[ale] Port forwarding

Atlanta Geek atlantageek at gmail.com
Fri Oct 30 11:11:21 EDT 2009


Thanks JK
By dropping the 'Machine_A' this does exactly what I need.
Actually you answered two of my questions for me. I was only doing the
PREROUTING command and I know a previous co-worker had this working
before with only prerouting.  Then I realized he was doing exactly as
you said.  Machine B was Machine C's Gateway.


On Fri, Oct 30, 2009 at 2:10 AM, JK <jknapka at kneuro.net> wrote:
> JK wrote:
>> Atlanta Geek wrote:
>>> Machine A is a client
>>> Machine B is a router
>>> Machine C is a server/host
>>>
>>> If we forward port 23 (for example) on a router to a server (C) for
>>> example, does the router need to be the server's gateway?
>>> On server C does it look like traffic is coming from the router (B) or
>>> the original client machine (A)?
>>>
>>
>>
>> Depends on how you do it.
>>
>> 1) Use iptables rules (untested, but something really similar to this will work):
>>
>>    iptables -t nat -I PREROUTING -s Machine_A -d Machine_B -p tcp --dport 23 -j DNAT --to-destination Machine_C
>>    iptables -t nat -I POSTROUTING -s Machine_A -d Machine_C -p tcp --dport 23 -j SNAT --to-source Machine_B
>>
>> Here the SNAT rule ensures that forwarded traffic appears to come from Machine B. (You should use IP
>> addrs in place of the machine names.)
>
>
> Forgot to mention here: if Machine C had a route to Machine A via Machine B, then there would be no
> need for the SNAT rule -- the DNAT one by itself would do the job.  (Without this proviso, my
> comment that it "Depends on how you do it" makes no sense.)
>
> Also, I should mention that those rules are overly-restrictive if you want to do general
> port-forwarding - they'll only forward traffic from Machine A. You'd probably rather use an ingress
> interface match (-i ethx) instead of a source match (-s Machine_A) to rewrite the traffic of interest.
>
> -- JK



-- 
http://www.atlantageek.com
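
The three cases discussed in this thread (DNAT plus SNAT, DNAT alone with Machine B as Machine C's gateway, and DNAT alone without that route), as an added example that is not part of the original messages. It is a simplified Python model of the address rewriting, not real netfilter code; the addresses, the client port 40000 and all function names are constructed for illustration.

```python
from dataclasses import dataclass, replace

# Constructed documentation addresses standing in for Machine A, B and C.
A, B, C = "198.51.100.10", "192.0.2.1", "192.0.2.23"
PORT = 23

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def answer(self):
        """The packet a host sends back: addresses and ports swapped."""
        return Packet(self.dst, self.dport, self.src, self.sport)

def router_forward(pkt, snat):
    """Machine B, original direction. Returns (rewritten packet, conntrack entry)."""
    out = replace(pkt, dst=C)        # PREROUTING DNAT: B:23 becomes C:23
    if snat:
        out = replace(out, src=B)    # POSTROUTING SNAT: source becomes B
    return out, (pkt, out)

def router_reverse(reply, entry):
    """Machine B, reply direction: undo the translations if the reply matches."""
    original, translated = entry
    if reply != translated.answer():
        return None                  # no tracked connection, nothing to undo
    return original.answer()         # looks like B:23 answering A again

def simulate(snat, c_routes_via_b):
    syn = Packet(A, 40000, B, PORT)              # A connects to B:23
    at_c, entry = router_forward(syn, snat)
    reply = at_c.answer()                        # C answers the source it saw
    # The reply crosses B if it is addressed to B, or if B is C's gateway.
    crosses_b = reply.dst == B or c_routes_via_b
    at_a = router_reverse(reply, entry) if crosses_b else reply
    # A only accepts an answer from the endpoint it connected to.
    works = at_a is not None and (at_a.src, at_a.sport) == (B, PORT)
    return {"c_sees_source": at_c.src,
            "a_sees_reply_from": at_a.src if at_a else None,
            "works": works}

if __name__ == "__main__":
    for snat, via_b in [(True, False), (False, True), (False, False)]:
        print(f"SNAT={snat} C-gateway-is-B={via_b}:", simulate(snat, via_b))
```

With SNAT, Machine C's logs show the router's address for every forwarded connection; with DNAT alone and B as gateway, they show the real client address.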