Re: iptables port forwarding
> > I'd like to know whether it is possible to do this kind of thing with
> > iptables. I'd like to configure my firewall/router so that all the packets
> > to the port 80 from the Internet (from specific addresses) are forwarded
> > automatically to the ssh-port on another host on the Internet (not on my
> > home lan).
>
> No, not that easily. NAT cannot solve this problem; you'll need a proxy
> of some sort. The reason is that the return packets from the actual
> destination host would never be un-NAT-ed; you'd get something like
> this:
>
> B => SYN => A
> A* => SYN => C * A forwards the packet with the source address as B
> C => SYN/ACK => B
> B => RST => C
>
> Where A is your firewall, C is the destination (the one running sshd)
> and B is the source. When C tries to reply to B, B ignores it and
> continues to wait for replies from A, which never come. The way it
> works when using DNAT to a host on your LAN (not elsewhere on the
> internet) is that C's return packet (the SYN/ACK above) passes back
> through A, who rewrites the source address to A, and C happily thinks
> it's communicating with A directly, with no knowledge that A is actually
> just forwarding and rewriting packets.
I have not tried yet, but I think it should be possible with iptables
and NAT. DNAT just as described above works well inside your LAN (with
private IPs) because then you have a MASQUERADING/SNATing router.
If you want it to work on the outside too, you'll have to apply some
SNAT rules on these packets too.
What happens is:
B opens a connection to A (connID1, B(highport)->A(80))
A itself opens a connection to C (connID2, A(highport)->C(destport))
All packets on connID1 get forwarded to connID2 and vice versa.
This results in B and C communicating with A, but answers and requests just
get forwarded.
Problem: You get lots of traffic on B.
Try it out and tell me if it worked.
Michael.
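The exchange described in the thread, as an added example that is not part of the original posts: a small Python model of the firewall A with a conntrack-style table, run once with DNAT only (C's SYN/ACK goes straight to B, which answers with a RST) and once with DNAT plus SNAT (the reply comes back through A and is un-NAT-ed). Addresses, ports and the interface name are constructed placeholders.

```python
# Added example, not code from the list thread. Addresses are constructed
# RFC 5737 documentation addresses; ports and interface names are assumed.
A, B, C = "198.51.100.1", "203.0.113.7", "192.0.2.22"   # firewall, client, ssh host

# Equivalent iptables rules on A (restricted to the client address B, as the
# original poster asked; the interface name eth0 is an assumption):
#   iptables -t nat -A PREROUTING  -i eth0 -p tcp -s B --dport 80 -j DNAT --to-destination C:22
#   iptables -t nat -A POSTROUTING -o eth0 -p tcp -d C --dport 22 -j SNAT --to-source A

class NatRouter:
    """Minimal model of A: PREROUTING DNAT, optional POSTROUTING SNAT, and a
    conntrack-style table used to un-NAT replies that come back through A."""

    def __init__(self, addr, listen_port, dnat_to, snat):
        self.addr, self.listen_port, self.dnat_to, self.snat = addr, listen_port, dnat_to, snat
        self.conntrack = {}   # translated 4-tuple -> (original src, original sport)

    def forward(self, pkt):
        """pkt is (src, sport, dst, dport, flag); return the packet as A re-emits it, or None."""
        src, sport, dst, dport, flag = pkt
        if dst == self.addr and dport == self.listen_port:       # original direction
            new_dst, new_dport = self.dnat_to
            new_src = self.addr if self.snat else src             # SNAT hides B behind A
            self.conntrack[(new_dst, new_dport, new_src, sport)] = (src, sport)
            return (new_src, sport, new_dst, new_dport, flag)
        key = (src, sport, dst, dport)                            # reply direction
        if dst == self.addr and key in self.conntrack:
            orig_src, orig_sport = self.conntrack[key]
            return (self.addr, self.listen_port, orig_src, orig_sport, flag)
        return None                                               # not addressed to A at all

def handshake(snat):
    """Play the exchange from the thread; returns what B does with C's SYN/ACK."""
    router = NatRouter(A, 80, (C, 22), snat)
    syn = (B, 40000, A, 80, "SYN")                   # B => SYN => A
    out = router.forward(syn)                        # A* => SYN => C
    # C answers whichever source address it saw; only a reply to A passes back through A.
    reply = (out[2], out[3], out[0], out[1], "SYN/ACK")
    if reply[2] == A:
        reply = router.forward(reply)                # un-NAT-ed: A:80 => SYN/ACK => B
    # B accepts only a SYN/ACK from the peer it connected to, A:80; anything else gets a RST.
    if reply[:2] == (A, 80):
        return "ESTABLISHED"
    return f"RST to {reply[0]}"

if __name__ == "__main__":
    print("DNAT only:      ", handshake(snat=False))  # RST to 192.0.2.22
    print("DNAT plus SNAT: ", handshake(snat=True))   # ESTABLISHED
```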