From: "Gáspár Lajos" <swifty@freemail.hu>
To: Bill Hendrickson <wjhendrickson@gmail.com>
Cc: netfilter@vger.kernel.org
Subject: Re: SSH Port Forwarding with iptables
Date: Tue, 29 Sep 2009 19:00:43 +0200
Message-ID: <4AC23D3B.6050705@freemail.hu>
In-Reply-To: <a0017e7e0909290941h38aeafd3hda04418654bee004@mail.gmail.com>
Bill Hendrickson wrote:
> Swifty,
> You nailed it - thanks! I needed to do both things (set the default
> gw on internal server and use the rule). Re: my other post, which is
> the better way to go, in your opinion - FORWARDing or MASQUERADing?
>
You're welcome! :D
FORWARD is the chain...
MASQUERADING is a technique...
But to answer your question:
You are FORWARDing packets to and from your internal/external networks
on the firewall/gateway.
If you have a fixed external IP, then you should SNAT every packet that
leaves your network.
If you have dynamic IP then you should MASQUERADE.
Your first attempt was unsuccessful because the external client expected
the packets from the gateway and not from an "internal" unknown IP.
From the manual:

MASQUERADE
    This target is only valid in the nat table, in the POSTROUTING chain.
    It should only be used with dynamically assigned IP (dialup)
    connections: if you have a static IP address, you should use the SNAT
    target. Masquerading is equivalent to specifying a mapping to the IP
    address of the interface the packet is going out, but also has the
    effect that connections are forgotten when the interface goes down.
    This is the correct behavior when the next dialup is unlikely to have
    the same interface address (and hence any established connections are
    lost anyway).
Swifty
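The DNAT-based SSH forward plus the SNAT-or-MASQUERADE choice described in this reply, as an added example that is not part of the original thread. Interface names, addresses and the exposed port 2222 are constructed placeholders; by default the script only prints the iptables commands (set IPT=iptables to apply them).

```shell
#!/bin/sh
# Added example (not from the thread): forward gateway:2222 to an internal
# SSH server, then pick the POSTROUTING rule by address type.
# Requires: sysctl -w net.ipv4.ip_forward=1, and the internal server must
# use this gateway as its default gateway (otherwise replies bypass the NAT).
WAN_IF="eth0"              # placeholder: interface facing the Internet
LAN_IF="eth1"              # placeholder: interface facing the LAN
WAN_IP="198.51.100.10"     # placeholder fixed external IP (documentation range)
LAN_NET="192.168.1.0/24"   # placeholder internal network
SSH_HOST="192.168.1.20"    # placeholder internal SSH server
EXT_PORT="2222"            # port exposed on the gateway
IPT="${IPT:-echo iptables}"  # default: print rules; IPT=iptables applies them

# build_rules MODE   (MODE = static | dynamic)
# Emits the PREROUTING, FORWARD and POSTROUTING rules for the forward.
build_rules() {
    mode="$1"
    # 1. Rewrite the destination: gateway:EXT_PORT -> SSH_HOST:22.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$EXT_PORT" \
        -j DNAT --to-destination "$SSH_HOST:22"
    # 2. FORWARD chain: allow only the forwarded SSH flow and its replies.
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$SSH_HOST" --dport 22 \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 3. Source NAT for everything leaving the LAN, so the external client
    #    sees the gateway's address rather than an internal one.
    case "$mode" in
        static)   # fixed external IP: SNAT to that address
            $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" \
                -j SNAT --to-source "$WAN_IP" ;;
        dynamic)  # dynamic external IP: MASQUERADE follows the interface address
            $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" \
                -j MASQUERADE ;;
        *)
            echo "usage: build_rules static|dynamic" >&2
            return 1 ;;
    esac
}

# Stand-alone run: print the ruleset for a fixed external IP.
build_rules static
```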