[ale] Port forwarding
JK
jknapka at kneuro.net
Fri Oct 30 02:10:43 EDT 2009
JK wrote:
> Atlanta Geek wrote:
>> Machine A is a client
>> Machine B is a router
>> Machine C is a server/host
>>
>> If we forward port 23 (for example) on a router to a server (C), does the
>> router need to be the server's gateway?
>> On server C, does it look like traffic is coming from the router (B) or
>> the original client machine (A)?
>>
>
>
> Depends on how you do it.
>
> 1) Use iptables rules (untested, but something really similar to this will work):
>
> iptables -t nat -I PREROUTING -s Machine_A -d Machine_B -p tcp --dport 23 -j DNAT --to-destination Machine_C
> iptables -t nat -I POSTROUTING -s Machine_A -d Machine_C -p tcp --dport 23 -j SNAT --to-source Machine_B
>
> Here the SNAT rule ensures that forwarded traffic appears to come from Machine B. (You should use IP
> addrs in place of the machine names.)

Forgot to mention here: if Machine C had a route to Machine A via Machine B, then there would be no
need for the SNAT rule -- the DNAT one by itself would do the job. (Without this proviso, my
comment that it "Depends on how you do it" makes no sense.)

Also, I should mention that those rules are overly-restrictive if you want to do general
port-forwarding - they'll only forward traffic from Machine A. You'd probably rather use an ingress
interface match (-i ethx) instead of a source match (-s Machine_A) to rewrite the traffic of interest.

-- JK
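
Added example, not part of JK's message: a shell function that prints the rule set for router B using an ingress-interface match, in both variants discussed above (DNAT only when B is C's gateway, DNAT plus SNAT otherwise). The function name, the interface eth0, and the documentation-range addresses are assumptions made for illustration; the function only prints commands, nothing is applied.

```shell
#!/bin/sh
# forward_rules IN_IF ROUTER_IP SERVER_IP PORT MODE   (hypothetical helper)
#   MODE=gateway : C's route back to clients goes through B, so DNAT alone
#                  is enough and C sees (and logs) the real client address.
#   MODE=snat    : C has no route back via B, so B also rewrites the source
#                  and C sees every connection as coming from B.
forward_rules() {
    in_if=$1; router_ip=$2; server_ip=$3; port=$4; mode=$5
    case $mode in
        gateway|snat) ;;
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    # B must route packets between interfaces at all.
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Rewrite the destination of traffic arriving on the ingress interface.
    echo "iptables -t nat -A PREROUTING -i $in_if -d $router_ip -p tcp --dport $port -j DNAT --to-destination $server_ip"
    # Allow only the forwarded service through the filter table, plus replies.
    echo "iptables -A FORWARD -i $in_if -d $server_ip -p tcp --dport $port -j ACCEPT"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    if [ "$mode" = snat ]; then
        # If B has a different address on C's side, use that one for --to-source.
        echo "iptables -t nat -A POSTROUTING -d $server_ip -p tcp --dport $port -j SNAT --to-source $router_ip"
    fi
}

# Constructed sample values: eth0 faces the clients, 192.0.2.1 is B, 198.51.100.10 is C.
echo "# B is C's gateway (DNAT only):"
forward_rules eth0 192.0.2.1 198.51.100.10 23 gateway
echo "# C has no route back via B (DNAT + SNAT):"
forward_rules eth0 192.0.2.1 198.51.100.10 23 snat
```

In snat mode the server's logs and any address-based access control on C see only B's address, so per-client attribution has to come from B (for example its conntrack table or a LOG rule).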