Re: Local to Local via firewall

On Fri, 2009-07-31 at 17:24 +0100, Andrew Clayton wrote:
> On Fri, 31 Jul 2009 18:06:21 +0200, Thomas Jacob wrote:
> 
> > On Fri, 2009-07-31 at 14:42 +0100, Andrew Clayton wrote:
> > [.. accessing outside IPs on a NAT router from
> > the inside network ...]
> > 
> > > I can't help but think I'm missing something simple. Then again does
> > > what I'm trying to do make sense?
> > 
> > Just don't DNAT/SNAT packets from the internal network to
> > your public IPs, there is no need for it anyway.
> > 
> > e.g. do something like this before your other DNATs
> > 
> > $IPTABLES -t nat -A PREROUTING -i eth1 -s 192.168.0.0/16 -p tcp -d \
> >   $HOST_E -j RETURN
> > 
> > Plus, of course, you need to allow access to that IP/port from the
> > internal network in the INPUT chain of the filter table.
> 
> Thanks for the reply. Unfortunately with the above rule, the ssh just
> ends up going to the firewall and not the host. The firewall is
> configured with the IP address of $HOST_E which is where the DNAT comes
> in to change it to its internal IP.

Ah yes, the ssh server is on a DNATed internal machine, sorry about that.

In that case you need to SNAT your request to the local machine as well,
and also keep the original DNAT rule:

So:

# Rewrite internal clients' connections to the public IP so they reach the internal ssh host
$IPTABLES -t nat -A PREROUTING -i eth1 -s 192.168.0.0/16 -p tcp -d \
  $HOST_E --dport 22 -j DNAT --to-destination $HOST_I

+

# Make the ssh host reply via the router (SNAT takes --to-source, not --to-destination)
$IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.0.0/16 -p tcp -d \
  $HOST_I --dport 22 -j SNAT --to-source <Internal-Router-IP>


should get you there.

Just tried that on a similar setup and it worked well for me. I can ssh
to myself via the NAT router by contacting the NAT router's public IP ;)

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
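As an added illustration, not part of this thread or of netfilter itself, here is a small Python model of why the POSTROUTING SNAT rule is needed on top of the DNAT: without it the internal ssh host answers the internal client directly on the LAN, so the reply carries $HOST_I as its source and never passes back through the router's conntrack. All addresses are constructed; ROUTER_I stands in for <Internal-Router-IP>.

```python
from dataclasses import dataclass, replace

# Constructed addresses for the model (not from the thread)
HOST_E = "203.0.113.10"    # $HOST_E: public IP held by the router
HOST_I = "192.168.1.20"    # $HOST_I: internal ssh server
ROUTER_I = "192.168.1.1"   # <Internal-Router-IP>
CLIENT = "192.168.1.50"    # internal client running ssh
INTERNAL = "192.168."      # 192.168.0.0/16


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


def prerouting(p: Pkt) -> Pkt:
    """DNAT rule: internal client -> $HOST_E:22 is rewritten to $HOST_I:22."""
    if p.src.startswith(INTERNAL) and p.dst == HOST_E and p.dport == 22:
        return replace(p, dst=HOST_I)
    return p


def postrouting(p: Pkt, hairpin_snat: bool) -> Pkt:
    """SNAT rule (optional here): source becomes the router's internal IP."""
    if hairpin_snat and p.src.startswith(INTERNAL) and p.dst == HOST_I and p.dport == 22:
        return replace(p, src=ROUTER_I)
    return p


def hairpin_ssh(hairpin_snat: bool):
    """Send one SYN through the router and return (reply seen by client, accepted?)."""
    orig = Pkt(CLIENT, 40000, HOST_E, 22)
    fwd = postrouting(prerouting(orig), hairpin_snat)
    # conntrack remembers the original tuple so the reply can be un-NATed
    conntrack = {(fwd.dst, fwd.dport, fwd.src, fwd.sport): orig}
    reply = Pkt(fwd.dst, fwd.dport, fwd.src, fwd.sport)  # server swaps src/dst
    # The router only sees the reply if it is addressed to the router; otherwise
    # the server delivers it straight to the client on the LAN, un-translated.
    if reply.dst == ROUTER_I:
        o = conntrack[(reply.src, reply.sport, reply.dst, reply.dport)]
        reply = Pkt(o.dst, o.dport, o.src, o.sport)
    # The client only matches a reply coming from the address:port it connected to.
    accepted = (reply.src, reply.sport, reply.dst, reply.dport) == \
               (orig.dst, orig.dport, orig.src, orig.sport)
    return reply, accepted
```

With only the DNAT, the client receives a SYN-ACK from 192.168.1.20 for a connection it opened to 203.0.113.10 and drops it; with the SNAT the reply is routed back through the router and un-NATed to the expected source.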
