Whether you are at work, at a coffee shop or on the public internet, here are some basic but effective iptables rules that lock things down (e.g. nobody can SMB or SSH to you, or reach anything else listening on the box):
# Generated by iptables-save v1.4.21 on Fri Dec 14 14:00:08 2018
*nat
:PREROUTING ACCEPT [160:19844]
:INPUT ACCEPT [4:357]
:OUTPUT ACCEPT [2955:182236]
:POSTROUTING ACCEPT [2955:182236]
COMMIT
# Completed on Fri Dec 14........
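The snippet above shows the nat table; the part that actually closes the host to inbound connections is the filter table. Below is an added example (not the original post's ruleset) of such a minimal "nothing inbound" filter table in iptables-restore format. It assumes IPv4 only (ip6tables needs its own copy) and that this host runs no service that must be reachable from the network, so SSH (22), SMB (445), RDP (3389) and everything else new is refused by the INPUT policy.

```shell
#!/bin/sh
# Added example, not the original post's ruleset: a minimal "nothing inbound"
# filter table in iptables-restore format. Assumptions: IPv4 only (ip6tables
# needs its own copy), and this host runs no service that must be reachable
# from the network, so SSH (22), SMB (445), RDP (3389) etc. are all refused.

lockdown_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# local programs talk to each other over loopback
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened (DNS, web, package updates)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets that belong to no known connection
-A INPUT -m conntrack --ctstate INVALID -j DROP
# rate-limited ping so reachability checks keep working (delete to hide from ping)
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
# anything else (new inbound SSH, SMB, RDP, ...) falls through to the INPUT DROP policy
COMMIT
EOF
}

# Returns 0 when the generated rules contain no ACCEPT for new TCP on port $1,
# i.e. that port is covered by the DROP policy.
port_is_closed() {
    if lockdown_rules | grep -q -- "--dport $1 .*-j ACCEPT"; then
        return 1
    fi
    return 0
}

# Load atomically (run as root); iptables-restore replaces the filter table in
# one step, so there is no window with a half-applied policy.
apply_lockdown() {
    lockdown_rules | iptables-restore
}

if [ "${1:-}" = "apply" ]; then
    apply_lockdown
fi
```

After applying, confirm the policy with `iptables -L INPUT -n -v` (the policy line should read DROP and the loopback and ESTABLISHED rules should be counting packets) and, from another machine, `nc -zv <your-ip> 22` should time out rather than connect. Save it with `iptables-save` into whatever file your distribution restores at boot, otherwise it is gone after a reboot.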
iptables -t NAT -A PREROUTING -s 24.30.44.0/24 -j DNAT --to-destination 10.10.10.1
iptables v1.4.7: can't initialize iptables table `NAT': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
Solution
# the table name is case sensitive: use "nat", never "NAT", or you will get the error above
iptables -t nat -A PREROUTING -s 24.30.44.0/24 -j DNAT --to-destination 10.10.10.1........
This error is commonly due to Java security or TLS settings, but there is a second cause, involving forwarded ports, that produces the same error.
1. Java Security/TLS Settings issue:
This article has the solution to change them all in Linux automatically
2. Port Forwarding Issue if your Avocent DSR is behind NAT/private IP........
iptables -t nat -A OUTPUT -m addrtype --src-type LOCAL --dst-type LOCAL -p tcp --dport 3306 -j DNAT --to-destination ip.ip.ip.ip
iptables -t nat -A POSTROUTING -m addrtype --src-type LOCAL --dst-type UNICAST -j MASQUERADE
sysctl -w net.ipv4.conf.all.route_localnet=1
Make sure you replace "ip.ip.ip.ip" with the real destination IP (a public IP in this case) and "--dport 3306" with the port you want to forward. The sysctl is needed because the kernel otherwise refuses to route packets that carry a 127.0.0.0/8 address; note that route_localnet=1 also stops the kernel from discarding packets addressed to 127.0.0.1 that arrive on other interfaces, so make sure your INPUT chain does not accept traffic for 127.0.0.0/8 from anything but lo.
Finally run the sysctl command and........
iptables -t nat -A PREROUTING -p tcp -m multiport --dports 80,443,2068,8192 -j DNAT --to-destination 192.168.1.175
Just adjust "--dports" to the ports you need and "--to-destination" to the destination IP (note the destination must be reachable from the server running iptables, and its replies must come back through that server, typically because it is on the same network and uses it as its gateway........
iptables -t nat -A PREROUTING -p tcp -m tcp -d 192.168.2.1/32 --dport 3389 -j DNAT --to-destination 192.168.5.2:3389
iptables v1.4.7: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
The above is often because the NAT modules (iptable_nat and nf_nat) are not loaded on the host node or not enabled for the container (check with lsmod | grep nat on the host and try modprobe iptable_nat), but in some cases it is actually an odd OpenVZ setting.
Che........
-A PREROUTING -d 98.98.98.5/32 -p tcp -m tcp --dport 1050 -j DNAT --to-destination 192.168.1.50:3389
The above forwards TCP port 1050 on IP 98.98.98.5 to 192.168.1.50 port 3389 (RDP); you can obviously edit the addresses and ports to meet your needs.........
This is important if you need public access to internal IPs, such as at your office, and don't want to use a VPN just to SSH into different servers:
Below forwards port "10001" to the IP 192.200.5.53 on port 22 (of course adjust it to your needs).
iptables -t nat -A PREROUTING -p tcp --dport 10001 -j DNAT --to-destination 192.200.5.53:22
Remember to enable MASQUERADE on your NAT IPs or they won't be able to talk to the outside world (........
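A DNAT rule on its own only rewrites the destination header. For the forwards shown above (port 1050 to 192.168.1.50:3389, port 10001 to 192.200.5.53:22, and the multiport variant) to work end to end, the kernel must also route between interfaces, the FORWARD chain must pass the packets, and the internal host needs MASQUERADE to answer. The following is an added example, not the original post's commands, that generates the complete set in iptables-restore format. It assumes IPv4, that the internal host uses this machine as its default gateway (so replies come back through the NAT), and an outside interface name passed as the fifth argument (the eth0 default is an assumption).

```shell
#!/bin/sh
# Added example, not the original post's commands: everything a DNAT port
# forward needs to work end to end, generated in iptables-restore format.
# Assumptions: IPv4; the internal host uses this machine as its default
# gateway (so its replies pass back through the NAT); the outside interface
# name is the 5th argument and defaults to eth0 (an assumption).

# port_forward_rules PUBLIC_IP PUBLIC_PORT INTERNAL_IP INTERNAL_PORT [EXT_IF]
port_forward_rules() {
    pub_ip=$1; pub_port=$2; int_ip=$3; int_port=$4; ext_if=${5:-eth0}
    cat <<EOF
*nat
# rewrite the destination of new TCP connections arriving on the public port
-A PREROUTING -d ${pub_ip}/32 -p tcp --dport ${pub_port} -j DNAT --to-destination ${int_ip}:${int_port}
# let the internal host reach the outside world using the gateway's address
-A POSTROUTING -s ${int_ip}/32 -o ${ext_if} -j MASQUERADE
COMMIT
*filter
# DNAT only rewrites the header; the FORWARD chain must still pass the packets.
# FORWARD sees the already-rewritten (internal) destination address.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# new inbound connections are allowed only to the forwarded port
-A FORWARD -d ${int_ip}/32 -p tcp --dport ${int_port} -m conntrack --ctstate NEW -j ACCEPT
# the internal host may open connections outward (these hit the MASQUERADE rule)
-A FORWARD -s ${int_ip}/32 -o ${ext_if} -j ACCEPT
COMMIT
EOF
}

# DNAT'd packets are routed to another host, and routing between interfaces
# is off by default, so without this the forward fails silently.
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1
}

# Extracts the DNAT target from the generated rules: a quick way to confirm the
# internal port was included (without ":port" the packet keeps the public port
# number, which usually means nothing is listening on the internal host).
forward_target() {
    port_forward_rules "$@" | sed -n 's/.*--to-destination \([^ ]*\).*/\1/p'
}

# Load as root; -n keeps the rules already present instead of flushing them:
#   enable_forwarding && port_forward_rules 98.98.98.5 1050 192.168.1.50 3389 | iptables-restore -n
```

To check the result, `iptables -t nat -L PREROUTING -n -v` should show the DNAT rule's packet counter increasing when you connect to the public port, and `iptables -L FORWARD -n -v` should show the NEW rule counting as well; if the nat counter moves but the FORWARD counter does not, ip_forward is still 0 or a FORWARD DROP policy is getting in the way.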