From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
To: netfilter@vger.kernel.org
Subject: Re: IPTABLES port forwarding woes
Date: Fri, 30 May 2008 15:53:07 +0200
Message-ID: <484006C3.3010401@plouf.fr.eu.org>
In-Reply-To: <48400009.1070308@soe.ucsc.edu>
Hello,
Erich Weiler wrote:
>
> I'm having trouble setting up port forwarding on a linux host I have...
> Basically I have 2 machines. One has a public and a private IP address,
> the other just has a private address:
>
> Machine 1:
> public IP: 120.1.1.10
> private IP: 10.1.1.50
>
> Machine 2:
> private IP: 10.1.1.133
>
> I want to ssh to port 2222 on machine 1 from the internet, on the public
> IP, and have it forward to port 22 on machine 2 on the private network.
> I can't seem to open an SSH socket however when SSHing to port 2222 on
> machine 1's public IP address... Note that I only want port 2222 routed
> to machine 2, all other ports should connect to machine 1 as normal.
> This is my current IP tables file on machine 1:
>
> # Generated by iptables-save v1.3.5 on Wed May 28 20:56:31 2008
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [66:7948]
> -A FORWARD -d 10.1.3.133 -i eth0 -o eth1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
> -A FORWARD -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i eth0 -p all -j ACCEPT
> -A INPUT -i eth1 -p all -j ACCEPT
> -A OUTPUT -o eth0 -p all -j ACCEPT
> -A OUTPUT -o eth1 -p all -j ACCEPT
> COMMIT
> # Completed on Wed May 28 20:56:31 2008
> # Generated by iptables-save v1.3.5 on Wed May 28 20:56:31 2008
> *nat
> :PREROUTING ACCEPT [451:32699]
> :POSTROUTING ACCEPT [2:236]
> :OUTPUT ACCEPT [2:236]
> -A PREROUTING -d 120.1.1.10 -i eth0 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 10.1.3.133:22
> -A POSTROUTING -s 10.1.3.133 -o eth0 -j SNAT --to-source 120.1.1.10
> COMMIT
> # Completed on Wed May 28 20:56:31 2008
Note that ACCEPT-only rules are pointless when the default policy is
already set to ACCEPT. However I see nothing that could cause the port
forwarding to fail.
> This just doesn't seem to work - can anyone see where I'm going wrong? I
> guess I want machine 2 to see connections coming from machine 1 to be
> coming from machine 1's private IP, but I'm not sure the 'source IP' is
> being re-written when it's being forwarded to machine 2... Not sure...
No, the source address is not rewritten according to the above ruleset.
It would require the following (minimal, feel free to add source,
destination, protocol and port matches) rule:
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 10.1.1.50
However, why would you want to do so? It would hide the real source
address from the SSH server on machine 2. Doesn't machine 2 use machine
1's private address as default gateway?
Maybe it's time to start your favourite packet sniffer on every interface.
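The complete ruleset the thread is circling around, as an added example that is not code from either poster: the DNAT rule, the FORWARD rules that must accept the packet after its destination has been rewritten, the optional SNAT Pascal describes (with its cost), and the per-interface sniffer commands for the "start your packet sniffer" step. Interface names and addresses are taken from the original post; the assumption that machine 2 routes its replies back through 10.1.1.50 is mine. The functions print the commands rather than running them, so the output can be reviewed first and applied as root with `--apply`.

```shell
#!/bin/sh
# Added example, not code from the thread: the minimal ruleset machine 1
# needs to forward public port 2222 to machine 2's port 22, written as
# functions that print the commands so they can be reviewed before being
# run as root. Assumptions (from the post, not verified here): eth0 carries
# the public address 120.1.1.10, eth1 the private 10.1.1.50, machine 2 is
# 10.1.1.133 and its default route points back at 10.1.1.50.

PUB_IF=eth0
PUB_IP=120.1.1.10
PRIV_IF=eth1
PRIV_IP=10.1.1.50
TARGET=10.1.1.133
PUB_PORT=2222
TARGET_PORT=22

# Core forwarding. Routing must be enabled, the destination is rewritten in
# nat/PREROUTING, and the FORWARD chain then sees the *rewritten* packet
# (destination 10.1.1.133:22, not 120.1.1.10:2222), so the NEW-state accept
# matches on the private target, not on the public address/port. Return
# traffic rides on RELATED,ESTABLISHED. The FORWARD policy is set to DROP so
# the ACCEPT rules actually decide something (with policy ACCEPT they are
# dead weight, as noted above).
dnat_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $PUB_IF -d $PUB_IP -p tcp --dport $PUB_PORT -j DNAT --to-destination $TARGET:$TARGET_PORT
iptables -A FORWARD -i $PUB_IF -o $PRIV_IF -d $TARGET -p tcp --dport $TARGET_PORT -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P FORWARD DROP
EOF
}

# Optional source rewrite on the private side. Only needed when machine 2
# would otherwise send its replies via some other router, so the SYN-ACK
# never passes back through machine 1's conntrack entry. Cost: sshd on
# machine 2 sees every forwarded connection as coming from 10.1.1.50, so its
# logs (and anything like fail2ban that reads them) lose the real client.
snat_rule() {
    echo "iptables -t nat -A POSTROUTING -o $PRIV_IF -d $TARGET -p tcp --dport $TARGET_PORT -j SNAT --to-source $PRIV_IP"
}

# Where to look when it still fails: one sniffer per interface shows whether
# the SYN reaches eth0 at all, leaves eth1 with the rewritten destination,
# and whether machine 2's SYN-ACK comes back in on eth1. The conntrack line
# shows whether the kernel created a NAT mapping for the flow.
diag_commands() {
    cat <<EOF
tcpdump -ni $PUB_IF tcp port $PUB_PORT
tcpdump -ni $PRIV_IF tcp port $TARGET_PORT and host $TARGET
conntrack -L -p tcp --dport $TARGET_PORT
EOF
}

case "${1:-}" in
    --apply) dnat_rules | sh -e ;;
    --snat)  snat_rule ;;
    --diag)  diag_commands ;;
    *)       dnat_rules ;;
esac
```

The script appends with `-A`, so running `--apply` twice duplicates the rules; for repeatable loads, feed the printed rules into a file for `iptables-restore` instead. Run `--diag` on machine 1 and keep the two tcpdump sessions open while connecting from outside: a SYN seen on eth0 but never on eth1 points at the nat or FORWARD rules, a SYN seen on eth1 with no SYN-ACK coming back points at machine 2 or its return route.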
Thread overview:
2008-05-30 13:24 IPTABLES port forwarding woes Erich Weiler
2008-05-30 13:53 ` Pascal Hambourg [this message]
2008-05-30 14:02 Erich Weiler
2008-05-30 14:42 ` Pascal Hambourg
2008-05-30 15:17 ` Erich Weiler
2008-05-30 19:11 ` Pascal Hambourg
2008-05-30 21:06 ` Erich Weiler
2008-05-30 13:15 Erich Weiler