Firewall Wizards mailing list archives

Re: Port forwarders - which one is best for HTTPS?


From: Ted Behling <ted-lists () monarchis net>
Date: Thu, 08 May 2003 13:09:00 -0400

At 04:47 AM 5/8/2003, Michał Dobaczewski wrote:
In fact we are running Linux, but the forwarding server and the HTTPS server are located in completely different networks. We have made an attempt to use IPTables but we failed. It seemed to us that IPTables is only capable of port forwarding within the local network. If you know how to forward connections to a completely different network then please offer a clue on how to do this or where exactly to look in the documentation, which is pretty large.

In that case, you'd have to translate both the source and destination addresses, which does effectively the same thing as rinetd. When forwarding to an internal machine that uses the port-forwarding gateway as its NAT'ing outbound gateway, you need to do only destination translation. If you do only dest. trans. when forwarding elsewhere on the Internet, packets inbound to the server will reach it, but the server will send response packets back to the original client IP; the client will reject them because they're from the wrong IP. You end up with a three-leg round trip rather than packets coming back through the port forwarder.

I'm pretty sure DNAT does not translate the source address, but I haven't verified this myself. You should run tcpdump at all points in the connection to see what's happening.

I snagged the following commands from http://www.computing.net/linux/wwwboard/forum/18478.html (google "iptables port forwarding") that will do both source and dest NAT:

# ifconfig eth0 a.b.c.d
# inbound: rewrite the destination from the gateway's address to the real server
iptables -t nat -A PREROUTING -p tcp -d a.b.c.d --dport 412 -j DNAT --to-destination 192.168.0.3:412
# outbound: rewrite the server's source address to the gateway's (-s takes an address only; the port goes in --source-port)
iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.3 --source-port 412 -j SNAT --to-source a.b.c.d:412

Frankly, rinetd is much, much simpler, and is an acceptable solution. I'm actually using it permanently for a client with occasional inbound Citrix connections, and it hasn't let me down. I just don't know how well it scales.

Ted Behling, Chief Penguin Surgeon
Monarch Information Systems, Inc.
tbehling () monarchis net
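The DNAT-plus-SNAT approach Ted describes, written out for the HTTPS case in the subject line as an added example (not from the original message or the forum it links). It assumes the gateway's Internet-facing address, the remote HTTPS server's address and the WAN interface name are passed in; the addresses used in the dry run are constructed documentation-range placeholders.

```shell
#!/bin/sh
# Constructed example: forward HTTPS (443) arriving at the gateway's public
# address to an HTTPS server on an unrelated network, translating both ends
# so the server's replies come back through the gateway instead of going
# straight to the original client (the "three-leg" failure of DNAT alone).

# Print the rule set for a given gateway IP, server IP, WAN interface and
# port. Kept as a generator so the rules can be reviewed before being
# applied; pipe the output to sh on the gateway to install them.
nat_forward_rules() {
    gw_ip=$1; srv_ip=$2; wan_if=$3; port=${4:-443}
    cat <<EOF
# The kernel must be allowed to forward packets at all.
sysctl -w net.ipv4.ip_forward=1
# 1) Inbound: rewrite the destination from the gateway to the real server.
iptables -t nat -A PREROUTING -i $wan_if -p tcp -d $gw_ip --dport $port -j DNAT --to-destination $srv_ip:$port
# 2) Outbound: rewrite the source of the forwarded packets to the gateway's
#    own address so the server answers the gateway, not the original client.
#    Match on the destination here: the client's address is not known ahead.
iptables -t nat -A POSTROUTING -o $wan_if -p tcp -d $srv_ip --dport $port -j SNAT --to-source $gw_ip
# 3) Let the translated flow through the filter table; connection tracking
#    reverses both translations on the replies automatically.
iptables -A FORWARD -i $wan_if -o $wan_if -p tcp -d $srv_ip --dport $port -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $wan_if -o $wan_if -p tcp -s $srv_ip --sport $port -m conntrack --ctstate ESTABLISHED -j ACCEPT
EOF
}

# Number of nat-table rules in the set: a DNAT-only configuration (the
# failure mode described in the message) would give 1 here instead of 2.
count_nat_rules() {
    nat_forward_rules "$@" | grep -c -- '-t nat'
}

# Dry run with constructed placeholder addresses; nothing is applied.
nat_forward_rules 198.51.100.10 203.0.113.20 eth0
```

Because both NAT rules sit on the same WAN interface, a tcpdump on that interface shows each forwarded connection twice (client-to-gateway and gateway-to-server), which is the quickest way to confirm the source translation is taking effect.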

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards