
Re: iptables port forwarding
> > I'd like to know whether it is possible to do this kind of thing with
> > iptables. I'd like to configure my firewall/router so that all the packets
> > to the port 80 from the Internet (from specific addresses) are forwarded
> > automatically to the ssh-port on another host on the Internet (not on my
> > home lan).
> 
> No, not that easily.  NAT cannot solve this problem; you'll need a proxy
> of some sort.  The reason is that the return packets from the actual
> destination host would never be un-NAT-ed; you'd get something like
> this:
> 
> B  => SYN => A
> A* => SYN => C  * A forwards the packet with the source address as B
> C  => SYN/ACK => B
> B  => RST => C
> 
> Where A is your firewall, C is the destination (the one running sshd)
> and B is the source.  When C tries to reply to B, B ignores it and
> continues to wait for replies from A, which never come.  The way it
> works when using DNAT to a host on your LAN (not elsewhere on the
> internet) is that C's return packet (the SYN/ACK above) passes back
> through A, who rewrites the source address to A, and C happily thinks
> it's communicating with A directly, with no knowledge that A is actually
> just forwarding and rewriting packets.

I have not tried it yet, but I think it should be possible with iptables
and NAT. DNAT just as described above works well inside your LAN (with
private IPs) because then you have a MASQUERADING/SNATing router.
If you want it to work on the outside too, you'll have to apply some
SNAT rules on these packets too.

What happens is:
B opens a connection to A (connID1, B(highport)->A(80))
A itself opens a connection to C (connID2, A(highport)->C(destport))
All packets on connID1 get forwarded to connID2 and vice versa.
This results in B and C communicating with A, but answers and requests just
get forwarded.

Problem: You got lots of traffic on B.

Try it out and tell me if it worked.

Michael.
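The two-connection scheme above (connID1 from B to A, connID2 from A to C), written out as iptables rules. This is an added example, not code from the thread or from either poster: it assumes A's Internet-facing interface is eth0, uses constructed addresses from the IPv4 documentation ranges for A, C and the allowed B hosts, and assumes sshd on C listens on 22. The DNAT rule does the "connID1 to connID2" rewrite; the SNAT rule is the part the quoted reply says is missing, because without it C's SYN/ACK goes straight to B and is RST'd instead of returning through A.

```shell
#!/bin/sh
# Added example (not part of the thread): router A forwards TCP/80 from a few
# allowed Internet addresses (B) to sshd on an external host C, rewriting both
# directions so C's replies come back through A. All addresses are constructed
# values from the IPv4 documentation ranges; interface and ports are assumptions.
# Requires net.ipv4.ip_forward=1 on A. Run with "apply" as root to install the
# rules; with no argument it only prints the iptables commands it would run.

IPTABLES=${IPTABLES:-iptables}
WAN_IF=${WAN_IF:-eth0}                               # A's Internet-facing interface (assumed)
A_PUBLIC=${A_PUBLIC:-203.0.113.10}                   # A's public address (constructed)
C_HOST=${C_HOST:-198.51.100.22}                      # external host C running sshd (constructed)
C_PORT=${C_PORT:-22}
ALLOWED_SRCS=${ALLOWED_SRCS:-"192.0.2.5 192.0.2.6"}  # the "specific addresses" B (constructed)

forward_rules() {
    # Step 1 (connID1 -> connID2): B(highport)->A:80 becomes B(highport)->C:22.
    # Only the allowed sources are rewritten; anything else still reaches A's
    # own port 80 and is handled by A's INPUT chain as usual.
    for src in $ALLOWED_SRCS; do
        $IPTABLES -t nat -A PREROUTING -i "$WAN_IF" -s "$src" -p tcp --dport 80 \
            -j DNAT --to-destination "$C_HOST:$C_PORT"
    done

    # Step 2: without this, C answers B directly and B resets the connection,
    # exactly the SYN / SYN/ACK / RST exchange quoted above. Rewriting the
    # source to A makes C's SYN/ACK return to A, where conntrack undoes both
    # rewrites before the packet goes back to B.
    $IPTABLES -t nat -A POSTROUTING -o "$WAN_IF" -d "$C_HOST" -p tcp --dport "$C_PORT" \
        -j SNAT --to-source "$A_PUBLIC"

    # Because of the SNAT, sshd on C only ever sees A as its peer. A is the
    # only host that still knows which B opened each connection, so log every
    # new forwarded connection there before accepting it.
    $IPTABLES -A FORWARD -i "$WAN_IF" -o "$WAN_IF" -d "$C_HOST" -p tcp --dport "$C_PORT" \
        -m conntrack --ctstate NEW -j LOG --log-prefix "fwd80-to-ssh: "

    # Step 3: let the rewritten flow through the FORWARD chain both ways. Both
    # directions enter and leave on the same interface (a hairpin through A).
    $IPTABLES -A FORWARD -i "$WAN_IF" -o "$WAN_IF" -d "$C_HOST" -p tcp --dport "$C_PORT" \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    $IPTABLES -A FORWARD -i "$WAN_IF" -o "$WAN_IF" -s "$C_HOST" -p tcp --sport "$C_PORT" \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

if [ "${1:-}" = "apply" ]; then
    forward_rules
else
    IPTABLES="echo iptables"   # dry run: show the commands instead of running them
    forward_rules
fi
```

For a host on your own LAN the SNAT rule is unnecessary, because C's default route already sends the reply back through A, which is the case the quoted reply describes. For an external C it is what makes the forwarding work at all, at the cost that C's own sshd logs show only A, so the LOG rule on A is where the B-to-connection mapping has to be kept. Every forwarded connection also crosses A's uplink twice, which is the traffic-volume problem mentioned above.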