nat
:PREROUTING ACCEPT [22532:1479233]
:INPUT ACCEPT [22432:1472721]
:OUTPUT ACCEPT [11623:812922]
:POSTROUTING ACCEPT [2959:155572]
-A PREROUTING -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.121.174:25
-A PREROUTING -p tcp -m tcp --dport 110 -j DNAT --to-destination 192.168.121.174:110
-A PREROUTING -p tcp -m tcp --dport 143 -j DNAT --to-destination 192.168.121.174:143
-A PREROUTING -p tcp -m tcp --dport 465 -j DNAT --to-destination 192.168.121.174:465
-A PREROUTING -p tcp -m tcp --dport 587 -j DNAT --to-destination 192.168.121.174:587
-A PREROUTING -p tcp -m tcp --dport 993 -j DNAT --to-destination 192.168.121.174:993
-A PREROUTING -p tcp -m tcp --dport 995 -j DNAT --to-destination 192.168.121.174:995
-A POSTROUTING -o br0 -j MASQUERADE
-A POSTROUTING -s 192.168.121.0/24 ! -o natbr0 -j MASQUERADE
COMMIT
It tells iptables to pass all traffic say to port 25 to the virtual address of the mail server container.
This happens even for traffic from the container itself.
BINGO!!
Now this is the correct setting, where br0 is the AWS network interface that links to the outside world.
So, only packets arriving there first, should be routed to the NATted virtual address of the email server package.
*nat
:PREROUTING ACCEPT [22532:1479233]
:INPUT ACCEPT [22432:1472721]
:OUTPUT ACCEPT [11623:812922]
:POSTROUTING ACCEPT [2959:155572]
-A PREROUTING -p tcp -m tcp --in-interface br0 --dport 25 -j DNAT --to-destination 192.168.121.174:25
-A PREROUTING -p tcp -m tcp --in-interface br0 --dport 110 -j DNAT --to-destination 192.168.121.174:110
-A PREROUTING -p tcp -m tcp --in-interface br0 --dport 143 -j DNAT --to-destination 192.168.121.174:143
-A PREROUTING -p tcp -m tcp --in-interface br0 --dport 465 -j DNAT --to-destination 192.168.121.174:465
-A PREROUTING -p tcp -m tcp --in-interface br0 --dport 587 -j DNAT --to-destination 192.168.121.174:587
-A PREROUTING -p tcp -m tcp --in-interface br0 --dport 993 -j DNAT --to-destination 192.168.121.174:993
-A PREROUTING -p tcp -m tcp --in-interface br0 --dport 995 -j DNAT --to-destination 192.168.121.174:995
-A POSTROUTING -o br0 -j MASQUERADE
-A POSTROUTING -s 192.168.121.0/24 ! -o natbr0 -j MASQUERADE
COMMIT
Obviously without the interception loop the email server inside the container easily sends mail out!!

How to get the from..to offset from tcpdump output to use with iptables string match module

I'm trying to get the 'from' and 'to' offset to use in my iptables rule with the string match module. Here is my output packet from the tcpdump tool:
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
05:49:49.631211 IP xxx.xxx.xxx.xxx.57625 > xxx.xxx.xxx.xxx.13333: Flags [S], seq 1036987151, win 29200, options [mss 1460,sackOK,TS val 770422252 ecr 0,nop,wscale 7], length 0
0x0000: 4514 003c 9ee3 4000 3a06 9772 bca5 2e4d E..<..#.:..r...M
0x0010: b009 6f56 e119 2f4f 3dcf 2b0f 0000 0000 ..oV../O=.+.....
0x0020: a002 7210 6e7e 0000 0204 05b4 0402 080a ..r.n~..........
0x0030: 2deb b5ec 0000 0000 0103 0307 -...........
The hex units i'm looking for their start-end position are :
bca5 2e4d b009 6f56
My aim is to get this iptables rule to work properly:
iptables -A INPUT -p tcp --dport 13333 -m string --from xx --to yy --algo bm --hex-string "|bca52e4db0096f56|" -j DROP
By the way my rule is already working fine without using the from-to offset.
Any help will be appreciated.
Best regards.

To answer your original question, you may use :
iptables -A INPUT -p tcp --dport 13333 -m string --from 12 --to 20 --algo bm --hex-string "|bca52e4db0096f56|" -j DROP
But, there is more to get the final answer as you want to improve the efficiency of iptables by adding these two options.
What I found is a little disappointing, it seems that --to option doesn't work.
I paste the original related content of man iptables in CentOS release 6.5 (Final):
--from offset
Set the offset from which it starts looking for any matching. If not passed, default is 0.
--to offset
Set the offset from which it starts looking for any matching. If not passed, default is the packet size.
As you see, the description of option --to is wrong, so is the result of my experiment use --to option. However, --from option works fine as the description.
The final answer is that the part of the bad packet represents src ip and dest ip of ip protocol, so you may use (I don't use the ip in your packet content in your question for your privacy issue, but the ip is already exposed, so maybe you can change your question) :
iptables -A INPUT -p tcp --dport 13333 -s xx.xx.xx.xx -d xx.xx.xx.xx -j DROP
Update, use module u32:
iptables -A INPUT -p tcp --dport 13333 -m u32 --u32 "12=0xbca52e4d && 16=0xb0096f56" -j DROP

iptables:How to configure PREROUTE rule allowing port redirection from deducated IP addresses?

I have the following rule in my iptables that redirects port 5060 to 5065.
-A PREROUTING -i eth0 -p udp -m udp --dport 5060 -j REDIRECT --to-ports 5065
I 'd like to apply this rule for several external IPs only, e.g. for example, to 123.123.123.123 and 124.124.124.124 only.
I added the following rule instead of above:
-A PREROUTING -s 123.123.123.123 -i eth0 -p udp -m udp --dport 5060 -j REDIRECT --to-ports 5065
But then when I tried to add the next rule:
-A PREROUTING -s 124.124.124.124 -i eth0 -p udp -m udp --dport 5060 -j REDIRECT --to-ports 5065
I got the following message:
iptables: No chain/target/match by that name
How to put these rules properly?
Thank you in advance,

For preprouting and postrouting you have t specify that you are working on the NAT chain.
ie :
iptables -t nat -A PREROUTING -s 124.124.124.124 -i eth0 -p udp -m udp --dport 5060 -j REDIRECT --to-ports 5065

Squid 2.6 and https_port

I have a question about Squid configuration as trasparent proxy using SSL.
I would to use Squid 2.6 as trasparent proxy with http and https connection.
I followed this steps:
1) I configurated my iptables:
# Generated by iptables-save v1.4.7 on Wed Nov 9 13:37:50 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10363:2864591]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth+ -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i eth+ -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Nov 9 13:37:50 2011
# Generated by iptables-save v1.4.7 on Wed Nov 9 13:37:50 2011
*nat
:PREROUTING ACCEPT [4:650]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
COMMIT
2) I configurated my squid.conf about http_port and it work well.
3) About SSL I setted this:
https_port 3129 transparent key=/etc/squid/ssl/myhost.com-private.pem
cert=/etc/squid/ssl/myhost.com-certificate.pem
but about https not work.
If I use this command lsof -n -i -P | grep squid
about the squid I see also:
squid 6483 squid 6u IPv4 155998 0t0 UDP *:43053
squid 6483 squid 13u IPv4 156001 0t0 TCP *:3128 (LISTEN)
squid 6483 squid 14u IPv4 156003 0t0 UDP *:3130
and I not see 3129 port. Is correct this way?
Any suggestions?