From: "Leonardo Rodrigues Magalhães" <leolistas@solutti.com.br>
To: ML netfilter <netfilter@vger.kernel.org>
Subject: Re: iptables equivalent of ssh local port forward.
Date: Fri, 04 Apr 2008 21:12:15 -0300
Message-ID: <47F6C3DF.2040805@solutti.com.br>
In-Reply-To: <alpine.LNX.1.10.0804050205390.26881@fbirervta.pbzchgretzou.qr>



Jan Engelhardt wrote:
>
> On Saturday 2008-04-05 01:35, Joel Pearson wrote:
>>
>> I can get iptables forwarding to work fine if the source address is
>> from the internet, well a different interface anyway.  Using a DNAT
>> works fine in these circumstances.  But a DNAT doesn't work to forward
>> within the same subnet/interface it seems.
>>
>> Can someone point me in the right direction?
>
> http://jengelh.hopto.org/images/dnat-mistake.png
>

    The graph shows the problem clearly, but doesn't give the solution.

    The host with the DNAT rule, when forwarding packets from a source 
machine on the same subnet as the DNATted machine, should do an SNAT too. 
DNAT redirects the packet; SNAT changes the source address to the address 
of the host with the DNAT rule. So replies will go to the host with the 
DNAT rule and everything will work.

    The big problem with this setup is that the DNATted machine will lose 
the ability to log the original source address, because it was SNATted.

    In these situations, you could consider a DNS setup with views, 
replying with the internal address for your internal network, avoiding the 
use of this setup, although it works completely fine.

-- 


	Sincerely,
	Leonardo Rodrigues
	Solutti Tecnologia
	http://www.solutti.com.br

	My SPAM trap, do NOT send email to it
	gertrudes@solutti.com.br
	My SPAMTRAP, do not email it
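The DNAT-plus-SNAT ("hairpin NAT") setup described in the message above, written out as iptables rules. This is an added example, not code from the original thread or from any of its authors; every address in it is constructed (203.0.113.10 as the router's public address, 192.168.1.1 as its LAN address, 192.168.1.0/24 as the shared subnet, 192.168.1.20 as the DNATted server) and the function name hairpin_rules is an assumption of this example. Without an argument the script only prints the rules (by substituting echo for iptables); pass "apply" to install them, which needs root and net.ipv4.ip_forward=1.

```shell
#!/bin/sh
# Hairpin NAT: DNAT so the packet reaches the internal server, plus SNAT
# for the same-subnet case so the server's replies come back through the
# router instead of going straight to the client (which would drop them,
# since they would arrive from the server's address, not the one it dialed).
# Added example; all addresses below are constructed, not from the thread.
#   wan_ip      203.0.113.10    public address the clients connect to
#   router_lan  192.168.1.1     router's address on the LAN (SNAT source)
#   lan_net     192.168.1.0/24  subnet shared by clients and the server
#   server      192.168.1.20    DNAT target
# Set IPTABLES=echo to print the rules instead of applying them.

hairpin_rules() {
    wan_ip=$1 router_lan=$2 lan_net=$3 server=$4 port=$5
    ipt="${IPTABLES:-iptables}"

    # 1. DNAT: rewrite the destination for any client, internet or LAN.
    #    Do not add "-i <wan_if>" here, or LAN clients would never match.
    "$ipt" -t nat -A PREROUTING -d "$wan_ip" -p tcp --dport "$port" \
        -j DNAT --to-destination "$server:$port"

    # 2. SNAT only for the hairpin case (client and server on the same
    #    subnet), so replies return via the router, which un-NATs them.
    #    Cost, as the message notes: the server logs $router_lan as the
    #    source, not the real client address.
    "$ipt" -t nat -A POSTROUTING -s "$lan_net" -d "$server" -p tcp --dport "$port" \
        -j SNAT --to-source "$router_lan"

    # 3. Let the DNATted connection (and its replies) through FORWARD.
    "$ipt" -A FORWARD -d "$server" -p tcp --dport "$port" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
}

# Dry run by default; "apply" installs the rules (root, ip_forward=1).
case "${1:-}" in
    apply) hairpin_rules 203.0.113.10 192.168.1.1 192.168.1.0/24 192.168.1.20 80 ;;
    *)     IPTABLES=echo hairpin_rules 203.0.113.10 192.168.1.1 192.168.1.0/24 192.168.1.20 80 ;;
esac
```

The POSTROUTING rule is deliberately narrowed to sources in the LAN subnet: traffic arriving from the internet already returns through the router, so it keeps its real source address and the server's logs stay accurate for those clients. Only the same-subnet clients pay the logging cost the message describes.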




