Re: iptables port forwarding
On Thu, 14 Nov 2002, Vineet Kumar wrote:
> * Siraj 'Sid' Rakhada (email@example.com) [021114 08:08]:
> > I connect to port 443 on my firewall, and that then forwards the
> > connection onto another host:port, at the same time rewriting the
> > headers, and doing connection tracking (a form of NAT...).
> > As far as the host that actually deals with the data, it only sees my
> > firewall connecting to it. Not the host that connects to port 443 on
> > the firewall.
> I don't believe this. Well, I should qualify that: I don't believe that
> the single DNAT rule you gave would cause this effect. You must also
> have some SNAT going on as well, or your firewall shouldn't be rewriting
> the source address. Maybe your upstream is doing some kind of rewriting
> to keep you from sending out spoofed packets, so it changes the source
> to your address?
> good times,
Well, the rules Sid posted here worked fine and the system is now up and
running. The only problem was that I needed to add a few rules to the
forward chain to allow those packets to go forward.
I have two rules for those but perhaps they could be combined into one
rule. The rules I use are below, split into several lines to make them
# add port forwarding for SSH (local port 443 -> somehost:22)
$IPTABLES -t nat -A PREROUTING -i eth0 -p TCP -s $IP_SOURCE \
-d $MY_IP --dport 443 -j DNAT --to $IP_TARGET:22
$IPTABLES -A FORWARD -i $EXTIF -o $EXTIF -p TCP -d $IP_TARGET \
--dport 22 -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $EXTIF -p TCP -s $IP_TARGET \
--sport 22 -j ACCEPT
Now that I read the firewall script again, I noticed that this rule is
there also. It was added when I implemented NAT for my home LAN
(I have no idea what it does; it was copied from someone else's
firewall rules). Maybe this is what Vineet was referring to in his post.
# Enable SNAT (MASQUERADE) functionality on $EXTIF
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
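An added example, not code from the thread: a variant of the rule set above that makes the return path and the source rewrite explicit. The addresses are constructed (RFC 5737 ranges), the interface and variable names are assumptions, and a scoped SNAT stands in for the blanket MASQUERADE so that only the forwarded flow has its source rewritten to the firewall's address, which is the behaviour the thread is debating.

```shell
#!/bin/sh
# Added example: port forward 443 -> $IP_TARGET:22 with the return path and
# the source rewrite spelled out. All values below are constructed.
EXTIF=${EXTIF:-eth0}                  # external interface (assumed name)
MY_IP=${MY_IP:-203.0.113.10}          # firewall's address on $EXTIF
IP_SOURCE=${IP_SOURCE:-198.51.100.7}  # the only client allowed to use the forward
IP_TARGET=${IP_TARGET:-203.0.113.22}  # SSH host reached out of the same interface

# Emit the rules as text so they can be reviewed (or tested) without root;
# pipe the output into sh to apply them.
forward_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $EXTIF -p tcp -s $IP_SOURCE -d $MY_IP --dport 443 -j DNAT --to-destination $IP_TARGET:22
iptables -A FORWARD -i $EXTIF -o $EXTIF -p tcp -s $IP_SOURCE -d $IP_TARGET --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $EXTIF -o $EXTIF -p tcp -s $IP_TARGET --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o $EXTIF -p tcp -d $IP_TARGET --dport 22 -j SNAT --to-source $MY_IP
EOF
}
# Rule 1: DNAT in PREROUTING rewrites the destination before routing.
# Rule 2: the FORWARD chain must accept the translated packet (this is what
#         the original poster had to add).
# Rule 3: return traffic from the target is accepted only when conntrack
#         already knows the flow, instead of trusting any packet with sport 22.
# Rule 4: because the target sits off the same interface, its replies would
#         otherwise be addressed straight to $IP_SOURCE and might never pass
#         back through the firewall, so conntrack could not undo the DNAT.
#         Rewriting the source to $MY_IP forces the reply path through the
#         firewall; it is also why the target only ever sees the firewall's
#         address. A POSTROUTING MASQUERADE on $EXTIF has the same effect,
#         but for every flow leaving that interface, not just this one.

apply_forward_rules() {
    forward_rules | sh
}
```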