- 11-18-2010 #1 Just Joined!
- Join Date
- Nov 2010
- Posts
- 1
Port forwarding
Hello,
I need to connect to a server from my home (using DameWare remote control software). You have to have a static IP to connect to that server, because the firewall is opened only for specific IPs. I don't have a static IP in my home, but I have a Debian server which has one.
I tried to test port forwarding (to forward myserver:1234 to google.com:80), but it does not work. I did the following setup:
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 1234 -j DNAT --to 209.85.135.103:80
iptables -A FORWARD -p tcp -m state --state NEW --dport 1234 -i eth0 -j ACCEPT
Can I/how can I connect to the server via my Debian server?
Am I missing some fundamental information about port forwarding?
Thank you for any help
Kari Surakka
- 11-19-2010 #2 Just Joined!
- Join Date
- Feb 2009
- Posts
- 22
Can you describe your setup? With this information, it doesn't look like you are attempting a valid thing. I assume you are trying to connect to an external server (not present in your local setup, like google.com etc., and hence an outgoing connection) and you are thinking of a port-forwarding rule, which generally is applied to accept incoming connections and redirect them to some predefined destination, generally in the local setup/zone. Also, you say that the firewall will accept some specific IPs and you are not one among them. Since the firewall will filter out on the basis of source IP, DNAT won't help here. Nor will SNAT, as the spoofed packets (containing one of the acceptable IP addresses as source) will pass through the firewall but will be replied to that spoofed source and not your IP, and this is not what you want.
- 11-19-2010 #3
You shouldn't need the FORWARD chain. You need to set ip_forwarding in /etc/sysctl.conf on your server.
Code:
net.ipv4.ip_forward=1
I think you also have to do something similar like the following:
Code:
-A POSTROUTING -d <remote_ip> -o eth0 -m comment --comment "Route traffic from my home to DameWare" -j MASQUERADE
but I cannot check this. Should give you enough input to Google around a little more.
Use the comment option in your iptables lines. Trust me, you'll forget the use of the line before you know it.
- 11-20-2010 #4 Just Joined!
- Join Date
- Nov 2010
- Posts
- 1
thank you very much!
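The relay discussed in this thread, written out as an added example that is not code from any of the posters: a destination rewrite on the way in, a source rewrite on the way out, and FORWARD rules that match the post-DNAT address. The function names, the target address 192.0.2.10 and the target port 6129 are assumptions made for illustration; port 1234 and eth0 come from the first post.

```shell
#!/bin/sh
# Added example: print an iptables-restore fragment that relays one TCP port
# through a host with a static IP. Addresses and ports are constructed samples.

valid_port() {   # integer in 1..65535
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] 2>/dev/null && [ "$1" -le 65535 ] 2>/dev/null
}

valid_ipv4() {   # four dot-separated octets, each 0..255
    case "$1" in ''|*[!0-9.]*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] 2>/dev/null || return 1
    done
}

# relay_rules LISTEN_PORT TARGET_IP TARGET_PORT IFACE  (hypothetical helper)
relay_rules() {
    valid_port "$1" && valid_ipv4 "$2" && valid_port "$3" || {
        echo "relay_rules: bad port or address" >&2; return 1; }
    case "$4" in ''|*[!A-Za-z0-9._-]*) echo "relay_rules: bad interface" >&2; return 1 ;; esac
    cat <<EOF
*nat
# Rewrite the destination of connections arriving on the relay port.
-A PREROUTING -i $4 -p tcp --dport $1 -m comment --comment "relay in" -j DNAT --to-destination $2:$3
# Rewrite the source too, so the target firewall sees the relay's static IP and
# replies come back through the relay. DNAT alone keeps the home source IP.
-A POSTROUTING -o $4 -d $2 -p tcp --dport $3 -m comment --comment "relay out" -j MASQUERADE
COMMIT
*filter
# FORWARD is evaluated after DNAT, so it must match the target address and
# port, not the relay port the client dialled.
-A FORWARD -d $2 -p tcp --dport $3 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s $2 -p tcp --sport $3 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Constructed sample: relay port 1234 on eth0 to 192.0.2.10:6129.
# Every client that can reach the relay port is forwarded with the relay's address.
relay_rules 1234 192.0.2.10 6129 eth0
```

Pipe the output into `iptables-restore --noflush` so existing rules are kept, and enable `net.ipv4.ip_forward=1` as post #3 describes.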



