* Vesa Salento (vsalento@cc.hut.fi) [021111 06:14]:
> Hi,
>
> I'd like to know whether it is possible to do this kind of thing with
> iptables. I'd like to configure my firewall/router so that all the packets
> to the port 80 from the Internet (from specific addresses) are forwarded
> automatically to the ssh-port on another host on the Internet (not on my
> home lan).

No, not that easily. NAT cannot solve this problem; you'll need a proxy of
some sort. The reason is that the return packets from the actual destination
host would never be un-NAT-ed; you'd get something like this:

    B  => SYN     => A
    A* => SYN     => C      * A forwards the packet with the source address as B
    C  => SYN/ACK => B
    B  => RST     => C

Where A is your firewall, C is the destination (the one running sshd) and B
is the source. When C tries to reply to B, B ignores it and continues to wait
for replies from A, which never come.

The way it works when using DNAT to a host on your LAN (not elsewhere on the
internet) is that C's return packet (the SYN/ACK above) passes back through
A, who rewrites the source address to A, and C happily thinks it's
communicating with A directly, with no knowledge that A is actually just
forwarding and rewriting packets.

I have a feeling I didn't explain that too well; ask if it doesn't make any
sense and I (or someone else) can try again.

good times,
Vineet

--
http://www.doorstop.net/
--
"Extremism in the defense of liberty is no vice. Moderation in the pursuit
of justice is no virtue." -- Barry Goldwater