From: Arthur Kerpician <arthur@bluechip.ro>
To: "John A. Sullivan III" <john.sullivan@nexusmgmt.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: selective port forwarding
Date: Thu, 10 Jun 2004 00:59:02 +0300
Message-ID: <40C78826.2010402@bluechip.ro>
In-Reply-To: <1086816900.2939.7.camel@localhost>
John A. Sullivan III wrote:
>On Wed, 2004-06-09 at 15:48, Arthur Kerpician wrote:
>
>
>>Hi,
>>I have this very simple network layout:
>>1. Firewall server (host1.domain.com) with eth1 (external static IP) and
>>eth0 (internal IP)
>>2. The firewall server does masquerading for the LAN
>>3. Other server (host2) on LAN with eth0 (internal IP)
>>So, the only external IP is on the host1.domain.com.
>>I want to forward some of the ssh traffic to host2, based on the hostname.
>>eg:
>>when trying to ssh to host1.domain.com the firewall server (host1) will
>>reply and
>>when trying to ssh to host2.domain.com the firewall server will forward
>>the traffic to host2 inside the LAN
>>
>>I know that what I'm looking for has to do with DNAT, but I really
>>don't know where to start. The DNS is configured to map host1.domain.com
>>and host2.domain.com to the same external IP on host1.
>>
>>Thanks,
>>Arthur
>>
>>
>If I understand you correctly, you want to access both devices from the
>Internet. You wish to ssh host1.domain.com from the Internet and have
>the packets arrive at host and ssh host2.domain.com from the Internet
>and have host1 forward them to host2. Both host1 and host2 resolve to
>the same public IP, let's call it x.x.x.x.
>
>If this is correct, you have a problem. iptables will resolve the names
>when it loads but thereafter will use the IP address. So, in effect,
>your rules will look something like:
>
>-d x.x.x.x -p 6 --dport 22 -j DNAT --to-destination $HOST2_INT_IP
>-d x.x.x.x -p 6 --dport 22 -j DNAT --to-destination $HOST1_INT_IP
>
>Notice how the matches are identical; there is no way to distinguish the
>traffic coming to the public address of host1 from the traffic coming to
>the public address of host2. The rule that comes first will be the one
>that is always matched.
>
>You could try using a non-standard port for SSH for one of the devices
>and then map it back to SSH on the other, e.g.,
>-d x.x.x.x -p 6 --dport 22222 -j DNAT --to-destination $HOST2_INT_IP:22
>-d x.x.x.x -p 6 --dport 22 -j DNAT --to-destination $HOST1_INT_IP
>
>
>
Using different ports should do it, thanks a lot.
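As an added example (not code from the thread or from either poster), here is a POSIX shell script that emits the port-split rule set John describes, plus a check for the match collision he points out: two rules with identical `-d`/`-p`/`--dport` matches, of which only the first can ever fire. The public and LAN addresses are constructed placeholders; eth1/eth0 and port 22222 come from the thread, and `-p tcp` is the same as John's `-p 6`.

```shell
#!/bin/sh
# Added example, not from the thread: the port-split DNAT scheme John describes.
# TCP/22 to the public IP is answered by the firewall (host1) itself, so it needs
# no DNAT; TCP/22222 is rewritten to host2:22. All addresses below are
# constructed placeholders (RFC 5737 / RFC 1918), not the poster's real ones.
PUB_IP="${PUB_IP:-192.0.2.10}"           # "x.x.x.x" in the thread
HOST2_INT_IP="${HOST2_INT_IP:-10.0.0.2}" # host2's LAN address
EXT_IF="${EXT_IF:-eth1}"                 # external interface, as in the thread
INT_IF="${INT_IF:-eth0}"                 # internal interface, as in the thread
ALT_PORT="${ALT_PORT:-22222}"            # non-standard port that maps to host2

# Emit the rules as text instead of executing them, so they can be reviewed
# (or piped to sh as root) before a live firewall is touched.
dnat_rules() {
  pub=$1 h2=$2 ext=$3 int=$4 alt=$5
  cat <<EOF
iptables -t nat -A PREROUTING -i $ext -d $pub -p tcp --dport $alt -j DNAT --to-destination $h2:22
iptables -A FORWARD -i $ext -o $int -d $h2 -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $ext -d $pub -p tcp --dport 22 -j ACCEPT
EOF
}

# Count rules whose (-d, -p, --dport) match repeats an earlier rule's. A later
# rule with an identical match can never fire: that is exactly why two
# "--dport 22" DNATs for the same public IP cannot tell host1 from host2.
shadowed_count() {
  awk '
    match($0, /-d [^ ]+ -p [^ ]+ --dport [^ ]+/) {
      key = substr($0, RSTART, RLENGTH)
      if (seen[key]++) n++
    }
    END { print n + 0 }'
}

# Stand-alone run: print the rule set and fail if any rule is shadowed.
dnat_rules "$PUB_IP" "$HOST2_INT_IP" "$EXT_IF" "$INT_IF" "$ALT_PORT"
[ "$(dnat_rules "$PUB_IP" "$HOST2_INT_IP" "$EXT_IF" "$INT_IF" "$ALT_PORT" | shadowed_count)" = 0 ]
```

Feeding John's first (identical-match) pair through `shadowed_count` reports one shadowed rule; the port-split pair reports none.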