[Firewall] Help: setting up port-forwarding

Philip Prindeville philipp_subx at redfish-solutions.com
Mon Nov 5 16:03:43 MST 2007


Sorry, typo in the script:

2201>191.168.1.1:22

but this still doesn't work unless I have:

OPEN_TCP="22"

without it, I get a timeout on 2201...  but with it, I can still connect 
to $EXT_IF:22 .... which defeats the purpose of wanting to "relocate" 
the port to somewhere that port-scanners aren't going to look for it.

So just having NAT_TCP_FORWARD forward to a local port doesn't expose 
that port as well...

Perhaps writing:

2201>:22

could have that implied significance (i.e. this particular special case)?

-Philip




Philip Prindeville wrote:
> If I just use:
>
> NAT_TCP_FORWARD=<<__EOF__
> ...
> :2201>192.168.1.1:22
> __EOF__
>
> (where 192.168.1.1 is the interior address of my Firewall box) then I 
> get "connection refused" when I try to putty in...
>
> But I don't see anything in the logs...  Hmmm...  should I try:
>
> :2201>:22
>
> instead?
>
> -Philip
>
>
> Arno van Amersfoort wrote:
>
>> You never need to specify an additional OPEN_xxx for a port forward, as the 
>> forwarding is performed in the prerouting chain. So in this 
>> case OPEN_TCP="22" is useless....
>>
>> a.
>>
>> Niklas wrote:
>>
>>> On Sat, 3 Nov 2007 21:47:11 +0100, Neptunek wrote:
>>>
>>>> 2007/11/2, Philip Prindeville <philipp_subx at redfish-solutions.com>:
>>>>
>>>>> Ok, well, since there's no Howto or FAQ available, I'll just put
>>>>> the question out there about what I want to do.
>>>>>
>>>> FAQ: (http://rocky.eld.leidenuniv.nl/page/iptables/qafaq.htm) Q: I
>>>> want to forward (DNAT) from port 81 on the firewall machine to
>>>> port 80 on a local host (192.168.0.3). How can I do this? A: You
>>>> can do this in almost the same way as a normal forward; the only thing
>>>> you need to add is :81 to the localhost in the TCP_FORWARD /
>>>> UDP_FORWARD variables. In this case it would become
>>>> "81>192.168.0.3:80"
>>>>
>>>>> Here's where things get a little more complicated.  I want to
>>>>> relocate Ssh as:
>>>>>
>>>>> 2201>192.168.1.1:22
>>>>> 2202>192.168.1.2:22
>>>>> 2203>192.168.1.3:22
>>>>>
>>>> So this is correct and NAT_TCP_FORWARD = 2201>192.168.1.1:22 must
>>>> work well, but I didn't check it :)
>>>>
>>> It does work if you open port 22 in the OPEN_TCP line as well, otherwise it will be blocked by the firewall. So I can't give you any help... Maybe do a port forward of 22 to something that is not in use...
>>>
>>> /niklas
>>>
>>> _______________________________________________
>>> Firewall mailing list
>>> Firewall at lists.btito.net
>>> http://lists.btito.net/mailman/listinfo/firewall_lists.btito.net
>>> Arno's (Linux IPTABLES Firewall) Homepage:
>>> http://rocky.eld.leidenuniv.nl
>>>
>>>
>>
>

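As an added example (not Arno's script, which generates its own rules), here are the raw iptables rules behind a relocated entry such as 2201>192.168.1.1:22: when the target is the firewall's own interior address, the DNATed packet is filtered in INPUT with destination port 22, which is why a blanket OPEN_TCP="22" also exposes EXT_IF:22, whereas matching on conntrack state DNAT accepts only the translated connections. The interface name eth0 and the firewall address 192.168.1.1 are assumptions taken from the thread, and the rules are printed, not loaded.

```shell
#!/bin/sh
# Print (do not load) the iptables rules behind one "EXTPORT>HOST:PORT" entry.
# Added example; Arno's firewall builds its own rules, this only shows the
# netfilter mechanics discussed in the thread.
#   $1  spec such as "2201>192.168.1.1:22"
#   $2  the firewall's own interior address (assumed here: 192.168.1.1)
#   $3  external interface (assumed here: eth0)
forward_rules() {
    spec=$1 fw_addr=$2 ext_if=$3
    case $spec in
        *'>'*:*) ;;
        *) echo "bad spec: $spec (want EXTPORT>HOST:PORT)" >&2; return 1 ;;
    esac
    ext_port=${spec%%>*}      # 2201
    target=${spec#*>}         # 192.168.1.1:22
    host=${target%%:*}        # 192.168.1.1
    port=${target#*:}         # 22

    # nat/PREROUTING runs before the routing decision: dport 2201 arriving on
    # the external interface is rewritten to host:22.
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$ext_if" "$ext_port" "$host" "$port"

    if [ "$host" = "$fw_addr" ]; then
        # The rewritten destination is local, so the packet goes to filter/INPUT
        # carrying dport 22, not to FORWARD. A plain "accept dport 22" there
        # (OPEN_TCP="22") also admits direct connections to EXT_IF:22; the
        # conntrack DNAT state is set only on translated connections, so this
        # rule leaves a direct probe of port 22 to the chain's default policy.
        printf 'iptables -A INPUT -i %s -p tcp --dport %s -m conntrack --ctstate DNAT -j ACCEPT\n' \
            "$ext_if" "$port"
    else
        # Target is another interior host: the translated packet is routed and
        # filtered in FORWARD; no OPEN_TCP entry is involved.
        printf 'iptables -A FORWARD -i %s -p tcp -d %s --dport %s -m conntrack --ctstate DNAT -j ACCEPT\n' \
            "$ext_if" "$host" "$port"
    fi
}

# Sample run with the three entries from the thread.
for entry in '2201>192.168.1.1:22' '2202>192.168.1.2:22' '2203>192.168.1.3:22'; do
    forward_rules "$entry" 192.168.1.1 eth0
done
```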


