[Techtalk] iptables NAT forwarding...
Conor Daly
conor.daly at oceanfree.net
Wed Jun 5 19:53:36 EST 2002
On Wed, Jun 05, 2002 at 10:17:39AM -0400 or so it is rumoured hereabouts,
Walt thought:
> caitlynmaire at earthlink.net wrote:
>
> >On Wed, 5 Jun 2002 09:46:38 -0400
> >"Davis, Jennifer" <JDavis at JUSTICE.GC.CA> wrote:
> >
> > > This topic seems very interesting. I never knew we could forward
> > > requests into a computer on the inside of the network. I was
> > > wondering how this would be done on an IPchains setup.
> >
> >Hi, Jennifer, and everyone else,
> >
> >You can't do it with ipchains. That's why iptables was developed, to
> >allow for a true network address translation (NAT) table which wasn't
> >available with the older ipchains package.
>
> ipmasqadm supposedly can do it on older kernels/
> ipchains systems, according to:
>
> http://www.ox.compsoc.net/~steve/portfw-2.2.html
>
> I was unable to use it, so I can't say from experience...
That's what I'm currently using. My earlier post relating to accepting
incoming traffic on the ssh port is the first bit and is followed by a
port forward to the server (since my firewall is on a dedicated box which
does nothing else). The forwarding rule looks like this:
----------------------------------------------------------------------------
# Enable port forwarding.
echo "Enabling IPPORTFW Redirection on the external LAN.."
/usr/sbin/ipmasqadm portfw -f
# This rule redirects traffic on port 22 (SSH) to the main internal server
# Forward incoming SSH port 22 to Server
# --------------------------------
/usr/sbin/ipmasqadm portfw -a -P tcp -L 192.168.1.254 22 -R 192.168.1.1 22
# $IPADDR is the firewall's external address; it is assumed to be set
# earlier in the script (it is not defined in this excerpt).
/usr/sbin/ipmasqadm portfw -a -P tcp -L $IPADDR 22 -R 192.168.1.1 22
# We want to allow connections to a second server also so we redirect port 23
# (telnet) to port 22 (SSH) on the second server
# Forward incoming SSH port 23 to Server2
# --------------------------------
/usr/sbin/ipmasqadm portfw -a -P tcp -L $IPADDR 23 -R 192.168.1.3 22
/usr/sbin/ipmasqadm portfw -a -P tcp -L 192.168.1.254 23 -R 192.168.1.3 22
There is a portfw patch or module required to do this with ipchains. I'll
have a dig and see if I can come up with the method.
That's it!
Conor
--
Conor Daly <conor.daly at oceanfree.net>
Domestic Sysadmin :-)
---------------------
Faenor.cod.ie
7:37pm up 13 days, 4:55, 0 users, load average: 0.08, 0.02, 0.01
Hobbiton.cod.ie
7:40pm up 13 days, 5:01, 2 users, load average: 0.16, 0.08, 0.02
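As an added example (not Conor's script and not from anyone in the thread), here are the same two forwards expressed with the iptables nat table that Caitlyn refers to. It assumes a 2.4 kernel with iptables DNAT and the state match available; EXT_IP is a placeholder for the firewall's external address (the $IPADDR of the script above), and DRY_RUN only prints the rules.

```shell
#!/bin/sh
# Added example: iptables equivalent of the ipmasqadm portfw rules above.
# Not from the original post. DRY_RUN=1 prints the rules instead of
# applying them, so the logic can be checked without touching a firewall.
IPT=${IPT:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-0}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# portfw EXT_IP EXT_PORT INT_IP INT_PORT
# DNAT in PREROUTING rewrites the destination of new connections arriving
# for EXT_IP:EXT_PORT. A matching FORWARD rule is still required: DNAT does
# not bypass the FORWARD chain, which is why "the NAT rule does nothing"
# when the FORWARD policy is DROP.
portfw() {
    ext_ip=$1; ext_port=$2; int_ip=$3; int_port=$4
    case "$ext_port$int_port" in
        *[!0-9]*) echo "portfw: ports must be numeric" >&2; return 1 ;;
    esac
    run "$IPT" -t nat -A PREROUTING -p tcp -d "$ext_ip" --dport "$ext_port" \
        -j DNAT --to-destination "$int_ip:$int_port"
    run "$IPT" -A FORWARD -p tcp -d "$int_ip" --dport "$int_port" \
        -m state --state NEW -j ACCEPT
}

# EXT_IP is a placeholder for the firewall's external address.
EXT_IP=${EXT_IP:-192.0.2.1}

# Same mappings as the ipmasqadm rules: external 22 -> 192.168.1.1:22,
# external 23 -> 192.168.1.3:22 (telnet port carried to the second SSH server).
apply_rules() {
    run "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    portfw "$EXT_IP" 22 192.168.1.1 22
    portfw "$EXT_IP" 23 192.168.1.3 22
}

if [ "${1:-}" = apply ]; then
    apply_rules
fi
```

`DRY_RUN=1 sh portfw.sh apply` prints the rules for review; run it as root without DRY_RUN to install them.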