* DNAT w ssh tunnel
From: eth @ 2002-06-21 7:28 UTC (permalink / raw)
To: netfilter
Hi listers.
I'm trying to make a simple tunnel for a JDBC connection with port forwarding from one machine to another via a firewall.
|client| --Inet--> |firewall| --LAN--> |database|
The client runs an ssh client with port forwarding to the firewall machine. On the fw I have "simpleproxy", which is a TCP proxy that forwards all local sockets to a remote host. Yet I thought I should do a:
iptables -t nat -A OUTPUT -d 194.226.254.1 -p tcp -m tcp --dport 1521 -j DNAT --to-destination 192.168.10.100:1521
... which should do the fw->database port forward trick; it doesn't. :-|
Dumping, it looks like packets leave from 192.168.10.1 (which is the firewall's internal eth) to 192.168.10.100 (which is the database server), the server says SYN ACK and then the firewall sends a RST!! Why? Isn't DNAT supposed to keep track of all connections, even those DNATed? What am I missing? The Linux part is RH 7.3 with a 2.4.18 kernel from kernel.org.
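As an added illustration of the connection tracking eth asks about (a constructed example, not code from the thread): a simplified Python model of how conntrack records a connection DNATed in the OUTPUT chain and reverse-translates the server's SYN-ACK. The addresses are those from the post; the ephemeral port 40000 and the class names are constructed, and the model says nothing about why the real firewall answered with a RST.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Flow:
    """One direction of a TCP connection."""
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.dst, self.dport, self.src, self.sport)


class DnatConntrack:
    """Simplified model of one nat OUTPUT DNAT rule plus connection tracking."""

    def __init__(self, match_dst: str, match_dport: int, to_dst: str, to_dport: int):
        self.match = (match_dst, match_dport)
        self.target = (to_dst, to_dport)
        # flow as the local socket sees it -> flow actually put on the wire
        self.table: Dict[Flow, Flow] = {}

    def outbound(self, pkt: Flow) -> Flow:
        """Locally generated packet: only the first packet of a connection is
        matched against the rule; later ones reuse the stored mapping."""
        if pkt in self.table:
            return self.table[pkt]
        wire = Flow(pkt.src, pkt.sport, *self.target) if (pkt.dst, pkt.dport) == self.match else pkt
        self.table[pkt] = wire
        return wire

    def inbound(self, reply: Flow) -> Optional[Flow]:
        """Reply from the real server: find the connection it answers and undo the
        DNAT, so the socket sees a reply from the address it connected to."""
        for orig, wire in self.table.items():
            if reply == wire.reverse():
                return orig.reverse()
        return None  # no conntrack entry for this reply


def trace_handshake() -> Dict[str, Optional[Flow]]:
    """Replay the post's scenario; the source port 40000 is a constructed value."""
    ct = DnatConntrack("194.226.254.1", 1521, "192.168.10.100", 1521)
    syn = Flow("192.168.10.1", 40000, "194.226.254.1", 1521)
    syn_on_wire = ct.outbound(syn)       # SYN leaves for 192.168.10.100:1521
    syn_ack = syn_on_wire.reverse()      # database answers that wire flow
    return {"syn_on_wire": syn_on_wire, "syn_ack_seen_by_socket": ct.inbound(syn_ack)}
```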
* Re: DNAT w ssh tunnel
From: Karl Fischer @ 2002-06-21 7:49 UTC (permalink / raw)
To: eth; +Cc: netfilter
eth wrote:
>
> Hi listers.
>
> I try to make a simple tunnel for a jdbc connection with port forward from
> one machine to another via a firewall.
>
> |client| --Inet--> |firewall| --LAN--> |database|
>
> The client runs a ssh client with port forwarding to the firewall machine.
> On the fw I have the "simpleproxy" which is a tcp proxy that forwards all
> local sockets to a remote host. Yet I thought I should do a:
>
> iptables -t nat -A OUTPUT -d 194.226.254.1 -p tcp -m tcp --dport 1521 -j
> DNAT --to-destination 192.168.10.100:1521
>
> ... which should do the fw->database port forward trick; it doesn't. :-|
Hi,
you don't even need to use netfilter's port-forwarding, and no
simpleproxy either. SSH does the whole job on its own, and most securely too ...
on the client you use:
ssh -L 1521:192.168.10.100:1521 user@firewall
then your database frontend on the client should be able to connect to
the database using the localhost interface 127.0.0.1:1521 - that's it.
Regards
- Karl