[Firewall] redirecting a port from INET to a different port on router

Philip A. Prindeville philipp_subx at redfish-solutions.com
Thu Jan 15 07:47:22 CET 2009

Just did a build... testing now...

Didn't work:

Jan 14 22:54:33 pbx user.info kernel: AIF:PRIV connect attempt: IN=ppp0 OUT= MAC= SRC= DST= LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=61868 DF PROTO=TCP SPT=48197 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0

I tried forwarding it to:


where "xxx" is the relocated port, and "y.y.y.y" is my external IP address.  Didn't work.

Also tried:


which is one of my inside addresses, and that didn't work either.

I suspect the connection state might not be set up correctly.


Arno van Amersfoort wrote:
> Just added some code that could potentially fix this, please grab the 
> latest nightly/devel script, test and report back.....
> a.
> Arno van Amersfoort wrote:
>> I think the problem is the route back, which is normally handled by 
>> NAT. I'll try to think about a clever solution for this....
>> a.
>> Philip A. Prindeville wrote:
>>> Arno van Amersfoort wrote:
>>>> AFAIK you don't need NAT enabled for the device to make this work. 
>>>> I once changed this to allow people to still forward ports even 
>>>> when NAT/masquerade was disabled. Only thing you need to make sure 
>>>> in this case is that your routing is setup properly.
>>>> a.
>>>> Darrick Hartman wrote:
>>>>> Roman Mamedov wrote:
>>>>>> On Tue, 30 Dec 2008 12:32:28 +0100
>>>>>> Arno van Amersfoort <arnova at rocky.eld.leidenuniv.nl> wrote:
>>>>>>> I think you could simply abuse the NAT_FORWARD_xxx variables for
>>>>>>> this. Something like
>>>>>>> NAT_FORWARD_TCP="10101>{HOST_IP}:101"
>>>>>>> a.
>>>>>> In fact, wouldn't work here too?
>>>>>>> NAT_FORWARD_TCP="10101>"
>>>>>> That way the redirect rule would not depend on host's INET 
>>>>>> (external)
>>>>>> IP to stay permanent.
>>>>> Interesting.   I tried to use: 
>>>>> NAT_FORWARD_TCP="10101>" (where is the 
>>>>> internal IP address of the device that Arno's IPtable firewall is 
>>>>> running on) but I don't think we're really NAT'ing for the device 
>>>>> we're running on so it did not work.  I'll have to try with 
>>>>>, but I don't think it's going to work.
>>> I just tried it and it times out:
>>> Jan  1 16:49:17 pbx user.info kernel: Connection attempt (PRIV): 
>>> IN=br0 OUT= PHYSIN=eth0 
>>> MAC=00:00:24:c9:28:a4:00:01:64:d8:4c:1c:08:00 SRC=X.X.X.X 
>>> DST= LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=64209 DF 
>>> PROTO=TCP SPT=43072 DPT=22 WINDOW=5840 RES=0x00 SYN
>>> Tried it also for (both were with 1.8.8o, but this hasn't 
>>> changed significantly) and I get:
>>> Jan  1 16:52:09 pbx user.warn kernel: martian destination 
>>> from Y.Y.Y.Y, dev br0
>>> I think we need to have special handling for these packets...  maybe 
>>> using marking, for instance.
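The two configurations tried in this thread (forwarding an external port to a host behind the router, and forwarding it to a service on the router itself) correspond to two different iptables NAT targets. The script below is an added example, not Arno's IPTABLES Firewall script and not code posted by anyone on this list: it takes NAT_FORWARD_TCP-style entries and emits the equivalent raw iptables commands. The spec syntax it accepts ("EXTPORT>IP:PORT" or "EXTPORT>PORT"), the interface name ppp0 and the address 192.168.1.10 are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: turn NAT_FORWARD_TCP-style entries into iptables rules.
# Not the Arno's firewall script; the spec format is an assumption modelled
# on the thread ("EXTPORT>IP:PORT" or "EXTPORT>PORT"). Rules are only
# printed; pipe the output through sh as root to apply them.

# Validate that an argument is a TCP port number (1-65535).
is_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# nat_rule EXT_IF SPEC -> prints the nat-table rule for one mapping.
#   "10101>192.168.1.10:101"  DNAT to a host behind the router
#   "10101>22"                REDIRECT to a service on the router itself
# REDIRECT rewrites the destination to the address of the interface the
# packet arrived on, so the rule never hard-codes the external IP.
nat_rule() {
    ext_if=$1
    spec=$2
    case $spec in
        *'>'*) ;;
        *) echo "missing '>' in '$spec'" >&2; return 1 ;;
    esac
    ext_port=${spec%%>*}
    target=${spec#*>}
    is_port "$ext_port" || { echo "bad external port in '$spec'" >&2; return 1; }
    case $target in
        *:*)
            host=${target%%:*}
            port=${target#*:}
            is_port "$port" || { echo "bad target port in '$spec'" >&2; return 1; }
            printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
                "$ext_if" "$ext_port" "$host" "$port"
            ;;
        *)
            # An empty target (the elided form quoted in the thread) is rejected
            # here instead of silently producing a rule with no destination.
            is_port "$target" || { echo "bad target in '$spec'" >&2; return 1; }
            printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j REDIRECT --to-ports %s\n' \
                "$ext_if" "$ext_port" "$target"
            ;;
    esac
}

# filter_rule EXT_IF SPEC -> prints the matching filter-table accept rule.
# DNAT'ed traffic traverses FORWARD; REDIRECT'ed traffic is delivered locally
# and traverses INPUT, matched on the post-NAT port.
filter_rule() {
    ext_if=$1
    spec=$2
    target=${spec#*>}
    case $target in
        *:*)
            printf 'iptables -A FORWARD -i %s -p tcp -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
                "$ext_if" "${target%%:*}" "${target#*:}"
            ;;
        *)
            printf 'iptables -A INPUT -i %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
                "$ext_if" "$target"
            ;;
    esac
}

# Demonstration with constructed values (ppp0 and 192.168.1.10 are assumptions).
for spec in '10101>22' '10101>192.168.1.10:101'; do
    nat_rule ppp0 "$spec"
    filter_rule ppp0 "$spec"
done
```

The REDIRECT form is what a rule "10101>" with no host would need to become to stay independent of the external address, which is the concern raised earlier in the thread about hard-coding the INET IP; the DNAT form is the normal forward to an inside host and relies on that host routing its replies back through the firewall.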
