Re: SSH Port Forwarding with iptables

Okay, I simplified my script, and tried MASQUERADE vs FORWARD, and got
it to work:

iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 2022 -j DNAT \
    --to-destination 172.16.0.101:22
iptables -t nat -A POSTROUTING -j MASQUERADE

Why does this way work?  What are the ramifications of using
masquerading, i.e., any reason I shouldn't adopt this method?
>
> #!/bin/bash
>
> modprobe iptable_nat
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> EXT_IFACE="eth0"
> EXT_IP="172.17.17.165"
> INT_IFACE="eth1"
>
> SSH_IP="172.16.0.101"
> SSH_PORT="2203"
>
> IPT="/sbin/iptables"
> $IPT -F
> $IPT -F -t nat
> $IPT -X
>
> $IPT -A OUTPUT -o $EXT_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPT -A OUTPUT -o $INT_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # wide open, for testing...
> $IPT -t nat -P PREROUTING ACCEPT
> $IPT -t nat -P POSTROUTING ACCEPT
> $IPT -t nat -P OUTPUT ACCEPT
>
> $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPT -A INPUT -i lo -j ACCEPT
>
> $IPT -t nat -A PREROUTING -p tcp -i $EXT_IFACE -d $EXT_IP --dport $SSH_PORT \
>     --sport 1024:65535 -j DNAT --to $SSH_IP:22
> $IPT -A FORWARD -p tcp -i $EXT_IFACE -o $INT_IFACE -d $SSH_IP \
>     --dport $SSH_PORT --sport 1024:65535 -m state --state NEW -j ACCEPT
>
> $IPT -A FORWARD -j LOG --log-prefix "meh "
>
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
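The message above asks why the MASQUERADE variant works and what it costs. The following toy model is an added illustration, not code from the thread or from the netfilter project. It walks one TCP SYN/SYN-ACK round trip through the gateway's nat/PREROUTING, filter/FORWARD and nat/POSTROUTING hooks and through the inner host's routing decision, and makes two points visible: the FORWARD chain evaluates the packet after DNAT (so its destination port is already 22, not the public port), and MASQUERADE makes the forward work no matter where the inner host routes its replies, at the price of sshd seeing the gateway's address instead of the client's. The addresses 172.17.17.165, 172.16.0.101 and port 2022 are from the thread; the gateway's eth1 address 172.16.0.1, the client address 198.51.100.7, the 172.16.0.0/24 subnet, the inner host's default route and a FORWARD policy of DROP are constructed assumptions.

```python
"""Toy model of a DNAT port-forward's packet path (added illustration, not thread code).

Constructed assumptions: gateway eth1 = 172.16.0.1, client = 198.51.100.7,
internal subnet 172.16.0.0/24, FORWARD policy DROP with one ACCEPT rule.
"""
from dataclasses import dataclass, replace
import ipaddress

GW_EXT_IP = "172.17.17.165"                      # gateway eth0 (from the thread)
GW_INT_IP = "172.16.0.1"                         # gateway eth1 (assumed)
SSH_IP = "172.16.0.101"                          # internal ssh host (from the thread)
FWD_PORT = 2022                                  # public port DNAT'ed to SSH_IP:22 (from the thread)
INT_NET = ipaddress.ip_network("172.16.0.0/24")  # internal subnet (assumed)
CLIENT_IP = "198.51.100.7"                       # constructed external client


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Gateway:
    """The iptables box: nat/PREROUTING -> filter/FORWARD -> nat/POSTROUTING."""

    def __init__(self, masquerade: bool, forward_accept_dport: int = 22):
        self.masquerade = masquerade
        self.forward_accept_dport = forward_accept_dport  # --dport of the FORWARD ACCEPT rule
        self.conntrack = {}  # reply tuple -> original packet, so replies can be un-NAT'ed

    def outbound(self, pkt: Packet):
        """Client -> server. Returns the packet as the server sees it, or None if dropped."""
        orig = pkt
        # nat/PREROUTING: DNAT rewrites the destination before routing and before FORWARD.
        if pkt.dst == GW_EXT_IP and pkt.dport == FWD_PORT:
            pkt = replace(pkt, dst=SSH_IP, dport=22)
        else:
            return None  # not the port-forward; out of scope for this toy
        # filter/FORWARD (assumed policy DROP): it matches the post-DNAT tuple, so a rule
        # written with '--dport 2022' never matches here; the rule must say '--dport 22'.
        if pkt.dport != self.forward_accept_dport:
            return None
        # nat/POSTROUTING: MASQUERADE replaces the source with the outgoing interface's address.
        if self.masquerade:
            pkt = replace(pkt, src=GW_INT_IP)
        self.conntrack[(pkt.dst, pkt.dport, pkt.src, pkt.sport)] = orig
        return pkt

    def inbound(self, reply: Packet):
        """Server -> client: reverse both translations from the conntrack entry."""
        orig = self.conntrack.get((reply.src, reply.sport, reply.dst, reply.dport))
        if orig is None:
            return None
        return Packet(src=orig.dst, sport=orig.dport, dst=orig.src, dport=orig.sport)


class Server:
    """The inner ssh host; only its routing decision matters for this model."""

    def __init__(self, default_gw: str):
        self.default_gw = default_gw

    def reply(self, pkt: Packet):
        """Return (SYN-ACK, next hop, client address as sshd would log it)."""
        resp = Packet(src=pkt.dst, sport=pkt.dport, dst=pkt.src, dport=pkt.sport)
        on_link = ipaddress.ip_address(resp.dst) in INT_NET
        next_hop = resp.dst if on_link else self.default_gw
        return resp, next_hop, pkt.src


def simulate(masquerade: bool, server_default_gw: str = GW_INT_IP, forward_accept_dport: int = 22):
    """One SYN/SYN-ACK round trip; reports whether the client gets a consistent reply."""
    gw = Gateway(masquerade, forward_accept_dport)
    server = Server(server_default_gw)
    syn = Packet(CLIENT_IP, 40000, GW_EXT_IP, FWD_PORT)
    at_server = gw.outbound(syn)
    if at_server is None:
        return {"works": False, "reason": "dropped in FORWARD", "server_sees": None}
    synack, next_hop, seen = server.reply(at_server)
    if next_hop != GW_INT_IP:
        # The reply bypasses the NAT box and is never un-DNAT'ed: the client receives a
        # SYN-ACK from 172.16.0.101:22 that matches no connection it opened.
        return {"works": False, "reason": "asymmetric return path", "server_sees": seen}
    back = gw.inbound(synack)
    works = back == Packet(GW_EXT_IP, FWD_PORT, CLIENT_IP, 40000)
    return {"works": works, "reason": "ok" if works else "conntrack miss", "server_sees": seen}


if __name__ == "__main__":
    print("DNAT only, server routes via gateway:   ", simulate(False))
    print("DNAT only, server routes elsewhere:     ", simulate(False, "172.16.0.254"))
    print("DNAT + MASQUERADE, server routes elsewhere:", simulate(True, "172.16.0.254"))
    print("FORWARD rule matching public port:      ", simulate(True, forward_accept_dport=2022))
```

In this model the DNAT-only setup works only when the inner host's reply comes back through the gateway, which is the usual reason a bare DNAT "does not work" until MASQUERADE is added. The cost of masquerading shows up in `server_sees`: sshd on 172.16.0.101 logs every forwarded login as coming from 172.16.0.1, so per-client rate limiting, `from=` restrictions in `authorized_keys`, and incident forensics on that host lose the real source address. The preferable fix is to give the inner host a return route through the gateway (or restrict MASQUERADE with `-o` to the interface that actually needs it) and keep the FORWARD rule matching the post-DNAT port 22 so the filter chain is not left wide open.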
