* iptables equivalent of ssh local port forward.
@ 2008-04-04 23:35 Joel Pearson
From: Joel Pearson @ 2008-04-04 23:35 UTC (permalink / raw)
To: netfilter
Hi,
What I'm trying to do seems simple, but I haven't managed to get it to work yet.
I can get ssh to do what I want, but it seems a little excessive.
This is my working ssh command:
ssh -f -N -g -L 143:192.168.1.4:143 root@192.168.1.4 (this is run from
192.168.1.3)
Basically I'm trying to forward imap from 192.168.1.3 to 192.168.1.4,
but for when I am connecting from the 192.168.1.x network.
I can get iptables forwarding to work fine if the source address is
from the internet, well a different interface anyway. Using a DNAT
works fine in these circumstances. But a DNAT doesn't work to forward
within the same subnet/interface it seems.
I'm sure this is possible, but I can't figure out the correct rule.
So to be really clear I want to be able to connect to port 143 on
192.168.1.3 from 192.168.1.29 (for example) and have that request
forwarded to port 143 on 192.168.1.4
Can someone point me in the right direction?
Cheers,
-Joel
* Re: iptables equivalent of ssh local port forward.
From: Jan Engelhardt @ 2008-04-05 0:06 UTC (permalink / raw)
To: Joel Pearson; +Cc: netfilter
On Saturday 2008-04-05 01:35, Joel Pearson wrote:
>
> I can get iptables forwarding to work fine if the source address is
> from the internet, well a different interface anyway. Using a DNAT
> works fine in these circumstances. But a DNAT doesn't work to forward
> within the same subnet/interface it seems.
>
> Can someone point me in the right direction?
http://jengelh.hopto.org/images/dnat-mistake.png
--
make boldconfig -- to boldly select what no one has selected before
* Re: iptables equivalent of ssh local port forward.
From: Jan Engelhardt @ 2008-04-05 0:09 UTC (permalink / raw)
To: Joel Pearson; +Cc: netfilter
On Saturday 2008-04-05 02:06, Jan Engelhardt wrote:
> On Saturday 2008-04-05 01:35, Joel Pearson wrote:
>>
>> I can get iptables forwarding to work fine if the source address is
>> from the internet, well a different interface anyway. Using a DNAT
>> works fine in these circumstances. But a DNAT doesn't work to forward
>> within the same subnet/interface it seems.
>>
>> Can someone point me in the right direction?
>
> http://jengelh.hopto.org/images/dnat-mistake.png
Adding an extra SNAT rule of course alleviates this problem,
at the cost of seeing 1.3.3.8 instead of 1.3.3.7 in the logs
of 1.3.3.9.
(-t nat -A POSTROUTING -d 1.3.3.9 -m conntrack --ctstate DNAT
-j SNAT --to 1.3.3.8)
* Re: iptables equivalent of ssh local port forward.
From: Joel Pearson @ 2008-04-05 2:04 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter
On Sat, Apr 5, 2008 at 11:09 AM, Jan Engelhardt <jengelh@computergmbh.de> wrote:
>
> On Saturday 2008-04-05 02:06, Jan Engelhardt wrote:
>
> > On Saturday 2008-04-05 01:35, Joel Pearson wrote:
> >
> > >
> > > I can get iptables forwarding to work fine if the source address is
> > > from the internet, well a different interface anyway. Using a DNAT
> > > works fine in these circumstances. But a DNAT doesn't work to forward
> > > within the same subnet/interface it seems.
> > >
> > > Can someone point me in the right direction?
> > >
> >
> > http://jengelh.hopto.org/images/dnat-mistake.png
> >
>
> Adding an extra SNAT rule of course alleviates this problem,
> at the cost of seeing 1.3.3.8 instead of 1.3.3.7 in the logs
> of 1.3.3.9.
>
> (-t nat -A POSTROUTING -d 1.3.3.9 -m conntrack --ctstate DNAT
> -j SNAT --to 1.3.3.8)
>
Thanks Jan, that SNAT rule worked great!
* Re: iptables equivalent of ssh local port forward.
From: Leonardo Rodrigues Magalhães @ 2008-04-05 0:12 UTC (permalink / raw)
To: ML netfilter
Jan Engelhardt wrote:
>
> On Saturday 2008-04-05 01:35, Joel Pearson wrote:
>>
>> I can get iptables forwarding to work fine if the source address is
>> from the internet, well a different interface anyway. Using a DNAT
>> works fine in these circumstances. But a DNAT doesn't work to forward
>> within the same subnet/interface it seems.
>>
>> Can someone point me in the right direction?
>
> http://jengelh.hopto.org/images/dnat-mistake.png
>
The graph shows the problem clearly, but doesn't give the solution.
The host with the DNAT rule, when forwarding to a source machine on the
same subnet as the DNATted machine, should do a SNAT too. DNAT redirects
the packet, SNAT changes the source address to the address of the host
with the DNAT rule. So, replies will go to the host with the DNAT rule
and everything will work.
The big problem with this setup is that the DNATted machine will lose
the ability to log the original source address, because it was SNATted.
In these situations, you could think about a DNS setup with views,
replying with the internal address for your internal network, avoiding
the use of this setup, although it works completely fine.
--
Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
My SPAM trap, do NOT send email
gertrudes@solutti.com.br
My SPAMTRAP, do not email it
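Jan's SNAT rule (message above, "-t nat -A POSTROUTING -d 1.3.3.9 -m conntrack --ctstate DNAT -j SNAT --to 1.3.3.8") and Leonardo's explanation of why the SNAT is needed, put together as one complete rule set. This is an added example written for this page, not code from the thread. It assumes Joel's addresses (NAT box 192.168.1.3, IMAP server 192.168.1.4, LAN 192.168.1.0/24, port 143) and adds one refinement beyond the thread's rule: the SNAT is limited to sources on the LAN, so only hairpinned LAN clients appear in the IMAP server's logs as 192.168.1.3, while Internet clients keep their real source address (Jan's unrestricted rule SNATs every DNATted connection). With DRY_RUN=1 (the default) the script prints the iptables commands instead of running them.

```sh
#!/bin/sh
# Added example for this page (not the thread's own code): DNAT port forward
# plus the hairpin SNAT that makes it work for clients on the same subnet.
# Assumed addresses (from Joel's setup): NAT box 192.168.1.3, IMAP server
# 192.168.1.4, LAN 192.168.1.0/24, port 143.

# run: print the iptables command when DRY_RUN=1 (default), else execute it.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# port_forward PUBLIC_IP REAL_IP PORT LAN_CIDR
#   PUBLIC_IP  address clients connect to (the box holding the rules)
#   REAL_IP    host that actually runs the service
#   PORT       TCP port being forwarded
#   LAN_CIDR   subnet REAL_IP lives on; clients there need the hairpin SNAT
port_forward() {
    public=$1 real=$2 port=$3 lan=$4

    # 1. Rewrite the destination: PUBLIC_IP:PORT -> REAL_IP:PORT.
    run -t nat -A PREROUTING -p tcp -d "$public" --dport "$port" \
        -j DNAT --to-destination "$real:$port"

    # 2. Allow the forwarded flow and its replies through FORWARD
    #    (net.ipv4.ip_forward must be 1 for packets to get this far).
    run -A FORWARD -p tcp -d "$real" --dport "$port" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    run -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 3. Hairpin SNAT (Jan's rule, limited to LAN sources): without it the
    #    server answers the LAN client directly, the client sees a SYN-ACK
    #    from REAL_IP instead of PUBLIC_IP and resets it.  Internet clients
    #    are not matched, so the server still logs their real source address.
    run -t nat -A POSTROUTING -p tcp -s "$lan" -d "$real" --dport "$port" \
        -m conntrack --ctstate DNAT -j SNAT --to-source "$public"
}

# Demo: print the rules for Joel's IMAP forward.
port_forward 192.168.1.3 192.168.1.4 143 192.168.1.0/24
```

Run it as root with DRY_RUN=0 to apply the rules. The `--ctstate DNAT` match keeps the SNAT from touching packets that were not rewritten by the PREROUTING rule, and `-s LAN_CIDR` is what confines the loss of the original source address to the one case (same-subnet clients) where the SNAT is actually needed.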
* Re: iptables equivalent of ssh local port forward.
From: Jan Engelhardt @ 2008-04-05 1:08 UTC (permalink / raw)
To: Leonardo Rodrigues Magalhães; +Cc: ML netfilter
On Saturday 2008-04-05 02:12, Leonardo Rodrigues Magalhães wrote:
>
> The graph shows the problem clearly, but doesn't give the solution.
Well, UNIX philosophy - one thing should do one thing :)
Solutions are either
- SNAT, in which case you won't have the original address, or
- making sure 1.3.3.9 sends the packets back to 1.3.3.8 first
before they get back to 1.3.3.7, either by
- adding explicit routing entries or
- modifying the network/subnet layout in a fitting way
- directly connecting to 1.3.3.9 in the first place
* Re: iptables equivalent of ssh local port forward.
From: Joel Pearson @ 2008-04-05 2:16 UTC (permalink / raw)
To: Leonardo Rodrigues Magalhães; +Cc: ML netfilter
On Sat, Apr 5, 2008 at 11:12 AM, Leonardo Rodrigues Magalhães
<leolistas@solutti.com.br> wrote:
>
> The graph shows the problem clearly, but doesn't give the solution.
>
> The host with the DNAT rule, when forwarding to a source machine on the same
> subnet as the DNATted machine, should do a SNAT too. DNAT redirects the
> packet, SNAT changes the source address to the address of the host with the DNAT rule.
> So, replies will go to the host with the DNAT rule and everything will work.
>
> The big problem with this setup is that the DNATted machine will lose
> the ability to log the original source address, because it was SNATted.
>
> In these situations, you could think about a DNS setup with views,
> replying with the internal address for your internal network, avoiding the use
> of this setup, although it works completely fine.
>
>
Hi Leonardo,
I understand the implications of the SNAT problem with respect to
logging the incorrect source IP address.
The situation I have at the moment is that I am slowly migrating
everything from one server to another.
However there is one particular service (IMAP in this instance) which
needs to be used from inside the network and outside the network with
the same domain name.
I actually have the DNS setup you are talking about, however it is
pointing to 192.168.1.3 (the machine doing the DNATing), when dns is
requested internally.
I realise I could create another domain name for this particular
service, which would be quite an elegant solution, however this is
only a temporary measure for the next few weeks, because I am about
to make the DNAT machine redundant.
Thanks for helping me out in my problem.
Cheers,
-Joel