From: Pascal Hambourg
Subject: Re: IPTABLES port forwarding woes
Date: Fri, 30 May 2008 15:53:07 +0200
Message-ID: <484006C3.3010401@plouf.fr.eu.org>
In-Reply-To: <48400009.1070308@soe.ucsc.edu>
To: netfilter@vger.kernel.org

Hello,

Erich Weiler wrote:
>
> I'm having trouble setting up port forwarding on a linux host I have... Basically I have 2 machines. One has a public and a private IP address, the other just has a private address:
>
> Machine 1:
> public IP: 120.1.1.10
> private IP: 10.1.1.50
>
> Machine 2:
> private IP: 10.1.1.133
>
> I want to ssh to port 2222 on machine 1 from the internet, on the public IP, and have it forward to port 22 on machine 2 on the private network. I can't seem to open an SSH socket however when SSHing to port 2222 on machine 1's public IP address... Note that I only want port 2222 routed to machine 2, all other ports should connect to machine 1 as normal.
> This is my current IP tables file on machine 1:
>
> # Generated by iptables-save v1.3.5 on Wed May 28 20:56:31 2008
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [66:7948]
> -A FORWARD -d 10.1.3.133 -i eth0 -o eth1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
> -A FORWARD -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i eth0 -p all -j ACCEPT
> -A INPUT -i eth1 -p all -j ACCEPT
> -A OUTPUT -o eth0 -p all -j ACCEPT
> -A OUTPUT -o eth1 -p all -j ACCEPT
> COMMIT
> # Completed on Wed May 28 20:56:31 2008
> # Generated by iptables-save v1.3.5 on Wed May 28 20:56:31 2008
> *nat
> :PREROUTING ACCEPT [451:32699]
> :POSTROUTING ACCEPT [2:236]
> :OUTPUT ACCEPT [2:236]
> -A PREROUTING -d 120.1.1.10 -i eth0 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 10.1.3.133:22
> -A POSTROUTING -s 10.1.3.133 -o eth0 -j SNAT --to-source 120.1.1.10
> COMMIT
> # Completed on Wed May 28 20:56:31 2008

Note that ACCEPT-only rules are pointless when the default policy is already set to ACCEPT. However, I see nothing that could cause the port forwarding to fail.

> This just doesn't seem to work - can anyone see where I'm going wrong? I guess I want machine 2 to see connections coming from machine 1 to be coming from machine 1's private IP, but I'm not sure the 'source IP' is being re-written when it's being forwarded to machine 2... Not sure...

No, the source address is not rewritten according to the above ruleset. It would require the following (minimal, feel free to add source, destination, protocol and port matches) rule:

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 10.1.1.50

However, why would you want to do so? It would hide the real source address from the SSH server on machine 2. Doesn't machine 2 use machine 1's private address as its default gateway?
Maybe it's time to start your favourite packet sniffer on every interface.
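As an added example (not part of this thread, and not code from either poster): a small Python linter over iptables-save output that mechanically checks the points made in the reply above. It lists the DNAT port forwards in nat/PREROUTING, flags ACCEPT rules that are inert because the chain's policy is ACCEPT and the chain contains no other target, and reports whether a POSTROUTING SNAT/MASQUERADE on the inside interface rewrites the client's source address, which is exactly what would hide the real client from the SSH server on machine 2. The sample input is the ruleset quoted from Erich's post with the wrapped FORWARD line rejoined; the assumptions added here are that eth1 is the inside interface and that the reply's command would be printed by iptables-save as `--to-source 10.1.1.50`.

```python
"""Lint an iptables-save dump for the points raised in the reply:
inert ACCEPT rules under an ACCEPT policy, configured DNAT port forwards,
and whether a POSTROUTING SNAT/MASQUERADE on the inside interface hides the
client's real source address from the forwarded-to host."""
import shlex
from collections import defaultdict

# Ruleset quoted from the original post (wrapped FORWARD line rejoined).
ORIGINAL_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [66:7948]
-A FORWARD -d 10.1.3.133 -i eth0 -o eth1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p all -j ACCEPT
-A INPUT -i eth1 -p all -j ACCEPT
-A OUTPUT -o eth0 -p all -j ACCEPT
-A OUTPUT -o eth1 -p all -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [451:32699]
:POSTROUTING ACCEPT [2:236]
:OUTPUT ACCEPT [2:236]
-A PREROUTING -d 120.1.1.10 -i eth0 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 10.1.3.133:22
-A POSTROUTING -s 10.1.3.133 -o eth0 -j SNAT --to-source 120.1.1.10
COMMIT
"""

# Same ruleset with the reply's rule appended to nat/POSTROUTING (assumed
# iptables-save spelling of "--to 10.1.1.50" is "--to-source 10.1.1.50").
WITH_INSIDE_SNAT = (ORIGINAL_RULESET[:ORIGINAL_RULESET.rindex("COMMIT")]
                    + "-A POSTROUTING -o eth1 -j SNAT --to-source 10.1.1.50\nCOMMIT\n")


def parse_rule(argv):
    """Map each option to the list of values that follow it (-m occurs more
    than once). Negated matches ('! -d x') are not modelled: '!' is skipped."""
    opts, i = defaultdict(list), 0
    while i < len(argv):
        tok = argv[i]
        if not tok.startswith("-"):
            i += 1
            continue
        if i + 1 < len(argv) and not argv[i + 1].startswith("-"):
            opts[tok].append(argv[i + 1])
            i += 2
        else:
            opts[tok].append(True)
            i += 1
    return opts


def parse_iptables_save(text):
    """Return {table: {"policy": {chain: policy}, "rules": [(chain, opts)]}}."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                       # "*filter"
            table = line[1:]
            tables[table] = {"policy": {}, "rules": []}
        elif line.startswith(":"):                     # ":INPUT ACCEPT [0:0]"
            chain, policy = line[1:].split()[:2]
            tables[table]["policy"][chain] = policy
        elif line.startswith("-A "):                   # "-A CHAIN <matches> -j TARGET"
            parts = shlex.split(line)
            tables[table]["rules"].append((parts[1], parse_rule(parts[2:])))
        elif line == "COMMIT":
            table = None
    return tables


def target(opts):
    return opts.get("-j", [None])[0]


def redundant_accepts(tables):
    """Rules that change nothing: chain policy is ACCEPT and every rule in the
    chain jumps to ACCEPT. (If the chain also had DROP/REJECT rules an earlier
    ACCEPT would matter, so such chains are left alone.)"""
    out = []
    for tname, t in tables.items():
        for chain, policy in t["policy"].items():
            rules = [o for c, o in t["rules"] if c == chain]
            if policy == "ACCEPT" and rules and all(target(o) == "ACCEPT" for o in rules):
                out.extend((tname, chain, o) for o in rules)
    return out


def port_forwards(tables):
    """DNAT rules in nat/PREROUTING, i.e. the port forwards actually in place."""
    nat = tables.get("nat", {"rules": []})
    return [{"in": o.get("-i", [None])[0], "proto": o.get("-p", [None])[0],
             "dport": o.get("--dport", [None])[0], "to": o["--to-destination"][0]}
            for chain, o in nat["rules"] if chain == "PREROUTING" and target(o) == "DNAT"]


def source_rewrites_on(tables, out_iface):
    """POSTROUTING SNAT/MASQUERADE rules that can apply to packets leaving
    out_iface (a rule with no -o applies to every interface). Any hit means the
    inside host sees the firewall's address, not the real client's."""
    nat = tables.get("nat", {"rules": []})
    return [o for chain, o in nat["rules"]
            if chain == "POSTROUTING" and target(o) in ("SNAT", "MASQUERADE")
            and o.get("-o", [out_iface])[0] == out_iface]


def lint(text, inside_iface="eth1"):
    """Summarise the three checks; inside_iface is the LAN-facing interface."""
    t = parse_iptables_save(text)
    return {"redundant_accepts": len(redundant_accepts(t)),
            "port_forwards": port_forwards(t),
            "source_rewritten_on_inside": bool(source_rewrites_on(t, inside_iface))}


if __name__ == "__main__":
    for name, text in (("as posted", ORIGINAL_RULESET), ("with inside SNAT", WITH_INSIDE_SNAT)):
        print(name, lint(text))
```

On a live box the same check runs over `iptables-save` output piped into `lint()`. For the posted ruleset it reports all seven filter rules as inert, one forward (eth0 tcp/2222 to 10.1.3.133:22) and no source rewrite towards eth1; with the reply's rule appended the last flag flips to true, which is the trade-off the reply points out: the forward then works the same, but sshd on machine 2 logs every client as 10.1.1.50.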