[Firewall] redirecting a port from INET to a different port on router
Philip A. Prindeville
philipp_subx at redfish-solutions.com
Fri Jan 2 00:39:52 CET 2009
Arno van Amersfoort wrote:
> AFAIK you don't need NAT enabled for the device to make this work. I
> once changed this to allow people to still forward ports even when
> NAT/masquerade was disabled. Only thing you need to make sure in this
> case is that your routing is set up properly.
> Darrick Hartman wrote:
>> Roman Mamedov wrote:
>>> On Tue, 30 Dec 2008 12:32:28 +0100
>>> Arno van Amersfoort <arnova at rocky.eld.leidenuniv.nl> wrote:
>>>> I think you could simply abuse the NAT_FORWARD_xxx variables for
>>>> this. Something like
>>> In fact, wouldn't 127.0.0.1 work here too?
>>> That way the redirect rule would not depend on host's INET (external)
>>> IP to stay permanent.
>> Interesting. I tried to use:
>> NAT_FORWARD_TCP="10101>192.168.1.1:101" (where 192.168.1.1 is the
>> internal IP address of the device that Arno's IPtable firewall is
>> running on) but I don't think we're really NAT'ing for the device
>> we're running on so it did not work. I'll have to try with
>> 127.0.0.1, but I don't think it's going to work.
I just tried it and it times out:

Jan 1 16:49:17 pbx user.info kernel: Connection attempt (PRIV): IN=br0 OUT= PHYSIN=eth0 MAC=00:00:24:c9:28:a4:00:01:64:d8:4c:1c:08:00 SRC=X.X.X.X DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=64209 DF PROTO=TCP SPT=43072 DPT=22 WINDOW=5840 RES=0x00 SYN

Tried it also for 127.0.0.1 (both were with 1.8.8o, but this hasn't changed significantly) and I get:

Jan 1 16:52:09 pbx user.warn kernel: martian destination 127.0.0.1 from Y.Y.Y.Y, dev br0

I think we need to have special handling for these packets... maybe using marking, for instance.
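A REDIRECT-based way to send an external port to a different port on the router itself, added here as an example that is not from this thread or from the arno-iptables-firewall project; it assumes eth0 as the WAN interface and a redirect of public port 10101 to local port 22, and it only echoes the rules unless run as root.

```shell
#!/bin/sh
# Added example, not code from the thread or from arno-iptables-firewall.
# Redirect a public TCP port to a different port on the router itself.
# REDIRECT rewrites the destination to the primary address of the interface the
# packet arrived on, so the kernel delivers it locally. The thread's first log
# line shows a packet already rewritten to DST=192.168.1.1 DPT=22 being caught
# by the logging rule on the way in: the DNAT itself worked, the filter side
# then dropped it. A DNAT to 127.0.0.1 is refused as a "martian destination"
# on a non-loopback interface unless the (much newer) route_localnet sysctl is
# enabled for that interface.
WAN_IF="${WAN_IF:-eth0}"   # assumed WAN interface

# Emit the iptables commands for one redirect instead of executing them, so the
# result can be reviewed (or tested) before it touches a live router.
redirect_rules() {
    pub_port="$1"; local_port="$2"; wan_if="${3:-$WAN_IF}"
    echo "iptables -t nat -A PREROUTING -i $wan_if -p tcp --dport $pub_port -j REDIRECT --to-ports $local_port"
    # INPUT sees the packet after NAT, so the accept must name the local port and
    # is limited to the WAN interface; the LAN side keeps its own policy.
    echo "iptables -A INPUT -i $wan_if -p tcp --dport $local_port -m conntrack --ctstate NEW -j ACCEPT"
}

# Reject anything that is not a sane port pair: both numeric, in range, and
# different (a redirect onto the same port is a no-op and usually a typo).
validate_redirect() {
    [ -n "$1" ] && [ -n "$2" ] || return 1
    case "$1$2" in *[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ] || return 1
    [ "$2" -ge 1 ] && [ "$2" -le 65535 ] || return 1
    [ "$1" -ne "$2" ]
}

# Dry run unless root; as root, execute the generated rules in order.
apply_redirect() {
    validate_redirect "$1" "$2" || { echo "bad port pair: $1 -> $2" >&2; return 1; }
    if [ "$(id -u)" -ne 0 ]; then
        echo "# not root, dry run; would execute:"
        redirect_rules "$1" "$2"
        return 0
    fi
    redirect_rules "$1" "$2" | sh -e
}
```

Source the file and call `apply_redirect 10101 22`; as a non-root user it prints the two rules instead of installing them.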