From: "John A. Sullivan III" <john.sullivan@nexusmgmt.com>
To: Arthur Kerpician <arthur@bluechip.ro>
Cc: netfilter@lists.netfilter.org
Subject: Re: selective port forwarding
Date: Wed, 09 Jun 2004 17:35:01 -0400
Message-ID: <1086816900.2939.7.camel@localhost>
In-Reply-To: <40C7699E.7060806@bluechip.ro>
On Wed, 2004-06-09 at 15:48, Arthur Kerpician wrote:
> Hi,
> I have this very simple network layout:
> 1. Firewall server (host1.domain.com) with eth1 (external static IP) and
> eth0 (internal IP)
> 2. The firewall server does masquerading for the LAN
> 3. Other server (host2) on LAN with eth0 (internal IP)
> So, the only external IP is on the host1.domain.com.
> I want to forward some of the ssh traffic to host2, based on the hostname.
> eg:
> when trying to ssh to host1.domain.com the firewall server (host1) will
> reply and
> when trying to ssh to host2.domain.com the firewall server will forward
> the traffic to host2 inside the LAN
>
> I know that what I'm looking for has to do with DNAT, but I really
> don't know where to start. The DNS is configured to map host1.domain.com
> and host2.domain.com to the same external IP on host1.
>
> Thanks,
> Arthur
If I understand you correctly, you want to access both devices from the
Internet. You wish to ssh host1.domain.com from the Internet and have
the packets arrive at host1 and ssh host2.domain.com from the Internet
and have host1 forward them to host2. Both host1 and host2 resolve to
the same public IP, let's call it x.x.x.x.
If this is correct, you have a problem. iptables will resolve the names
when it loads but thereafter will use the IP address. So, in effect,
your rules will look something like:
-d x.x.x.x -p 6 --dport 22 -j DNAT --to-destination $HOST2_INT_IP
-d x.x.x.x -p 6 --dport 22 -j DNAT --to-destination $HOST1_INT_IP
Notice how the matches are identical; there is no way to distinguish the
traffic coming to the public address of host1 from the traffic coming to
the public address of host2. The rule that comes first will be the one
that is always matched.
You could try using a non-standard port for SSH for one of the devices
and then map it back to SSH on the other, e.g.,
-d x.x.x.x -p 6 --dport 22222 -j DNAT --to-destination $HOST2_INT_IP:22
-d x.x.x.x -p 6 --dport 22 -j DNAT --to-destination $HOST1_INT_IP
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net
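The non-standard-port workaround John describes, written out as a complete nat/FORWARD rule set. This is an added example, not code from either poster: the addresses, interface names and the 22222 port are constructed placeholders, and the script only prints the iptables commands unless APPLY=1 is set, so it can be reviewed before being run on a firewall.

```shell
#!/bin/sh
# Added example (not from the original thread): generate the iptables rules for
# forwarding ssh on an alternate public port to host2 while port 22 on the
# public IP stays with host1. All values below are constructed placeholders.
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"      # "x.x.x.x" in the thread (assumed example address)
HOST1_INT_IP="${HOST1_INT_IP:-192.168.1.1}"  # firewall's own internal address (assumed)
HOST2_INT_IP="${HOST2_INT_IP:-192.168.1.20}" # LAN host receiving the forwarded ssh (assumed)
EXT_IF="${EXT_IF:-eth1}"                     # external interface, as in the question
INT_IF="${INT_IF:-eth0}"                     # internal interface, as in the question
HOST2_PORT="${HOST2_PORT:-22222}"            # public port mapped to host2:22

# Dry-run by default: print each command instead of executing it.
run() {
  if [ "${APPLY:-0}" = "1" ]; then
    "$@"
  else
    echo "$*"
  fi
}

ssh_forward_rules() {
  # Only the alternate port is DNATed; port 22 on the public IP needs no rule,
  # so the two matches can no longer collide the way identical --dport 22 rules do.
  run iptables -t nat -A PREROUTING -i "$EXT_IF" -d "$PUBLIC_IP" -p tcp \
      --dport "$HOST2_PORT" -j DNAT --to-destination "$HOST2_INT_IP:22"
  # Permit only the forwarded flow through FORWARD (post-DNAT destination and port).
  run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$HOST2_INT_IP" -p tcp --dport 22 \
      -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
  # Return traffic for that and other established LAN flows.
  run iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" \
      -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Masquerade LAN traffic leaving the external interface (item 2 of the layout).
  run iptables -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
}

ssh_forward_rules
```

Run it once without APPLY to see the four rules it would add, then with APPLY=1 on the firewall. Keeping the FORWARD rule pinned to the DNATed destination and port 22 means the DNAT entry cannot quietly expose more of host2 than intended if the PREROUTING rule is later widened.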