[Firewall] redirecting a port from INET to a different port on router

Philip A. Prindeville philipp_subx at redfish-solutions.com
Fri Jan 2 00:39:52 CET 2009

Arno van Amersfoort wrote:
> AFAIK you don't need NAT enabled for the device to make this work. I 
> once changed this to allow people to still forward ports even when 
> NAT/masquerade was disabled. Only thing you need to make sure in this 
> case is that your routing is setup properly.
> a.
> Darrick Hartman wrote:
>> Roman Mamedov wrote:
>>> On Tue, 30 Dec 2008 12:32:28 +0100
>>> Arno van Amersfoort <arnova at rocky.eld.leidenuniv.nl> wrote:
>>>> I think you could simply abuse the NAT_FORWARD_xxx variables for
>>>> this. Something like
>>>> NAT_FORWARD_TCP="10101>{HOST_IP}:101"
>>>> a.
>>> In fact, wouldn't work here too?
>>>> NAT_FORWARD_TCP="10101>"
>>> That way the redirect rule would not depend on host's INET (external)
>>> IP to stay permanent.
>> Interesting.   I tried to use: 
>> NAT_FORWARD_TCP="10101>" (where is the 
>> internal IP address of the device that Arno's IPtable firewall is 
>> running on) but I don't think we're really NAT'ing for the device 
>> we're running on so it did not work.  I'll have to try with 
>>, but I don't think it's going to work.

I just tried it and it times out:

Jan  1 16:49:17 pbx user.info kernel: Connection attempt (PRIV): IN=br0 OUT= PHYSIN=eth0 MAC=00:00:24:c9:28:a4:00:01:64:d8:4c:1c:08:00 SRC=X.X.X.X DST= LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=64209 DF PROTO=TCP SPT=43072 DPT=22 WINDOW=5840 RES=0x00 SYN

Tried it also for (both were with 1.8.8o, but this hasn't changed significantly) and I get:

Jan  1 16:52:09 pbx user.warn kernel: martian destination from Y.Y.Y.Y, dev br0

I think we need to have special handling for these packets...  maybe using marking, for instance.

More information about the Firewall mailing list