TransWikia.com

Redirecting Traffic to local mqtt server

Raspberry Pi Asked by Elior on October 11, 2020

I am really confused about how to redirect.

I have 2 WLANs, one used to connect to the router (wlan0) and one that I use as an AP (wlan1).

My aim is to redirect the traffic of one client connected to the AP, which connects to a remote mqtt server, to my local mqtt server.

I have tried these rules:

sudo iptables -t nat -A PREROUTING -p tcp -d 192.168.4.7 --dport 49154 -j DNAT --to 192.168.0.10:8883

sudo iptables -A FORWARD -p tcp -d 192.168.4.7 --dport 49154 -j ACCEPT

but it doesn't work. What am I doing wrong?

Update

More information about my setup:

wlan0 – connected to the internet,

wlan1 – used as an AP,

client – connected to wlan1 => internet => mqtt server (IBMcloud)

My goal is to redirect the traffic from the cloud to my local (192.168.0.10:8883) mqtt server.

pi@raspberrypi:~ $ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether dc:a6:32:29:ba:5f brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether dc:a6:32:29:ba:60 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.10/24 brd 192.168.0.255 scope global dynamic noprefixroute wlan0
       valid_lft 3019sec preferred_lft 2569sec
    inet6 fe80::f656:1efc:bea8:463a/64 scope link
       valid_lft forever preferred_lft forever
4: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0f:11:76:07:b5 brd ff:ff:ff:ff:ff:ff
    inet 192.168.4.1/24 brd 192.168.4.255 scope global noprefixroute wlan1
       valid_lft forever preferred_lft forever
    inet6 fe80::bfbd:af2d:73eb:931a/64 scope link
       valid_lft forever preferred_lft forever
pi@raspberrypi:~ $ ip route
default via 192.168.0.1 dev wlan0 proto dhcp src 192.168.0.10 metric 303
192.168.0.0/24 dev wlan0 proto dhcp scope link src 192.168.0.10 metric 303
192.168.4.0/24 dev wlan1 proto dhcp scope link src 192.168.4.1 metric 304

pi@raspberrypi:~ $ sudo iptables --list --verbose
Chain INPUT (policy ACCEPT 1470K packets, 291M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 1482K packets, 1051M bytes)
 pkts bytes target     prot opt in     out     source               destination
 1606  101K ACCEPT     tcp  --  any    any     anywhere             MAS8710BNC353.wlan   state NEW,ESTABLISHED

Chain OUTPUT (policy ACCEPT 177K packets, 116M bytes)
 pkts bytes target     prot opt in     out     source               destination
pi@raspberrypi:~ $ sudo iptables --table nat --list --verbose
Chain PREROUTING (policy ACCEPT 30024 packets, 2951K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 23499 packets, 2242K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 2323 packets, 174K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  any    eth0    anywhere             anywhere
13213 1270K MASQUERADE  all  --  any    wlan0   anywhere             anywhere
    0     0 MASQUERADE  all  --  any    wlan0   anywhere             anywhere
    0     0            tcp  --  any    wlan1   MAS8710BNC353.wlan   192.168.0.10         tcp spts:0:60000 dpt:8883

Chain OUTPUT (policy ACCEPT 9466 packets, 760K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  any    any     anywhere             anywhere             tcp dpt:8883 to:192.168.0.10:1883

2 Answers

You only need one iptables rule. To have a clean starting point please completely flush your iptables with:

rpi ~$ sudo -Es
rpi ~# iptables --policy INPUT ACCEPT
rpi ~# iptables --policy FORWARD ACCEPT
rpi ~# iptables --policy OUTPUT ACCEPT
rpi ~# iptables --table nat --flush
rpi ~# iptables --table mangle --flush
rpi ~# iptables --table raw --flush
rpi ~# iptables --flush
rpi ~# iptables --delete-chain
rpi ~# exit
rpi ~$

Then we need the port where the remote mqtt server (IBMcloud) is listening. I can't find it in your question. For this example I will use port 12345. This is the destination port that any client connected to the access point will use to connect to the mqtt server. Now use this rule:

rpi ~$ sudo iptables -t nat -A PREROUTING -p tcp --dport 12345 -j DNAT --to-destination 192.168.0.10:8883

This should work if your local mqtt server is also running on the RasPi. If it is running on another local server, then masquerading should be needed (but I haven't tested it):

rpi ~$ sudo iptables -t nat -A POSTROUTING -j MASQUERADE

We have a Destination Network Address Translation (DNAT). That means only the destination IP address of the IP packet is changed. So your local mqtt server sees inbound IP packets coming from 192.168.4.7 to 192.168.0.10:8883, so it will respond to 192.168.4.7. This is not a problem on a local network, in particular if the mqtt server is running on the RasPi, which is also the router and knows where to send the responses. I have tested it with ssh (I don't have an mqtt server) and haven't needed a POSTROUTING rule.

Answered by Ingo on October 11, 2020

The FORWARD rule is passing packets to the destination, but the packets returning to the source are probably dropped. You should post the complete listing of the rules to allow a more precise answer.

So the rule:

sudo iptables -A FORWARD -p tcp -d 192.168.4.7 --dport 49154 -j ACCEPT

should have this as well:

-m state --state NEW,ESTABLISHED

So the complete rule is:

sudo iptables -A FORWARD -p tcp -d 192.168.4.7 --dport 49154 -m state --state NEW,ESTABLISHED -j ACCEPT

Answered by Mats Karlsson on October 11, 2020
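As an added example (not code from the question or from either answer), the script below puts the two answers together: the PREROUTING DNAT from Ingo's answer and the stateful FORWARD rules from Mats's answer. The remote broker port 12345 and the local broker 192.168.0.10:8883 are the placeholders used in the answer, not values from the real IBM Cloud setup. Two things are added on top of the answers: the DNAT is matched on the AP interface and subnet (`-i wlan1 -s 192.168.4.0/24`), so the rewrite cannot be triggered by anything reaching the Pi through wlan0, and a small helper reads the packet counter of the DNAT rule from `iptables -t nat -L PREROUTING -v -n` so you can confirm client packets actually hit it. That counter check is worth having because, in the nat listing posted in the question, the only DNAT rule sits in the OUTPUT chain, which netfilter applies to packets generated by the Pi itself and never to packets forwarded from the AP client.

```shell
#!/bin/sh
# Added example, not code from the question or either answer.
# Builds the PREROUTING DNAT (Ingo's answer) plus the stateful FORWARD rules
# (Mats's answer), restricted to the AP side, and checks whether the DNAT
# rule is actually matching. Port 12345 and 192.168.0.10:8883 are the
# placeholder values from the answer, not the real cloud broker.

# Print the iptables commands for the redirect. Matching on the AP
# interface and subnet keeps the rewrite from applying to anything that
# reaches the Pi via wlan0.
#   $1 AP interface  $2 AP subnet  $3 remote broker port  $4 local broker host:port
redirect_rules() {
    ap_if=$1; ap_net=$2; rport=$3; broker=$4
    bhost=${broker%:*}; bport=${broker##*:}
    printf '%s\n' \
      "iptables -t nat -A PREROUTING -i $ap_if -s $ap_net -p tcp --dport $rport -j DNAT --to-destination $broker" \
      "iptables -A FORWARD -i $ap_if -p tcp -d $bhost --dport $bport -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT" \
      "iptables -A FORWARD -o $ap_if -p tcp -s $bhost --sport $bport -m conntrack --ctstate ESTABLISHED -j ACCEPT"
}

# Install the rules. Refuses to run unless root, so a dry run is the default.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must be root" >&2; return 1; }
    redirect_rules "$@" | while IFS= read -r cmd; do
        $cmd || return 1
    done
}

# Given the text of 'iptables -t nat -L PREROUTING -v -n' and the remote
# port, print the packet counter of the matching DNAT rule, or -1 if no such
# rule exists. A counter that stays at 0 while a client is connecting means
# the packets never reach this rule (wrong chain, port or interface).
dnat_hits() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $3 == "DNAT" && $0 ~ ("dpt:" port "( |$)") { print $1; found = 1 }
        END { if (!found) print -1 }'
}

# Dry run by default; pass --apply to install the rules (needs root).
if [ "${1:-}" = "--apply" ]; then
    apply_rules wlan1 192.168.4.0/24 12345 192.168.0.10:8883
else
    redirect_rules wlan1 192.168.4.0/24 12345 192.168.0.10:8883
fi
```

Run `sh redirect.sh` to see the three commands, `sudo sh redirect.sh --apply` to install them, then connect the client and run `sudo iptables -t nat -L PREROUTING -v -n`; feeding that output to `dnat_hits` (or simply reading the first column) should show a rising packet count on the DNAT line. `net.ipv4.ip_forward` must be 1 for the FORWARD rules to matter at all. If the local broker runs on another host in 192.168.0.0/24 rather than on the Pi, its replies only come back through the Pi if that host routes 192.168.4.0/24 via the Pi or the Pi masquerades; the `MASQUERADE ... out wlan0` rule already present in the question's POSTROUTING listing covers the second case. Finally, 8883 is the MQTT-over-TLS port: a client that expects the cloud broker's certificate will refuse the local broker unless the local broker presents a certificate the client trusts, so the redirect is not transparent to a properly verifying client.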
