* selective port forwarding
@ 2004-06-09 19:48 Arthur Kerpician
  2004-06-09 21:35 ` John A. Sullivan III
From: Arthur Kerpician @ 2004-06-09 19:48 UTC (permalink / raw)
  To: netfilter

Hi,
I have this very simple network layout:
1. Firewall server (host1.domain.com) with eth1 (external static IP) and 
eth0 (internal IP)
2. The firewall server does masquerading for LAN
3. Other server (host2) on LAN with eth0 (internal IP)
So, the only external IP is on the host1.domain.com.
I want to forward some of the ssh traffic to host2, based on the hostname.
eg:
when trying to ssh to host1.domain.com the firewall server (host1) will 
reply and
when trying to ssh to host2.domain.com the firewall server will forward 
the traffic to host2 inside the LAN

I know that what I'm looking for has to do with DNAT, but I really 
don't know where to start. The DNS is configured to map host1.domain.com 
and host2.domain.com to the same external IP on host1.

Thanks,
Arthur




* Re: selective port forwarding
  2004-06-09 19:48 selective port forwarding Arthur Kerpician
@ 2004-06-09 21:35 ` John A. Sullivan III
  2004-06-09 21:59   ` Arthur Kerpician
From: John A. Sullivan III @ 2004-06-09 21:35 UTC (permalink / raw)
  To: Arthur Kerpician; +Cc: netfilter

On Wed, 2004-06-09 at 15:48, Arthur Kerpician wrote:
> Hi,
> I have this very simple network layout:
> 1. Firewall server (host1.domain.com) with eth1 (external static IP) and 
> eth0 (internal IP)
> 2. The firewall server does masquerading for LAN
> 3. Other server (host2) on LAN with eth0 (internal IP)
> So, the only external IP is on the host1.domain.com.
> I want to forward some of the ssh traffic to host2, based on the hostname.
> eg:
> when trying to ssh to host1.domain.com the firewall server (host1) will 
> reply and
> when trying to ssh to host2.domain.com the firewall server will forward 
> the traffic to host2 inside the LAN
> 
> I know that what I'm looking for has to do with DNAT, but I really 
> don't know where to start. The DNS is configured to map host1.domain.com 
> and host2.domain.com to the same external IP on host1.
> 
> Thanks,
> Arthur
If I understand you correctly, you want to access both devices from the
Internet.  You wish to ssh host1.domain.com from the Internet and have
the packets arrive at host1 and ssh host2.domain.com from the Internet
and have host1 forward them to host2.  Both host1 and host2 resolve to
the same public IP, let's call it x.x.x.x.

If this is correct, you have a problem.  iptables will resolve the names
when it loads but thereafter will use the IP address.  So, in effect,
your rules will look something like:

-d x.x.x.x -p 6 --dport 22 -j DNAT --to-destination $HOST2_INT_IP
-d x.x.x.x -p 6 --dport 22 -j DNAT --to-destination $HOST1_INT_IP

Notice how the matches are identical; there is no way to distinguish the
traffic coming to the public address of host1 from the traffic coming to
the public address of host2.  The rule that comes first will be the one
that is always matched.

You could try using a non-standard port for SSH for one of the devices
and then map it back to SSH on the other, e.g., 
-d x.x.x.x -p 6 --dport 22222 -j DNAT --to-destination $HOST2_INT_IP:22
-d x.x.x.x -p 6 --dport 22 -j DNAT --to-destination $HOST1_INT_IP

-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net 
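The two-port layout John suggests, written out as an added example (not code from the thread) for host1, the firewall. The interface names, the 192.168.1.x address for host2 and the 22222 public port are assumptions; x.x.x.x stands in for host1's real public address as in the thread. The script prints the iptables commands unless run as root with APPLY=1, and it also carries the "colliding" rule set from John's reply so the shadowing he describes can be checked mechanically before anything is loaded:

```shell
#!/bin/sh
# Added example, not from the thread: one public port per host, loaded
# on host1 (the firewall). Interface names and the 192.168.1.0/24
# addresses are assumptions; x.x.x.x stands in for host1's real public
# address as in the thread. By default the script only prints the
# iptables commands; run it as root with APPLY=1 to load them.

EXT_IF="${EXT_IF:-eth1}"                     # host1's external interface
INT_IF="${INT_IF:-eth0}"                     # host1's LAN interface
PUBLIC_IP="${PUBLIC_IP:-x.x.x.x}"            # host1's static external IP
HOST2_INT_IP="${HOST2_INT_IP:-192.168.1.2}"  # assumed LAN address of host2
HOST2_EXT_PORT="${HOST2_EXT_PORT:-22222}"    # public port mapped to host2:22

if [ "${APPLY:-0}" = 1 ]; then IPT=iptables; else IPT="echo iptables"; fi

# The rule set that shadows itself: both DNAT rules match
# "-d x.x.x.x --dport 22", so whichever is loaded first takes every
# ssh connection and the second is dead.
colliding_rules() {
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -d "$PUBLIC_IP" -p tcp --dport 22 \
        -j DNAT --to-destination "$HOST2_INT_IP:22"
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -d "$PUBLIC_IP" -p tcp --dport 22 \
        -j DNAT --to-destination "$PUBLIC_IP:22"
}

# The working rule set: only port 22222 is rewritten; port 22 is left
# alone so host1's own sshd answers it.
dnat_rules() {
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -d "$PUBLIC_IP" -p tcp \
        --dport "$HOST2_EXT_PORT" -j DNAT --to-destination "$HOST2_INT_IP:22"
    # DNAT only rewrites the destination; FORWARD must still admit the
    # rewritten packet into the LAN, and the replies back out.
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$HOST2_INT_IP" -p tcp --dport 22 \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$HOST2_INT_IP" -p tcp --sport 22 \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The masquerading the thread already has in place for the LAN.
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
}

# Check a rule-emitting function for the shadowing John describes: two
# DNAT rules with the same "-d <addr> ... --dport <port>" can never both
# match. Runs the function in dry-run mode, so nothing is loaded.
# Exit status 0 means every DNAT match is distinct.
dnat_matches_disjoint() {
    ( IPT="echo iptables"; "$1" ) | awk '/-j DNAT/ {
        for (i = 1; i <= NF; i++) {
            if ($i == "-d") d = $(i + 1)
            if ($i == "--dport") p = $(i + 1)
        }
        if (seen[d ":" p]++) dup = 1
    }
    END { if (dup) exit 1; exit 0 }'
}

if dnat_matches_disjoint dnat_rules; then
    dnat_rules
else
    echo "refusing to load: a DNAT rule is shadowed by an earlier one" >&2
    exit 1
fi
```

The `-i "$EXT_IF"` match keeps the rewrite from applying to LAN traffic, and the FORWARD rules are the part most often forgotten after a DNAT: the nat table changes the address but does not by itself permit the packet through. The alternate port is only a disambiguator, not an access control, so host2's sshd still needs the same hardening as host1's; users who want to keep typing `ssh host2.domain.com` can put `Host host2.domain.com` with `Port 22222` in their ssh client configuration.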




* Re: selective port forwarding
  2004-06-09 21:35 ` John A. Sullivan III
@ 2004-06-09 21:59   ` Arthur Kerpician
From: Arthur Kerpician @ 2004-06-09 21:59 UTC (permalink / raw)
  To: John A. Sullivan III; +Cc: netfilter

John A. Sullivan III wrote:

>On Wed, 2004-06-09 at 15:48, Arthur Kerpician wrote:
>
>>Hi,
>>I have this very simple network layout:
>>1. Firewall server (host1.domain.com) with eth1 (external static IP) and 
>>eth0 (internal IP)
>>2. The firewall server does masquerading for LAN
>>3. Other server (host2) on LAN with eth0 (internal IP)
>>So, the only external IP is on the host1.domain.com.
>>I want to forward some of the ssh traffic to host2, based on the hostname.
>>eg:
>>when trying to ssh to host1.domain.com the firewall server (host1) will 
>>reply and
>>when trying to ssh to host2.domain.com the firewall server will forward 
>>the traffic to host2 inside the LAN
>>
>>I know that what I'm looking for has to do with DNAT, but I really 
>>don't know where to start. The DNS is configured to map host1.domain.com 
>>and host2.domain.com to the same external IP on host1.
>>
>>Thanks,
>>Arthur
>
>If I understand you correctly, you want to access both devices from the
>Internet.  You wish to ssh host1.domain.com from the Internet and have
>the packets arrive at host1 and ssh host2.domain.com from the Internet
>and have host1 forward them to host2.  Both host1 and host2 resolve to
>the same public IP, let's call it x.x.x.x.
>
>If this is correct, you have a problem.  iptables will resolve the names
>when it loads but thereafter will use the IP address.  So, in effect,
>your rules will look something like:
>
>-d x.x.x.x -p 6 --dport 22 -j DNAT --to-destination $HOST2_INT_IP
>-d x.x.x.x -p 6 --dport 22 -j DNAT --to-destination $HOST1_INT_IP
>
>Notice how the matches are identical; there is no way to distinguish the
>traffic coming to the public address of host1 from the traffic coming to
>the public address of host2.  The rule that comes first will be the one
>that is always matched.
>
>You could try using a non-standard port for SSH for one of the devices
>and then map it back to SSH on the other, e.g., 
>-d x.x.x.x -p 6 --dport 22222 -j DNAT --to-destination $HOST2_INT_IP:22
>-d x.x.x.x -p 6 --dport 22 -j DNAT --to-destination $HOST1_INT_IP
>
Using different ports should do it, thanks a lot.



