LeRoy Cressy on 8 Apr 2004 14:27:02 -0000



[PLUG] Iptables Nat Port Forwarding


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Last night there was a question about how to get port 22 automatically forwarded to a machine with a private address inside the firewall.

DMZ="eth2"                      ## DMZ Ethernet Connection
EXT="eth0"                      ## Internet Ethernet Connection
## RealIP is used below but was not set in the original post: it is the
## public address on $EXT. The value here is an RFC 5737 example address,
## not the real one; replace it with yours.
RealIP="203.0.113.1"

# Create a block chain in the filter table
iptables -N block

# Log new SSH connection attempts arriving from the Internet, at most one
# log entry per hour so the log cannot be flooded:
iptables -A block -m state --state NEW -p tcp -i $EXT --dport 22 \
    -m limit --limit 1/hour  -j LOG --log-level info             \
    --log-prefix "SSH login Request "
# ... and accept them. Anything the block chain does not ACCEPT returns to
# the calling chain (INPUT or FORWARD) and is decided by that chain's policy.
iptables -A block -m state --state NEW -p tcp -i $EXT --dport 22 \
    -j ACCEPT

# Set up the ip forwarding for the local network to get to the outside:
# (rewrite the private source address to the public one on the way out)

iptables -t nat -A POSTROUTING -o $EXT -p tcp -s 192.168.1.0/24 \
    --dport 22   -j SNAT --to $RealIP

# This is important for ssh
iptables -t nat -A POSTROUTING -o $EXT -p tcp -s 192.168.1.0/24 \
    --dport 1024 -j SNAT --to $RealIP

# Allow these ports from the outside to be forwarded to the appropriate
# machine: the destination address is rewritten before the packet is routed,
# so the filter FORWARD chain sees it addressed to 192.168.10.1.

iptables -t nat -A PREROUTING  -i $EXT -p tcp --dport 22   \
    -j DNAT --to 192.168.10.1

# Link together the filter INPUT and FORWARD chains to your block
# chain
iptables -A INPUT -j block

iptables -A FORWARD -j block

I realize that these few rules are not very clear, but they work. Here is a little explanation:

1. When you are doing NAT along with port forwarding, a packet entering the firewall first encounters the nat PREROUTING chain, which assigns it the destination address (DNAT).

2. Then the packet encounters the filter FORWARD chain, which either allows it to pass (ACCEPT) or drops it (DROP).

3. For the response, the nat POSTROUTING chain needs to have the source address (SNAT) set for the packets coming from the private network. For ssh, sometime long ago I read that port 1024 is involved.

Hope that this helps

LeRoy :-)



- -- Rev. LeRoy D. Cressy mailto:leroy@lrcressy.com /\_/\
http://lrcressy.com ( o.o )
Phone: 215-535-4037 > ^ <
FAX: 215-535-4285


gpg fingerprint:  62DE 6CAB CEE1 B1B3 359A  81D8 3FEF E6DA 8501 AFEA

For info on enigmail:    http://lrcressy.com/linux/mozilla.pdf
For info on gpg:         http://www.gnupg.org/

Jesus saith unto him, I am the way, the truth, and the life:
no man cometh unto the Father, but by me. (John 14:6)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Debian - http://enigmail.mozdev.org

iD8DBQFAdWCvP+/m2oUBr+oRAvHnAJ492df2g+YaUVy3OjcNawriqjYGAQCfU3xK
LowawnO5lrzH3dYA5g4INik=
=zfxr
-----END PGP SIGNATURE-----

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
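The three-step packet path LeRoy describes (nat PREROUTING DNAT, filter FORWARD, nat POSTROUTING SNAT), written out as a complete script. This is an added example and not code from the post; it adds the pieces the post leaves implicit (enabling IP forwarding, a DROP policy on FORWARD, and an ESTABLISHED,RELATED accept so replies get back out, since conntrack reverses the DNAT on the reply packets by itself). The public address 203.0.113.10 is an assumed value from the RFC 5737 documentation range; 192.168.10.1 and 192.168.1.0/24 are the addresses from the post. The script is a dry run by default (every command is prefixed with echo) so the ruleset can be reviewed without root; set RUN to the empty string to apply it.

```shell
#!/bin/sh
# Added example, not from the original post: a complete iptables SSH
# port-forward.  Assumed value: EXT_IP 203.0.113.10 (RFC 5737 range) as the
# firewall's public address.  Dry-run by default; apply with:  RUN= sh portfwd.sh
set -eu

EXT="${EXT-eth0}"                     # Internet-facing interface
EXT_IP="${EXT_IP-203.0.113.10}"       # public address on $EXT (assumed value)
LAN="${LAN-192.168.1.0/24}"           # private LAN that needs SNAT to get out
SSH_HOST="${SSH_HOST-192.168.10.1}"   # internal host receiving forwarded port 22
RUN="${RUN-echo}"                     # "echo" = print the commands, empty = execute

# Packet path for an inbound SSH connection from the Internet:
#   nat PREROUTING (DNAT -> $SSH_HOST) -> filter FORWARD -> nat POSTROUTING
# conntrack undoes the DNAT on the replies, so the return direction needs no
# NAT rule of its own; it only has to be allowed through FORWARD.
port_forward_rules() {
    # 0. Without forwarding enabled, routed packets never reach FORWARD.
    $RUN sysctl -w net.ipv4.ip_forward=1

    # 1. Deny by default; everything below is an explicit allow.
    $RUN iptables -P FORWARD DROP

    # 2. Replies and related traffic of already-accepted connections
    #    (-m conntrack --ctstate is the current spelling of -m state --state).
    $RUN iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 3. Rewrite the destination of inbound port-22 connections before routing.
    $RUN iptables -t nat -A PREROUTING -i "$EXT" -p tcp --dport 22 \
        -j DNAT --to-destination "$SSH_HOST"

    # 4. FORWARD sees the packet AFTER DNAT, so match the internal address,
    #    not the public one.  Log new attempts (rate-limited), then accept.
    $RUN iptables -A FORWARD -i "$EXT" -d "$SSH_HOST" -p tcp --dport 22 \
        -m conntrack --ctstate NEW -m limit --limit 1/hour \
        -j LOG --log-level info --log-prefix "SSH login Request "
    $RUN iptables -A FORWARD -i "$EXT" -d "$SSH_HOST" -p tcp --dport 22 \
        -m conntrack --ctstate NEW -j ACCEPT

    # 5. Outbound: let the LAN and the SSH host out, and SNAT them to the
    #    public address (all ports, not only 22 and 1024).
    $RUN iptables -A FORWARD -s "$LAN" -o "$EXT" -j ACCEPT
    $RUN iptables -A FORWARD -s "$SSH_HOST" -o "$EXT" -j ACCEPT
    $RUN iptables -t nat -A POSTROUTING -o "$EXT" -s "$LAN" \
        -j SNAT --to-source "$EXT_IP"
    $RUN iptables -t nat -A POSTROUTING -o "$EXT" -s "$SSH_HOST" \
        -j SNAT --to-source "$EXT_IP"
}

port_forward_rules
```

Rule order matters: the ESTABLISHED,RELATED accept goes first so it is hit by every reply packet, and the FORWARD accept for the forwarded port must match the post-DNAT destination (-d 192.168.10.1), which is the mistake most often made when the public address is used there instead.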