[ale] Port forwarding

JK jknapka at kneuro.net
Fri Oct 30 02:10:43 EDT 2009


JK wrote:
> Atlanta Geek wrote:
>> Machine A is a client
>> Machine B is a router
>> Machine C is a server/host
>>
>> If we forward port 23 (for example) on a router to A server (C) for
>> example. Does the router need to be the server's gateway?
>> On server C does it look like traffic is coming from the router (B) or
>> the original client machine(A).
>>
> 
> 
> Depends on how you do it.
> 
> 1) Use iptables rules (untested, but something really similar to this will work):
> 
>    iptables -t nat -I PREROUTING -s Machine_A -d Machine_B -p tcp --dport 23 -j DNAT --to-destination Machine_C
>    iptables -t nat -I POSTROUTING -s Machine_A -d Machine_C -p tcp --dport 23 -j SNAT --to-source Machine_B
> 
> Here the SNAT rule ensures that forwarded traffic appears to come from Machine B. (You should use IP 
> addrs in place of the machine names.)


Forgot to mention here: if Machine C had a route to Machine A via Machine B, then there would be no 
need for the SNAT rule -- the DNAT one by itself would do the job.  (Without this proviso, my 
comment that it "Depends on how you do it" makes no sense.)

Also, I should mention that those rules are overly-restrictive if you want to do general 
port-forwarding - they'll only forward traffic from Machine A. You'd probably rather use an ingress 
interface match (-i ethx) instead of a source match (-s Machine_A) to rewrite the traffic of interest.

-- JK
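The two points made above (DNAT alone suffices when the server routes back through the router, otherwise add SNAT; and match on the ingress interface rather than one client address) as a complete shell script. This is an added example, not code from the original post; the interface name eth0 and the addresses 203.0.113.1 (router) and 192.168.1.10 (server) are placeholders, and the DRY_RUN switch is a convenience for printing the rules without root:

```shell
#!/bin/sh
# Added example, not from the original post: forward a TCP port that arrives
# on the router's WAN interface to an inside server, and optionally SNAT it
# so the server sees the router (Machine B) rather than the real client.
# Interface names and addresses used here are hypothetical.

# Run iptables, or just print the rule when DRY_RUN=1 (no root needed).
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# forward_port WAN_IF ROUTER_IP SERVER_IP PORT SNAT
#   SNAT=yes -> server sees the router's address; needed when the server's
#               route back to the client does NOT pass through this router.
#   SNAT=no  -> server sees the real client address; the router must be on
#               the server's return path (e.g. it is the server's gateway).
forward_port() {
    wan_if=$1; router_ip=$2; server_ip=$3; port=$4; snat=$5

    # Forwarding is off by default on most distributions.
    [ "${DRY_RUN:-0}" = 1 ] || sysctl -w net.ipv4.ip_forward=1 >/dev/null

    # Match on the ingress interface rather than one client address, so the
    # forward works for any client, not just Machine A.
    ipt -t nat -A PREROUTING -i "$wan_if" -p tcp -d "$router_ip" --dport "$port" \
        -j DNAT --to-destination "$server_ip"

    # DNATed packets still traverse FORWARD; admit only that port inbound,
    # plus replies of already-tracked connections, so a default-DROP
    # FORWARD policy keeps protecting everything else.
    ipt -A FORWARD -i "$wan_if" -p tcp -d "$server_ip" --dport "$port" \
        -m conntrack --ctstate NEW -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # SNAT only when replies would otherwise bypass this box. The price is
    # that the server's logs show the router, not the client, as the source.
    if [ "$snat" = yes ]; then
        ipt -t nat -A POSTROUTING -p tcp -d "$server_ip" --dport "$port" \
            -j SNAT --to-source "$router_ip"
    fi
}

# Usage as root:            forward_port eth0 203.0.113.1 192.168.1.10 23 yes
# Print the rules instead:  DRY_RUN=1 forward_port eth0 203.0.113.1 192.168.1.10 23 no
```

With SNAT=no the server's connection logs keep the client's real address, which is what you want for auditing; with SNAT=yes every forwarded connection appears to come from the router, so correlate with the router's conntrack table or logs if you need to attribute activity to a client.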


