
Re: iptables - dynamic ip - port forward ssh to internal box



Paul wrote:
[...]
> Now my forward cmd i have is just
> 
> iptables -A FORWARD -p tcp --dport 22 -j ACCEPT  and
> it works fine, now any reason as to why you suggest to
> make it
> 
> $IPTABLES -A FORWARD -i $EXTDEV -o $INTDEV -d
> 192.168.1.8 -p tcp --dport 22 -j ACCEPT
> 
> is it for security reasons or some other thing?

Yes, pretty much security. If the external network had stuffed routing,
it might be possible to convince your router to pass along port 22
packets to some other internal machine. Although with your setup, the -i
and -o might be redundant. I would keep the -d switch though.

> Also how would I go about making it so it would also
> work from the internal network, because I do plan on
> getting a web server running as well which would just
> be
> 
> iptables -t nat -A PREROUTING -p tcp -d $EXTIP --dport
> 80 -j DNAT --to 192.168.1.8:80
> iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
> 
> But I would like it so I could view the website
> internally as well, and not quite sure how to go about
> that, because I know it's just prerouting stuff from
> the external network, not the internal one

I'm not sure what you mean here. Do you want to visit http://$EXTIP from
within the LAN and have packets end up at 192.168.1.8? This causes some
problems if you try, because the packet gets to the internal web server
just fine, but when it responds, it wants to reply directly to the client
which will discard it as an unsolicited packet. I'll try to illustrate:
  client's request:  client -> firewall (translate address) -> server
  server's response: server -> client (address doesn't get translated)

There are a couple nicer ways to do this: you could just view the site
as its own address internally, you could use a web proxy (transparent or
otherwise) on the firewall, or you could play with DNS to give different
ip addresses for the web server depending on who's requesting it. An
even uglier way to do it would be to take away the web server's LAN
route, so it only sent packets to the firewall :)

Of course, I haven't dealt with this myself, so there are probably other
solutions I don't know about.

Jason
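To make Jason's point about the `-d` switch concrete, here is a small added example (not part of the thread, and not iptables itself) that models the nat PREROUTING DNAT step followed by the FORWARD chain. It assumes eth0 is the external interface, eth1 the LAN interface, and 203.0.113.10 is a constructed stand-in for $EXTIP. A normal SSH connection to $EXTIP is DNATed to 192.168.1.8 and accepted by both rule sets; a packet that arrives on the external interface already addressed to another LAN host (the "stuffed routing" case) skips DNAT, and only the rule with `-d 192.168.1.8` refuses to forward it.

```python
"""Toy model of iptables nat PREROUTING + FORWARD for the thread's rules.
Constructed example for illustration; it does not talk to netfilter."""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

EXTDEV, INTDEV = "eth0", "eth1"      # assumed interface names
EXTIP = "203.0.113.10"               # constructed stand-in for $EXTIP
SSH_HOST = "192.168.1.8"             # the box that should receive port 22


@dataclass(frozen=True)
class Packet:
    in_iface: str
    proto: str
    dst: str
    dport: int
    out_iface: Optional[str] = None  # filled in by routing after DNAT


@dataclass(frozen=True)
class Rule:
    """One iptables rule; None means 'do not match on this field'."""
    target: str
    proto: Optional[str] = None      # -p
    in_iface: Optional[str] = None   # -i
    out_iface: Optional[str] = None  # -o
    dst: Optional[str] = None        # -d
    dport: Optional[int] = None      # --dport
    to: Optional[str] = None         # --to host:port (DNAT only)

    def matches(self, p: Packet) -> bool:
        checks = ((self.proto, p.proto), (self.in_iface, p.in_iface),
                  (self.out_iface, p.out_iface), (self.dst, p.dst),
                  (self.dport, p.dport))
        return all(want is None or want == have for want, have in checks)


def prerouting(nat_rules: List[Rule], p: Packet) -> Packet:
    """nat PREROUTING: first matching DNAT rule rewrites the destination."""
    for r in nat_rules:
        if r.target == "DNAT" and r.matches(p):
            host, _, port = r.to.partition(":")
            return replace(p, dst=host, dport=int(port) if port else p.dport)
    return p


def route(dst: str) -> str:
    """Routing decision: LAN prefix goes out eth1, everything else eth0."""
    return INTDEV if dst.startswith("192.168.1.") else EXTDEV


def forward(fwd_rules: List[Rule], p: Packet, policy: str = "DROP") -> str:
    """filter FORWARD: first match wins, otherwise the chain policy."""
    for r in fwd_rules:
        if r.matches(p):
            return r.target
    return policy


def verdict(nat_rules: List[Rule], fwd_rules: List[Rule],
            pkt: Packet) -> Tuple[str, str]:
    """Run a packet through DNAT, routing and FORWARD; return (verdict, final dst)."""
    p = prerouting(nat_rules, pkt)
    p = replace(p, out_iface=route(p.dst))
    return forward(fwd_rules, p), p.dst


# iptables -t nat -A PREROUTING -p tcp -d $EXTIP --dport 22 -j DNAT --to 192.168.1.8:22
NAT_RULES = [Rule("DNAT", proto="tcp", dst=EXTIP, dport=22, to=f"{SSH_HOST}:22")]

# Paul's rule:  iptables -A FORWARD -p tcp --dport 22 -j ACCEPT
LOOSE_FORWARD = [Rule("ACCEPT", proto="tcp", dport=22)]

# Jason's rule: $IPTABLES -A FORWARD -i $EXTDEV -o $INTDEV -d 192.168.1.8 -p tcp --dport 22 -j ACCEPT
TIGHT_FORWARD = [Rule("ACCEPT", proto="tcp", in_iface=EXTDEV, out_iface=INTDEV,
                      dst=SSH_HOST, dport=22)]

if __name__ == "__main__":
    legit = Packet(EXTDEV, "tcp", EXTIP, 22)           # normal ssh to $EXTIP
    stray = Packet(EXTDEV, "tcp", "192.168.1.9", 22)   # already addressed to another LAN host
    for name, rules in (("loose", LOOSE_FORWARD), ("tight", TIGHT_FORWARD)):
        print(name, "legit:", verdict(NAT_RULES, rules, legit))
        print(name, "stray:", verdict(NAT_RULES, rules, stray))
```

Both rule sets forward the legitimate connection to 192.168.1.8; only the tightened rule drops the stray packet, which is exactly the exposure Jason describes. The same `-d` restriction applies to the port 80 DNAT rule Paul plans to add.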