
Re: iptables port forwarding

--On Thursday, November 14, 2002 08:17:45 +0100 Michael Kreilmeier <michi@kreilmeier.at> wrote:

> I'd like to know whether it is possible to do this kind of thing
> with iptables. I'd like to configure my firewall/router so that
> all the packets to the port 80 from the Internet (from specific
> addresses) are forwarded automatically to the ssh-port on another
> host on the Internet (not on my home lan).

No, not that easily.  NAT cannot solve this problem; you'll need a
proxy of some sort.  The reason is that the return packets from the
actual destination host would never be un-NAT-ed; you'd get
something like this:

[snip]

What happens is:
B opens a connection to A (connID1, B(highport)->A(80))
A itself opens a connection to C (connID2, A(highport)->C(destport))
All packets on connID1 get forwarded to connID2 and vice versa.
This results in B and C communicating with A, but answers and requests
just get forwarded.

Problem: You got lots of traffic on B.

Try it out and tell me if it worked.

Is this the same issue that I gave a tiny rule for? If so, I believe it does work, as I use it pretty much every day to tunnel stuff :)

I connect to port 443 on my firewall, and that then forwards the connection onto another host:port, at the same time rewriting the headers, and doing connection tracking (a form of NAT...).

As far as the host that actually deals with the data is concerned, it only sees my firewall connecting to it, not the host that connects to port 443 on the firewall.

Regards,

Sid
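The rule set Sid describes (connect to port 443 on the firewall, DNAT it to another host:port, SNAT it on the way out so the destination only sees the firewall, let conntrack un-NAT the replies), written out as an added example that is not from the thread. It follows the lettering used earlier: A is the firewall, B the permitted client, C the real destination. The interface name, the addresses (TEST-NET documentation ranges) and the ports are placeholders, not values from the original messages; the `-s $ALLOWED_SRC` match is what restricts the bounce to the "specific addresses" the original question asked for.

```sh
#!/bin/sh
# Added example (not from the thread): "bounce" TCP port 443 on firewall A to
# port 22 on Internet host C, so that A's own address is what C sees.
# All addresses, interface names and ports below are placeholders.

WAN_IF="${WAN_IF:-eth0}"                    # A's Internet-facing interface (placeholder)
A_EXT="${A_EXT:-203.0.113.10}"              # A's public address (placeholder)
C_HOST="${C_HOST:-198.51.100.20}"           # real destination C (placeholder)
LISTEN_PORT="${LISTEN_PORT:-443}"           # port B connects to on A
DEST_PORT="${DEST_PORT:-22}"                # ssh port on C
ALLOWED_SRC="${ALLOWED_SRC:-192.0.2.0/24}"  # only these clients (B) may use the bounce

# Print the commands, one per line, in the order they must be applied.
bounce_rules() {
    # Forwarding must be on, or DNATed packets never make it past PREROUTING.
    echo "sysctl -w net.ipv4.ip_forward=1"

    # 1. Inbound: rewrite B -> A:443 into B -> C:22, only for allowed sources.
    #    conntrack records the mapping, so C's replies are un-NATed automatically.
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -s $ALLOWED_SRC -p tcp --dport $LISTEN_PORT -j DNAT --to-destination $C_HOST:$DEST_PORT"

    # 2. Permit the forwarded flow in both directions. Traffic enters and leaves
    #    on the same interface because both B and C are on the Internet.
    echo "iptables -A FORWARD -i $WAN_IF -o $WAN_IF -s $ALLOWED_SRC -d $C_HOST -p tcp --dport $DEST_PORT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $WAN_IF -o $WAN_IF -s $C_HOST -p tcp --sport $DEST_PORT -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # 3. Outbound: rewrite the source to A's address. Without this, C would reply
    #    directly to B, B's stack would see a SYN/ACK from C:22 instead of A:443,
    #    with no matching socket, and reset the connection.
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -d $C_HOST -p tcp --dport $DEST_PORT -j SNAT --to-source $A_EXT"
}

# Run each command (needs root). Stops at the first failure.
bounce_apply() {
    bounce_rules | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd || return 1
    done
}

# Default is "print", so running the script without arguments is harmless:
# review the generated rules first, then re-run with "apply".
case "${1:-print}" in
    apply) bounce_apply ;;
    print) bounce_rules ;;
    *)     echo "usage: $0 [print|apply]" >&2; exit 2 ;;
esac
```

The DNAT rule alone is not enough: C's SYN/ACK is addressed to B, and B's stack has no socket for a connection from C:22, so it resets it. That is the "never un-NAT-ed" failure in the earlier reply. The POSTROUTING SNAT rule fixes it by making A the apparent client, at the cost that C's logs only ever show A's address, which is exactly the behaviour Sid describes.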
