[ale] port forwarding help

Michael D. Hirsch mhirsch at nubridges.com
Fri Apr 4 09:26:18 EST 2003


On Friday 04 April 2003 08:44 am, David Hamm wrote:
> When you port forward, your port forwarding host has to be the gateway
> between your external client and internal client.  I'm not really clear on
> this, but here's how I think it works.  Maybe one of the hard-core TCP/IP
> folks can correct me on this.
>
> packet from ExternalHost looks like this
> src=ExternalHost_IP dst=Gateway_IP
>
> packet reaches the gateway and is changed to look like this and
> forwarded src=ExternalHost_IP dst=InternalHost_IP
>
> the internal host gets the packet and responds through the gateway.  The
> gateway then modifies the response packet to look like this.
> src=Gateway_IP dst=ExternalHost_IP
>
> So if you are port forwarding on a single subnet the InternalHost
> doesn't have to go through the gateway to talk to the ExternalHost.  The
> External host then receives an ACK packet from a host it hasn't sent a
> SYN packet to.  So it just ignores the returning data and your telnet
> session seems hung.

This makes sense.  So if I want to do this without being the gateway, I'll 
have to do NAT as well as port forward.  That way the packet is changed by 
the forwarder to look like (replacing gateway with forwarder in your 
notation):
forwarded src=Forwarder_IP dst=InternalHost_IP

This way the responder would reply to the forwarder, who would pass it on 
to the originator.  Hmm, that might work, even with 1 NIC.

Thanks,

Michael
>
> -----Original Message-----
> From: Michael D. Hirsch [mailto:mhirsch at nubridges.com]
> Sent: Thursday, April 03, 2003 3:21 PM
> To: ale at ale.org
> Subject: [ale] port forwarding help
>
>
> This seems simple, but I've been thumping my head against it for a while
> now.  All I want to do is forward anything to port xx to machine
> y.y.y.y.
>
> From reading docs it looks like all I need is this:
>
> iptables -t nat -A PREROUTING -p tcp --dport xx -j DNAT --to y.y.y.y:xx
>
> I have made sure that port forwarding is turned on.
>
> I test by telnetting to port xx on the forwarding box, but never get a
> connection.
>
> One other possible complication: do I need to worry that I have only one
> NIC?  So on my test box all the traffic is really on one network.
> In production, of course, I will use multiple network cards.
>
> Thanks,
>
> Michael
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale

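The rule set the thread arrives at, written out as an added example (this is not code from either poster): the DNAT rule from the original question, plus the SNAT rule Michael concludes is needed when the forwarder is not the gateway, so that the internal host answers through the forwarder instead of straight to the external client. The port and the two addresses are constructed placeholders; `nat_rules` only emits the commands so they can be reviewed before being run as root with `--apply`.

```shell
#!/bin/sh
# Added example: hairpin port forwarding on a single-NIC forwarder.
# Placeholders (constructed, not from the thread):
#   FWD_PORT     the port "xx" being forwarded
#   INTERNAL_IP  the internal host "y.y.y.y"
#   FORWARDER_IP the forwarder's own address on the shared subnet
FWD_PORT="${FWD_PORT:-8080}"
INTERNAL_IP="${INTERNAL_IP:-192.0.2.20}"
FORWARDER_IP="${FORWARDER_IP:-192.0.2.1}"

# Print the commands for one forwarding setup.  Nothing is executed here.
nat_rules() {
    fwd_port="$1"; internal_ip="$2"; forwarder_ip="$3"
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -p tcp --dport ${fwd_port} -j DNAT --to-destination ${internal_ip}:${fwd_port}
iptables -t nat -A POSTROUTING -p tcp -d ${internal_ip} --dport ${fwd_port} -j SNAT --to-source ${forwarder_ip}
iptables -A FORWARD -p tcp -d ${internal_ip} --dport ${fwd_port} -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -s ${internal_ip} --sport ${fwd_port} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}
# Line 1: the forwarder must route, or DNATed packets are never forwarded.
# Line 2: rewrite dst from the forwarder to the internal host (the thread's rule).
# Line 3: rewrite src to the forwarder so the internal host replies via the
#         forwarder even when both sit on one subnet; conntrack then undoes
#         both rewrites on the way back, so the external client sees a reply
#         from the address it sent its SYN to.
# Lines 4-5: let the FORWARD chain carry the flow in both directions; on one
#         NIC the packets enter and leave through the same interface.

# Dry run by default; "--apply" pipes the generated commands into sh.
case "${1:-}" in
    --apply) nat_rules "$FWD_PORT" "$INTERNAL_IP" "$FORWARDER_IP" | sh ;;
    *)       nat_rules "$FWD_PORT" "$INTERNAL_IP" "$FORWARDER_IP" ;;
esac
```

Two things to check before relying on this. The SNAT rule makes every forwarded connection appear to the internal host as coming from the forwarder, so that host's logs lose the real client address; when source addresses matter, the two-NIC gateway arrangement David describes, where the DNAT rule alone suffices, is the better design. And the rules as written accept the forwarded port from any source that can reach the forwarder, so tighten them with `-s` or `-i` to the clients and interface that are actually meant to use it.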