From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
To: Bill Hendrickson <wjhendrickson@gmail.com>
Cc: netfilter list <netfilter@vger.kernel.org>
Subject: Re: SSH Port Forwarding with iptables
Date: Thu, 01 Oct 2009 12:37:02 +0200
Message-ID: <4AC4864E.4020404@plouf.fr.eu.org>
In-Reply-To: <a0017e7e0909290914v7a4efac0u69f7cfdeaf7bb4e2@mail.gmail.com>
Hello,
Bill Hendrickson wrote:
> Okay, I simplified my script, and tried MASQUERADE vs FORWARD, and got
> it to work:
>
> iptables -t nat -P PREROUTING ACCEPT
> iptables -t nat -P POSTROUTING ACCEPT
> iptables -t nat -P OUTPUT ACCEPT
> iptables -t nat -A PREROUTING -p tcp -m tcp --dport 2022 -j DNAT
> --to-destination 172.16.0.101:22
> iptables -t nat -A POSTROUTING -j MASQUERADE
>
> why does this way work?
Because MASQUERADE replaces the original source address (which the SSH
server cannot reach due to a missing default or subnet route) with the
address of the output interface eth1 (which the SSH server can reach).
The server did not reply to the SYN packets because there is no route in
its routing table for the client address.
> What are the ramifications of using
> masquerading, i.e., any reason I shouldn't adopt this method?
You don't need SNAT or MASQUERADE. It hides the real source address
from the server. You just need to add a proper route on the server so it
knows how to reach the client address via the router.
Besides, the SNAT rule proposed by Gaspar could not help because it
works on the external interface, while the missing route on the server
requires SNAT/MASQUERADE on the internal interface.
>> $IPT -A OUTPUT -o $EXT_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
>> $IPT -A OUTPUT -o $INT_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
You don't need all the ACCEPT rules when the default policies are ACCEPT
and there are no DROP/REJECT rules.
>> $IPT -t nat -A PREROUTING -p tcp -i $EXT_IFACE -d $EXT_IP --dport
>> $SSH_PORT --sport 1024:65535 -j DNAT --to $SSH_HOST:22
>> $IPT -A FORWARD -p tcp -i $EXT_IFACE -o $INT_IFACE -d $SSH_HOST
>> --dport $SSH_PORT --sport 1024:65535 -m state --state NEW -j ACCEPT
In the FORWARD chain the destination port has already been changed by
the DNAT rule just like the destination address, so this rule must match
on destination port 22, not on the original destination port.
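The two points above (the FORWARD rule sees the post-DNAT port 22, and the server needs a route back to the client rather than the router masquerading) as a small model of the packet path. This is an added example, not code from the thread; 172.16.0.101 and port 2022 come from the thread, while 203.0.113.10 (router external address), 172.16.0.1 (router eth1 address) and 198.51.100.7 (client) are constructed values.

```python
import ipaddress

# Addresses: SSH_HOST and SSH_PORT are from the thread, the rest are constructed.
EXT_IP, ROUTER_INT_IP = "203.0.113.10", "172.16.0.1"
SSH_HOST, SSH_PORT = "172.16.0.101", 2022

def nat_prerouting(pkt):
    """nat PREROUTING: -p tcp --dport 2022 -j DNAT --to-destination 172.16.0.101:22"""
    if pkt["proto"] == "tcp" and pkt["dst"] == EXT_IP and pkt["dport"] == SSH_PORT:
        return {**pkt, "dst": SSH_HOST, "dport": 22}
    return pkt

def filter_forward(pkt, rule_dport):
    """filter FORWARD: -p tcp -d $SSH_HOST --dport <rule_dport> --state NEW -j ACCEPT,
    with everything else dropped. It runs after nat PREROUTING, so it sees the
    already-rewritten destination address and port."""
    return pkt["proto"] == "tcp" and pkt["dst"] == SSH_HOST and pkt["dport"] == rule_dport

def nat_postrouting(pkt, masquerade):
    """nat POSTROUTING: -j MASQUERADE replaces the source with the eth1 address."""
    return {**pkt, "src": ROUTER_INT_IP} if masquerade else pkt

def forwarded(pkt, rule_dport, masquerade=False):
    """The packet as it leaves eth1 towards the server, or None if FORWARD dropped it."""
    pkt = nat_prerouting(pkt)
    if not filter_forward(pkt, rule_dport):
        return None
    return nat_postrouting(pkt, masquerade)

def server_can_reply(pkt, server_routes):
    """The server answers the SYN only if one of its routes covers the source address.
    server_routes: CIDR strings, e.g. its own subnet plus an optional default route."""
    src = ipaddress.ip_address(pkt["src"])
    return any(src in ipaddress.ip_network(r) for r in server_routes)

# Constructed client SYN arriving on the router's external interface.
SYN = {"proto": "tcp", "src": "198.51.100.7", "dst": EXT_IP, "sport": 40000, "dport": SSH_PORT}
SUBNET_ONLY = ["172.16.0.0/24"]                # server without a default route
WITH_DEFAULT = ["172.16.0.0/24", "0.0.0.0/0"]  # after adding a default route via the router

if __name__ == "__main__":
    print("FORWARD --dport 2022:", forwarded(SYN, SSH_PORT))       # None: dropped
    print("FORWARD --dport 22:  ", forwarded(SYN, 22))             # accepted, real client src
    print("reply, no route:     ", server_can_reply(forwarded(SYN, 22), SUBNET_ONLY))        # False
    print("reply, masquerade:   ", server_can_reply(forwarded(SYN, 22, True), SUBNET_ONLY))  # True, src hidden
    print("reply, proper route: ", server_can_reply(forwarded(SYN, 22), WITH_DEFAULT))       # True
```

With the proper route the server both replies and still sees the real client address in its logs, which the MASQUERADE variant loses.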