[Firewall] redirecting a port from INET to a different port on router

Arno van Amersfoort arnova at rocky.eld.leidenuniv.nl
Tue Jan 20 17:00:40 CET 2009

I just tested the NAT forwards here in my test environment without 
NAT/Masquerade enabled with aif 1.9.0, and this works out of the box. No 
additional masq rules are required, as I previously suspected. Apparently the 
connection tracking takes care of this. That leaves the question of why it 
doesn't work in this scenario. I will try to test that too somewhere this week.



Philip A. Prindeville wrote:
> I had a default gateway...
> -Philip
> Arno van Amersfoort wrote:
>> I will try to test this myself ASAP. Note that you do need to have a 
>> default gateway setup to make this work....
>> a.
>> Philip A. Prindeville wrote:
>>> Just did a build... testing now...
>>> Didn't work:
>>> Jan 14 22:54:33 pbx user.info kernel: AIF:PRIV connect attempt: 
>>> IN=ppp0 OUT= MAC= SRC= DST= LEN=60 TOS=0x00 
>>> PREC=0x00 TTL=55 ID=61868 DF PROTO=TCP SPT=48197 DPT=22 WINDOW=5840 
>>> RES=0x00 SYN URGP=0
>>> I tried forwarding it to:
>>> xxx>y.y.y.y~22
>>> where "xxx" is the relocated port, and "y.y.y.y" is my external IP 
>>> address. Didn't work.
>>> Also tried:
>>> xxx>
>>> which is one of my inside addresses, and that didn't work either.
>>> I suspect the connection state might not be set up correctly.
>>> -Philip
>>> Arno van Amersfoort wrote:
>>>> Just added some code that could potentially fix this, please grab 
>>>> the latest nightly/devel script, test and report back.....
>>>> a.
>>>> Arno van Amersfoort wrote:
>>>>> I think the problem is the route back, which is normally handled by 
>>>>> NAT. I'll try to think about a clever solution for this....
>>>>> a.
>>>>> Philip A. Prindeville wrote:
>>>>>> Arno van Amersfoort wrote:
>>>>>>> AFAIK you don't need NAT enabled for the device to make this 
>>>>>>> work. I once changed this to allow people to still forward ports 
>>>>>>> even when NAT/masquerade was disabled. Only thing you need to 
>>>>>>> make sure in this case is that your routing is setup properly.
>>>>>>> a.
>>>>>>> Darrick Hartman wrote:
>>>>>>>> Roman Mamedov wrote:
>>>>>>>>> On Tue, 30 Dec 2008 12:32:28 +0100
>>>>>>>>> Arno van Amersfoort <arnova at rocky.eld.leidenuniv.nl> wrote:
>>>>>>>>>> I think you could simply abuse the NAT_FORWARD_xxx variables for
>>>>>>>>>> this. Something like
>>>>>>>>>> NAT_FORWARD_TCP="10101>{HOST_IP}:101"
>>>>>>>>>> a.
>>>>>>>>> In fact, wouldn't work here too?
>>>>>>>>>> NAT_FORWARD_TCP="10101>"
>>>>>>>>> That way the redirect rule would not depend on host's INET 
>>>>>>>>> (external) IP to stay permanent.
>>>>>>>> Interesting. I tried to use: 
>>>>>>>> NAT_FORWARD_TCP="10101>" (where is 
>>>>>>>> the internal IP address of the device that Arno's IPtable 
>>>>>>>> firewall is running on) but I don't think we're really NAT'ing 
>>>>>>>> for the device we're running on so it did not work. I'll have to 
>>>>>>>> try with, but I don't think it's going to work.
>>>>>> I just tried it and it times out:
>>>>>> Jan 1 16:49:17 pbx user.info kernel: Connection attempt (PRIV): 
>>>>>> IN=br0 OUT= PHYSIN=eth0 
>>>>>> MAC=00:00:24:c9:28:a4:00:01:64:d8:4c:1c:08:00 SRC=X.X.X.X 
>>>>>> DST= LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=64209 DF 
>>>>>> PROTO=TCP SPT=43072 DPT=22 WINDOW=5840 RES=0x00 SYN
>>>>>> Tried it also for (both were with 1.8.8o, but this 
>>>>>> hasn't changed significantly) and I get:
>>>>>> Jan 1 16:52:09 pbx user.warn kernel: martian destination 
>>>>>> from Y.Y.Y.Y, dev br0
>>>>>> I think we need to have special handling for these packets... 
>>>>>> maybe using marking, for instance.
> _______________________________________________
> Firewall mailing list
> Firewall at rocky.eld.leidenuniv.nl
> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
> Arno's (Linux IPTABLES Firewall) Homepage:
> http://rocky.eld.leidenuniv.nl

Arno van Amersfoort
E-mail    : arnova at rocky.eld.leidenuniv.nl
Donations are welcome through Paypal!
Arno's (Linux IPTABLES Firewall) Homepage:
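For the case the thread is about (an INET port relocated to a different port on the router itself), here is an added shell illustration; it is not AIF's own code. It turns a NAT_FORWARD_TCP-style spec (`extport>host~destport`, or `extport>host:destport` as also written above) into the iptables rules for it, using REDIRECT when the target is the firewall's own address so the destination stays local and no route back is needed. `ppp0` and the 192.168.1.x addresses are constructed placeholders.

```shell
#!/bin/sh
# Added illustration, not AIF's own code: turn a NAT_FORWARD_TCP-style spec
# ("extport>host~destport" or "extport>host:destport") into iptables rules.
# Interface and addresses below are constructed placeholders.
EXT_IF=ppp0   # assumption: the external (INET) interface

# parse_forward SPEC -> prints "extport host destport"
parse_forward() {
  spec=$1
  ext_port=${spec%%>*}
  dest=${spec#*>}
  case $dest in
    *~*) host=${dest%%~*}; dest_port=${dest#*~} ;;
    *:*) host=${dest%%:*}; dest_port=${dest#*:} ;;
    *)   host=$dest;       dest_port=$ext_port ;;   # no port given: keep it
  esac
  printf '%s %s %s\n' "$ext_port" "$host" "$dest_port"
}

# forward_rules SPEC ROUTER_ADDR -> prints the iptables commands
# When the target is the router itself, REDIRECT rewrites only the port, so
# the packet keeps a local destination and there is no "route back" to solve.
# A DNAT to another host needs a matching FORWARD rule instead. Either way
# the filter rule matches the REWRITTEN port (nat/PREROUTING runs before the
# filter table, which is also why iptables LOG lines show the post-NAT DPT)
# and only accepts DNAT-ed flows, so the inside port is not opened directly.
forward_rules() {
  set -- $(parse_forward "$1") "$2"
  ext_port=$1 host=$2 dest_port=$3 router=$4
  if [ "$host" = "$router" ]; then
    echo "iptables -t nat -A PREROUTING -i $EXT_IF -p tcp --dport $ext_port -j REDIRECT --to-ports $dest_port"
    echo "iptables -A INPUT -i $EXT_IF -p tcp --dport $dest_port -m conntrack --ctstate DNAT -j ACCEPT"
  else
    echo "iptables -t nat -A PREROUTING -i $EXT_IF -p tcp --dport $ext_port -j DNAT --to-destination $host:$dest_port"
    echo "iptables -A FORWARD -i $EXT_IF -p tcp -d $host --dport $dest_port -m conntrack --ctstate DNAT -j ACCEPT"
  fi
}

# Usage: the two cases from the thread (router's own LAN address vs. a LAN host).
forward_rules '10101>192.168.1.1~22' 192.168.1.1
forward_rules '10101>192.168.1.10~22' 192.168.1.1
```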
