
Re: iptables port forwarding

--On 11 November 2002 16:13 +0200 Vesa Salento <vsalento@cc.hut.fi> wrote:


> I'd like to know whether it is possible to do this kind of thing with
> iptables. I'd like to configure my firewall/router so that all the packets
> to the port 80 from the Internet (from specific addresses) are forwarded
> automatically to the ssh-port on another host on the Internet (not on my
> home lan).

Yes, I use this functionality at the moment, port 443 forwarded to something else :)

> This would be needed so that shell access would be possible even in an
> environment where firewall blocks all the other ports than 80. I could
> solve the problem by binding SSH to listen that port but I'd like to have
> a solution where the packets wouldn't get past the firewall and no access
> would be necessary to my Linux box.

Here is the rule you want, I believe:

iptables -t nat -A PREROUTING -i ethX -p tcp -d <your firewall ip> --dport 80 -j DNAT --to <actual server running ssh:22>

I live behind such a fascist firewall, but as I don't use port 443 on my home lan, I have redirected that host to elsewhere. It's probably better anyway, as some sites trap port 80 traffic and make it go via a web proxy (though the 443 solution is not immune either).

> I already have NAT working for my home LAN but I don't fully understand
> how all those post/prerouting things work. And can I mangle packets and
> then send them back to the same interface where they came from?

I think so, but I am not sure.
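The DNAT rule above is only the first of the pieces needed, and the last question (sending the packet back out the interface it arrived on) is exactly where a bare DNAT rule fails: the external SSH host would answer the client directly from its own address, which the client never contacted, so the connection never completes. The script below is an added example, not part of the original exchange, showing the complete rule set for this "hairpin" case: ip_forward enabled, DNAT in PREROUTING restricted to the allowed client network, matching FORWARD rules (which see the post-DNAT address), and SNAT in POSTROUTING so replies come back through the firewall. All addresses, the interface name and the client network are assumed placeholders from the documentation ranges; substitute your own.

```shell
#!/bin/sh
# Added example (not from the original post): DNAT the firewall's port 80 to
# sshd on an external host that is reached through the same interface the
# request came in on. All values below are assumed placeholders.

set -eu

WAN_IF="eth0"               # assumed Internet-facing interface
FW_IP="198.51.100.10"       # assumed public address of the firewall
CLIENT_NET="203.0.113.0/24" # assumed "specific addresses" allowed to use the hole
SSH_HOST="192.0.2.22"       # assumed external host running sshd
SSH_PORT="22"
IN_PORT="80"

# Emit the rules as text so they can be reviewed first, then piped to sh.
gen_rules() {
    # Without forwarding enabled, DNAT'd packets are dropped after PREROUTING.
    echo "sysctl -w net.ipv4.ip_forward=1"

    # 1. nat/PREROUTING: rewrite the destination before the routing decision.
    #    Limiting -s to CLIENT_NET keeps the hole closed to everyone else.
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp -s $CLIENT_NET -d $FW_IP --dport $IN_PORT -j DNAT --to-destination $SSH_HOST:$SSH_PORT"

    # 2. filter/FORWARD: matched against the already-rewritten destination.
    #    In and out interface are the same here, which iptables allows.
    echo "iptables -A FORWARD -i $WAN_IF -o $WAN_IF -p tcp -s $CLIENT_NET -d $SSH_HOST --dport $SSH_PORT -m state --state NEW,ESTABLISHED -j ACCEPT"
    echo "iptables -A FORWARD -i $WAN_IF -o $WAN_IF -p tcp -s $SSH_HOST --sport $SSH_PORT -d $CLIENT_NET -m state --state ESTABLISHED -j ACCEPT"

    # 3. nat/POSTROUTING: the hairpin fix. The packet leaves on WAN_IF, so the
    #    SSH host must reply to the firewall, not to the client. conntrack
    #    reverses both the SNAT and the DNAT on the way back.
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -p tcp -d $SSH_HOST --dport $SSH_PORT -j SNAT --to-source $FW_IP"
}

# Number of iptables rules generated (the sysctl line is not counted).
count_rules() {
    gen_rules | grep -c '^iptables'
}

case "${1:-print}" in
    print) gen_rules ;;
    apply) gen_rules | sh -e ;;   # needs root and a real $WAN_IF
    *) echo "usage: $0 [print|apply]" >&2; exit 2 ;;
esac
```

Run it without arguments to see the rules, and as `./forward.sh apply` (as root) to install them. If the SSH host were instead on the home LAN behind the firewall, the POSTROUTING SNAT would not be needed, because its replies would have to pass through the firewall anyway; it is the same-interface case the thread asks about that makes it mandatory.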


