Re: [PLUG] Iptables Nat Port Forwarding

Dan Widyono on 9 Apr 2004 13:56:02 -0000

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Iptables Nat Port Forwarding

From: Dan Widyono <dan@widyono.net>

To: plug@lists.phillylinux.org

Subject: Re: [PLUG] Iptables Nat Port Forwarding

Date: Fri, 9 Apr 2004 09:55:45 -0400

Reply-to: plug@lists.phillylinux.org

Sender: plug-admin@lists.phillylinux.org

User-agent: Mutt/1.4.1i

I was the one raising the question. I use gShield which sets up iptables for you. The script it uses is as follows (which doesn't work; incoming SYN packet gets seen by server, but ACK packet never makes it back to client on outside). $IPTABLES -A INPUT -p tcp -d $SSHD_HOST --dport 22 -j ACCEPT $IPTABLES -A INPUT -p udp -d $SSHD_HOST --dport 22 -j ACCEPT $IPTABLES -A FORWARD -p tcp -d $SSHD_HOST --dport 22 -j ACCEPT $IPTABLES -A FORWARD -p udp -d $SSHD_HOST --dport 22 -j ACCEPT $IPTABLES -t nat -A PREROUTING -p tcp -d $EXTERNALIP --dport 22 -j DNAT --to $SSHD_HOST:22 $IPTABLES -t nat -A PREROUTING -p udp -d $EXTERNALIP --dport 22 -j DNAT --to $SSHD_HOST:22 This is from gShield v2 (above is from services.rules, and I updated that to the latest version available). When I have time I'll do full debugging, but it seems like the basic stuff is in place for it to be able to work, according to all the responses I got. That's really the answer I needed: people expect it to work. I'm not sure if the SNAT stuff is horking the DNAT stuff... but it shouldn't be. Thanks, Dan W. On Fri, Apr 09, 2004 at 12:20:05AM -0400, Michael C. Toren wrote: > On Thu, Apr 08, 2004 at 10:24:39AM -0400, LeRoy Cressy wrote: > > Last night there was a question about how to get port 22 to > > automatically be forwarded to a machine inside a firewall to a private > > address. > > [..] > > That's a good deal of boilerplate, but the only iptables rule you should > need is something along the lines of: > > iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 22 \ > -j DNAT --to 192.168.42.11:22 > > (Assuming eth0 is the external interface.) > > -mct > ___________________________________________________________________________ > Philadelphia Linux Users Group -- http://www.phillylinux.org > Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce > General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug -- -- Daniel Widyono -- -- www.widyono.net -- -- www.cis.upenn.edu/~widyono -- -- ___________________________________________________________________________ Philadelphia Linux Users Group -- http://www.phillylinux.org Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug

References:

[PLUG] Iptables Nat Port Forwarding
From: LeRoy Cressy <ldc@lrcressy.com>

Re: [PLUG] Iptables Nat Port Forwarding
From: "Michael C. Toren" <mct@toren.net>

Prev by Date: Re: [PLUG] wireless networks, web browsing, and forced pages

Next by Date: Re: [PLUG] story of the 419 scammer/spammer being caught

Previous by thread: Re: [PLUG] Iptables Nat Port Forwarding

Next by thread: [PLUG] non-free books [Ad for AW/PH]

Index(es):

Date

Thread