Re: SSH Port Forwarding with iptables

Hello,

Bill Hendrickson wrote:
> okay, i simplified my script, and tried MASQUERADE vs FORWARD, and got
> it to work:
> 
> iptables -t nat -P PREROUTING ACCEPT
> iptables -t nat -P POSTROUTING ACCEPT
> iptables -t nat -P OUTPUT ACCEPT
> iptables -t nat -A PREROUTING -p tcp -m tcp --dport 2022 -j DNAT
> --to-destination 172.16.0.101:22
> iptables -t nat -A POSTROUTING -j MASQUERADE
> 
> why does this way work?

Because MASQUERADE replaces the original source address (which the SSH
server cannot reach due to a missing default or subnet route) with the
address of the output interface eth1 (which the SSH server can reach).

The server did not reply to the SYN packets because there is no route in
its routing table for the client address.

> what are the ramifications of using
> masquerading, i.e., any reason i shouldn't adopt this method?

You need neither SNAT nor masquerade. It hides the real source address
from the server. You just need to add a proper route on the server so it
knows how to reach the client address via the router.

Besides, the SNAT rule proposed by Gaspar could not help because it
works on the external interface, while the missing route on the server
requires SNAT/MASQUERADE on the internal interface.

>> $IPT -A OUTPUT -o $EXT_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
>> $IPT -A OUTPUT -o $INT_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

You don't need all the ACCEPT rules when the default policies are ACCEPT
and there are no DROP/REJECT rules.

>> $IPT -t nat -A PREROUTING -p tcp -i $EXT_IFACE -d $EXT_IP --dport
>> $SSH_PORT --sport 1024:65535 -j DNAT --to $SSH_HOST:22
>> $IPT -A FORWARD -p tcp -i $EXT_IFACE -o $INT_IFACE -d $SSH_HOST
>> --dport $SSH_PORT --sport 1024:65535 -m state --state NEW -j ACCEPT

In the FORWARD chain the destination port has already been changed by
the DNAT rule just like the destination address, so this rule must match
on destination port 22, not on the original destination port.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
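As an added illustration (not code from the thread), a small Python model of the netfilter traversal discussed above: nat/PREROUTING DNAT, then filter/FORWARD, then nat/POSTROUTING, followed by the server's route lookup for its reply. All addresses are constructed and the router's inside address 172.16.0.1 is an assumption; it shows why a FORWARD rule must match port 22 after DNAT, and how MASQUERADE versus a proper route on the server affects what the server sees.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed addresses: router's public side and forwarded port, the router's
# inside address (assumed, not given in the thread), the SSH server and a client.
EXT_IP, SSH_PORT = "203.0.113.10", 2022
INT_IP, SSH_HOST = "172.16.0.1", "172.16.0.101"
CLIENT = "198.51.100.7"

@dataclass(frozen=True)
class Pkt:
    saddr: str
    daddr: str
    sport: int
    dport: int

def prerouting_dnat(p: Pkt) -> Pkt:
    """nat/PREROUTING: -p tcp --dport 2022 -j DNAT --to-destination 172.16.0.101:22"""
    if p.daddr == EXT_IP and p.dport == SSH_PORT:
        return replace(p, daddr=SSH_HOST, dport=22)
    return p

def forward_accepts(p: Pkt, match_dport: int) -> bool:
    """filter/FORWARD runs after DNAT, so it sees the rewritten address and port."""
    return p.daddr == SSH_HOST and p.dport == match_dport

def postrouting(p: Pkt, masquerade: bool) -> Pkt:
    """nat/POSTROUTING: MASQUERADE rewrites the source to the router's inside address."""
    return replace(p, saddr=INT_IP) if masquerade else p

def server_can_reply(p: Pkt, server_routes) -> bool:
    """The SYN's source is the reply's destination; without a covering route the
    server never answers."""
    return any(ip_address(p.saddr) in ip_network(r) for r in server_routes)

def run(match_dport: int, masquerade: bool, server_routes) -> dict:
    """Push one SSH SYN from CLIENT through the router and report the outcome."""
    p = prerouting_dnat(Pkt(CLIENT, EXT_IP, 40000, SSH_PORT))
    if not forward_accepts(p, match_dport):
        return {"forwarded": False, "reply": False, "server_sees": None}
    p = postrouting(p, masquerade)
    return {"forwarded": True, "reply": server_can_reply(p, server_routes),
            "server_sees": p.saddr}

if __name__ == "__main__":
    lan_only = ["172.16.0.0/24"]
    print(run(SSH_PORT, False, lan_only))           # FORWARD on 2022 never matches
    print(run(22, False, lan_only))                  # forwarded, but no route back
    print(run(22, True, lan_only))                   # MASQUERADE: server sees 172.16.0.1
    print(run(22, False, lan_only + ["0.0.0.0/0"]))  # default route: real source kept
```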
