[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: iptables port forwarding

On Thu, 14 Nov 2002, Vineet Kumar wrote:

> * Siraj 'Sid' Rakhada (sid@mindless.co.uk) [021114 08:08]:
> > I connect to port 443 on my firewall, and that then forwards the
> > connection onto another host:port, at the same time rewriting the
> > headers, and doing connection tracking (a form of NAT...).
> >
> > As far as the host that actually deals with the data, it only sees my
> > firewall connecting to it. Not the host that connects to port 443 on
> > the firewall.
> I don't believe this.  Well, I should qualify that: I don't believe that
> the single DNAT rule you gave would cause this effect.  You must also
> have some SNAT going on as well, or your firewall shouldn't be rewriting
> the source address.  Maybe your upstream is doing some kind of rewriting
> to keep you from sending out spoofed packets, so it changes the source
> to your address?
> good times,
> Vineet

Well the rules Sid posted here worked fine and the system is now up and
running. The only problem was that I needed to add few rules to the
forward-chain to allow those packets to go forward.

I have two rules for those but perhaps they could be combined into one
rule. The rules I use are below splitted into several lines to make them
more readable.

# add port forwarding for SSH (local port 443 -> somehost:22)
$IPTABLES -t nat -A PREROUTING -i eth0 -p TCP -s $IP_SOURCE \
    -d $MY_IP --dport 443 -j DNAT --to $IP_TARGET:22

    --dport 22 -j ACCEPT
    --sport 22 -j ACCEPT

Now that I read again the firewall script I noticed that there is this
rule there also. This was added when I implemented NAT for my home-lan
purposes (I have no idea what it does - it was copied from someone elses
firewall rules). Maybe this is what Vineet was referring in his post.

# Enable SNAT (MASQUERADE) functionality on $EXTIF

Vesa Salento

Reply to: