
Re: Simple IP-Forwarding problem



Leonardo Boselli wrote:
> On 13 Jul 2005 at 15:20 Marc Mueller wrote:
> 
>>Hi Leonardo,
>>I have no administrative access rights on the three servers outside to
>>change any network settings.  :-( I can only modify the firewall-rules
>>on the server in the middle.
> 
> 
> IF the three private hosts do not point to the host in the middle as
> their default gateway, all you can do is the ssh tunnel ....

Not really true ;). Sorry, I haven't followed the whole discussion too
closely, so maybe someone has given similar suggestions. There are at
least two more options:

1. Using iptables: DNAT to redirect local ports to remote ones and SNAT
to guarantee proper routing of the reply packets and to fool the
destination server's IP validation, like:

# Both chains live in the nat table, so -t nat is required (without it
# iptables looks for PREROUTING/POSTROUTING in the filter table and fails).
# $TARGET_HOST_IP and $DESTINATION_IP are the same private server; the
# kernel also needs net.ipv4.ip_forward=1 to forward the DNAT'd packets.
iptables -t nat -A POSTROUTING -o $OUT_IFACE -d $TARGET_HOST_IP -p tcp \
   --destination-port 22 -j SNAT --to-source $MIDSERVER_IP
iptables -t nat -A PREROUTING -i $IN_IFACE -d $MIDSERVER_IP -p tcp \
   --destination-port $SERVER1_PORT \
   -j DNAT --to-destination $DESTINATION_IP:22

If the server in the middle sees both the destination servers and the
clients through the same network interface, you probably also need to set:
echo 0 >/proc/sys/net/ipv4/conf/$IFACE/send_redirects

Ah, and you should use some ports outside of
/proc/sys/net/ipv4/ip_local_port_range, or change that range accordingly,
as I suspect that ports used in DNAT rules aren't automatically marked
as 'in use' (just guessing, so maybe I'm wrong).

2. Using rinetd or a similar tool, you can do port forwarding without the
overhead of ssh tunnelling and without playing with firewall rules and
kernel variables (except maybe for opening selected ports). It's
userspace, so probably somewhat slower, but I don't think it will be
noticeable unless the 'in the middle' server is heavily overloaded.

Regards,
  Robert Tasarz
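The DNAT/SNAT scheme from option 1 and the rinetd alternative from option 2, worked through as one complete, reviewable rule generator. This is an added example and not code from the original thread; the addresses (192.0.2.10, 10.0.0.11-13), interface names (eth0/eth1), the local ports 2201-2203 and the function names are all constructed for illustration. It emits iptables-restore(8) syntax so the rules can be inspected before they touch a live box, and it also restricts the FORWARD chain to exactly the forwarded flows, which the bare nat rules in the post do not do.

```shell
#!/bin/sh
# Added example (not from the original post): generate the full rule set
# for a "middle box" that exposes ssh on several private servers through
# distinct local ports, using DNAT on the way in and SNAT on the way out.
# All names and addresses below are assumed/constructed, not from the thread.

MIDSERVER_IP=${MIDSERVER_IP:-192.0.2.10}   # address the clients connect to
IN_IFACE=${IN_IFACE:-eth0}                  # interface facing the clients
OUT_IFACE=${OUT_IFACE:-eth1}                # interface facing the private servers

# One forwarding per line: <local port> <private server IP> <remote port>.
# Constructed sample. Keep local ports outside net.ipv4.ip_local_port_range
# so a local outbound connection never collides with a DNAT'd port.
FORWARDS='2201 10.0.0.11 22
2202 10.0.0.12 22
2203 10.0.0.13 22'

# nat table: DNAT rewrites the destination, SNAT rewrites the source so the
# private server answers the middle box even though its default gateway is
# elsewhere. Price of SNAT: the servers' sshd logs show MIDSERVER_IP, not
# the real client, so keep the client address in the middle box's own logs.
# filter table: only the forwarded flows (and their replies) may traverse.
gen_rules() {
    printf '%s\n' '*nat'
    while read -r lport dip dport; do
        [ -n "$lport" ] || continue
        printf '%s\n' "-A PREROUTING -i $IN_IFACE -d $MIDSERVER_IP -p tcp --dport $lport -j DNAT --to-destination $dip:$dport"
        printf '%s\n' "-A POSTROUTING -o $OUT_IFACE -d $dip -p tcp --dport $dport -j SNAT --to-source $MIDSERVER_IP"
    done <<EOF
$FORWARDS
EOF
    printf '%s\n' 'COMMIT' '*filter'
    # replies for already-translated connections
    printf '%s\n' "-A FORWARD -i $OUT_IFACE -o $IN_IFACE -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    while read -r lport dip dport; do
        [ -n "$lport" ] || continue
        printf '%s\n' "-A FORWARD -i $IN_IFACE -o $OUT_IFACE -d $dip -p tcp --dport $dport -m conntrack --ctstate NEW -j ACCEPT"
    done <<EOF
$FORWARDS
EOF
    printf '%s\n' 'COMMIT'
}

# The same table as an rinetd.conf (option 2): bindaddress bindport
# connectaddress connectport. No kernel rules needed, but the private
# servers still see every connection arriving from MIDSERVER_IP.
gen_rinetd() {
    while read -r lport dip dport; do
        [ -n "$lport" ] || continue
        printf '%s %s %s %s\n' "$MIDSERVER_IP" "$lport" "$dip" "$dport"
    done <<EOF
$FORWARDS
EOF
}

# Number of forwardings defined in FORWARDS (for sanity checks).
count_forwards() {
    printf '%s\n' "$FORWARDS" | grep -c .
}

case "${1:-print}" in
    print)  gen_rules ;;
    rinetd) gen_rinetd ;;
    apply)
        # Forwarding must be on; if clients and servers share an interface,
        # ICMP redirects must be off as the post notes. --noflush keeps the
        # rules already loaded instead of replacing the whole table.
        sysctl -w net.ipv4.ip_forward=1
        sysctl -w "net.ipv4.conf.$IN_IFACE.send_redirects=0"
        gen_rules | iptables-restore --noflush
        ;;
esac
```

Run it with no argument to review the rules, `rinetd` to get the equivalent rinetd.conf, and `apply` (as root) to load them. Because `--noflush` appends, the new FORWARD rules land after whatever is already in the chain; if an earlier rule drops traffic between the two interfaces, move these rules ahead of it or they will never match.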


