[ale] port forwarding help

Joe jknapka at earthlink.net
Sat Apr 5 05:45:21 EST 2003


"Michael D. Hirsch" <mhirsch at nubridges.com> writes:

> On Friday 04 April 2003 08:44 am, David Hamm wrote:
> > When you port forward your port forwarding host has to be the gateway
> > between your external client and internal client.  I'm not real clear on
> > this but here's how I think it works.  Maybe one of the hard core TCP/IP
> > folks can correct me on this.
> >
> > packet from ExternalHost looks like this
> > src=ExternalHost_IP dst=Gateway_IP
> >
> > packet reaches the gateway and is changed to look like this and
> > forwarded src=ExternalHost_IP dst=InternalHost_IP
> >
> > the internal host gets the packet and responds through the gateway.  The
> > gateway then modifies the response packet to look like this.
> > src=Gateway_IP dst=ExternalHost_IP
> >
> > So if you are port forwarding on a single subnet the InternalHost
> > doesn't have to go through the gateway to talk to the ExternalHost.  The
> > External host then receives an ACK packet from a host it hasn't sent a
> > SYN packet to. So it just ignores the returning data and your telnet
> > session seems hung.
> 
> This makes sense.  So if I want to do this without being the gateway, I'll 
> have to do NAT as well as port forward.  That way the packet is changed by 
> the forwarder to look like (replacing gateway with forwarder in your 
> notation):
> forwarded src=Forwarder_IP dst=InternalHost_IP
>
> This way the responder would reply to the forwarder, who would pass it on 
> to the originator.  Hmm, that might work, even with 1 NIC.

Your problem appears to be that you're trying to do this on a single
IP subnet. It doesn't matter in the least how many NICs you have; the
critical thing is that *there has to be a logical need to forward
packets*, which means you have to have multiple (logical) IP subnets
(even if you've only got one physical network segment).

The way one would typically set this up is as follows, on a single
physical segment:

Subnet A: 191.168.8.0/24
Subnet B: 191.168.9.0/24

So you have, say, three machines in the .8 subnet and three others
in the .9 subnet. Your gateway then has its NIC set up to have
one address in the .8 subnet (say 192.168.8.1), and a virtual interface
(eth0:1, for example) with an address in the .9 subnet (say 192.168.9.1).

You tell all the .8 machines that:

route add -net 191.168.9.0 gw 192.168.8.1 metric 1

and you tell all the .9 machines:

route add -net 191.168.8.0 gw 192.168.9.1 metric 1

The .8 machines and the .9 machines will then act as if they are on
entirely separate network segments, and will use the gateway as their
router. This works because as far as the network stack knows, separate
IP subnets *implies* separate physical segments (and that's a valid
implication in the absence of virtual interfaces). The network stack
knows that when you're on the same physical segment with the machine
you're talking to, you can just ARP it and send packets directly, so
it won't ever try to contact a router in that case; but if you're on
different segments, by definition you have to go through a router.

Cheers,

-- Joe Knapka (not that other Joe :-)

> Thanks,
> 
> Michael
> >
> >
> >
> >
> > -----Original Message-----
> > From: Michael D. Hirsch [mailto:mhirsch at nubridges.com]
> > Sent: Thursday, April 03, 2003 3:21 PM
> > To: ale at ale.org
> > Subject: [ale] port forwarding help
> >
> >
> > This seems simple, but I've been thumping my head against it for a while
> > now.  All I want to do is forward anything to port xx to machine
> > y.y.y.y.
> >
> > From reading docs it looks like all I need is this:
> >
> > iptables -t nat -A PREROUTING -p tcp --dport xx -j DNAT --to y.y.y.y:xx
> >
> > I have made sure that port forwarding is turned on.
> >
> > I test by telnetting to port xx on the forwarding box, but never get a
> > connection.
> >
> > One other possible complication, do I need to worry that I have only 1
> > nic card?  So on my test box all the traffic is really on one network. 
> > In production, of course, I will use multiple network cards.
> >
> > Thanks,
> >
> > Michael
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://www.ale.org/mailman/listinfo/ale
> 
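As an added illustration that is not part of the thread (and not real iptables code), here is a small Python model of the packet flow discussed above. The addresses and port are constructed; the forwarder does PREROUTING DNAT and optionally POSTROUTING SNAT, and a flag stands in for whether the internal host's route back to the client goes through the forwarder (i.e. the forwarder is its gateway, as in Joe's two-logical-subnet setup).

```python
from dataclasses import dataclass

# Constructed toy topology, all three hosts on one subnet (not from the thread).
EXTERNAL, FORWARDER, INTERNAL = "192.0.2.5", "192.0.2.1", "192.0.2.20"
PORT = 2222  # stands in for "port xx" in the original question


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Forwarder:
    """Toy NAT box: DNAT to INTERNAL on the way in, optional SNAT as well."""

    def __init__(self, snat: bool):
        self.snat = snat
        self.conntrack = {}  # expected reply tuple -> original client packet

    def inbound(self, p: Packet) -> Packet:
        # DNAT rewrites dst; SNAT (if enabled) rewrites src to the forwarder.
        out = Packet(FORWARDER if self.snat else p.src, p.sport, INTERNAL, p.dport)
        self.conntrack[(out.dst, out.dport, out.src, out.sport)] = p
        return out

    def reply(self, r: Packet) -> Packet:
        # Reverse both translations so the client sees src=Forwarder:PORT.
        orig = self.conntrack[(r.src, r.sport, r.dst, r.dport)]
        return Packet(orig.dst, orig.dport, orig.src, orig.sport)


def internal_host_reply(p: Packet) -> Packet:
    return Packet(p.dst, p.dport, p.src, p.sport)


def client_accepts(sent: Packet, got: Packet) -> bool:
    # A reply only matches the client's socket if the whole 4-tuple mirrors the SYN.
    return (got.src, got.sport, got.dst, got.dport) == (sent.dst, sent.dport, sent.src, sent.sport)


def connection_works(snat: bool, internal_routes_via_forwarder: bool) -> bool:
    fw = Forwarder(snat)
    syn = Packet(EXTERNAL, 40000, FORWARDER, PORT)
    r = internal_host_reply(fw.inbound(syn))
    # The reply passes the forwarder only if addressed to it (SNAT) or if the
    # internal host routes to the client through it (forwarder is the gateway).
    if r.dst == FORWARDER or internal_routes_via_forwarder:
        r = fw.reply(r)
    return client_accepts(syn, r)
```

With DNAT only and no routing reason to go through the forwarder, the reply reaches the client straight from the internal host with the wrong source and is dropped, which is the "hung telnet" symptom described in the thread.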