[Firewall] Help: setting up port-forwarding

Arno van Amersfoort arnova at rocky.eld.leidenuniv.nl
Wed Nov 7 00:32:42 MST 2007


Setting NAT_TCP_FORWARD="2201>192.168.1.1:22" and leaving port 22 out of 
OPEN_TCP, *should* work. As I already said, you never need to open 
additional ports for port forwards, as these packets are processed in 
the PREROUTING chain. I'm currently having vacation but as soon as I get 
back at the university (next Monday) I will try your configuration. 
Maybe, just maybe, a bug is creeping around somewhere....

You don't see any (strange) packet drop or other messages in your 
firewall/kernel log?

a.

Philip Prindeville wrote:
> Well, I'm still not getting it.  If I have:
> 
> NAT_TCP_FORWARD="2201>192.168.1.1:22"
> 
> and 192.168.1.1 is my local (internal) address, then how do I accept 
> connections on my public side on 2201, but not on my public side on 22?  
> (And of course, accept connections on my private side on 22...)
> 
> Or isn't that something I can do?
> 
> Do I need to run two instances of "sshd" instead, and have each one 
> specifically bind to an interface and port?
> 
> I was hoping to avoid that.
> 
> -Philip
> 
> 
> Arno van Amersfoort wrote:
>> You never need to specify an additional OPEN_xxx for a port forward, as 
>> the forwarding is performed in the prerouting chain. So in this 
>> case OPEN_TCP="22" is useless....
>>
>> a.
>>   
> 
> 
> _______________________________________________
> Firewall mailing list
> Firewall at lists.btito.net
> http://lists.btito.net/mailman/listinfo/firewall_lists.btito.net
> Arno's (Linux IPTABLES Firewall) Homepage:
> http://rocky.eld.leidenuniv.nl
> 

-- 
Arno van Amersfoort
E-mail    : arnova at rocky.eld.leidenuniv.nl
Donations are welcome through Paypal!
---------------------------------------------------------------------------
Arno's (Linux IPTABLES Firewall) Homepage:
http://rocky.eld.leidenuniv.nl
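The PREROUTING point Arno makes above, as an added example that is not part of this thread or of Arno's firewall script: a POSIX shell function that turns one NAT_TCP_FORWARD entry of the form "<ext_port>><int_ip>:<int_port>" into the two iptables rules it implies, a DNAT in nat/PREROUTING and an ACCEPT in filter/FORWARD. The external interface name EXT_IF, the conntrack match and the exact rule shape are assumptions; the script prints the commands instead of applying them, so it can be read and checked without root.

```shell
#!/bin/sh
# Added example, not code from Arno's firewall script: render the iptables
# commands that one NAT_TCP_FORWARD entry ("<ext_port>><int_ip>:<int_port>")
# implies. EXT_IF, the conntrack match and the exact rule shape are assumptions.

EXT_IF="${EXT_IF:-eth0}"   # public (external) interface name; assumed

# forward_rules "2201>192.168.1.1:22" -> prints two iptables commands on stdout,
# returns 1 for a malformed entry.
forward_rules() {
    spec="$1"
    case "$spec" in
        *">"*:*) ;;   # must contain a '>' and a ':' after it
        *) echo "bad NAT_TCP_FORWARD entry: $spec" >&2; return 1 ;;
    esac
    ext_port="${spec%%">"*}"        # text before the '>'
    target="${spec#*">"}"           # text after the '>'
    int_ip="${target%%:*}"
    int_port="${target#*:}"
    for p in "$ext_port" "$int_port"; do
        case "$p" in
            ''|*[!0-9]*) echo "bad port in entry: $spec" >&2; return 1 ;;
        esac
    done
    # 1. nat/PREROUTING: the destination is rewritten before the routing decision,
    #    so the packet is routed to the internal host and never reaches INPUT.
    echo "iptables -t nat -A PREROUTING -i $EXT_IF -p tcp --dport $ext_port -j DNAT --to-destination $int_ip:$int_port"
    # 2. filter/FORWARD: let the rewritten flow through. No INPUT (OPEN_TCP) rule
    #    for $ext_port or $int_port is needed on the firewall host itself.
    echo "iptables -A FORWARD -i $EXT_IF -p tcp -d $int_ip --dport $int_port -m conntrack --ctstate NEW -j ACCEPT"
}

# render_forwards "2201>192.168.1.1:22 8080>192.168.1.2:80" -> rules for every
# space-separated entry; stops at the first malformed one.
render_forwards() {
    for entry in $1; do
        forward_rules "$entry" || return 1
    done
}

# Dry run when executed directly with --show: print the rules, never apply them.
if [ "${1:-}" = "--show" ]; then
    render_forwards "${NAT_TCP_FORWARD:-2201>192.168.1.1:22}"
fi
```

Run it as `NAT_TCP_FORWARD="2201>192.168.1.1:22" sh forward.sh --show` to see the two rules. Nothing in the output touches the INPUT chain, which is the reason an OPEN_TCP entry for 22 adds nothing to the forward: traffic arriving on the public side at 2201 is rewritten and routed onward, while a public connection to 22 is still subject to whatever the INPUT policy does with unopened ports. Accepting ssh from the LAN side is a separate INPUT decision for the internal interface, not something the forward rules provide.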