problems with iptables redirect of ssh

Ruben Laban r.laban at ism.nl
Tue Jan 29 07:18:47 UTC 2008


On Monday 28 January 2008, Luca Ferrari wrote:
> On Monday 28 January 2008 Ruben Laban's cat, walking on the keyboard, wrote:
> > It most likely works, just not to/from localhost. The PREROUTING chain is
> > *not* used for such local traffic. If you'd test from another box in your
> > lan, it will most likely show you the desired results.
>
> Yeah, thanks, you were right! It does not work for localhost. Now, more
> difficult: if I'd like to forward ssh to another host, the following line
> should work
>
> $IPTABLES -t nat -I PREROUTING -p tcp --dport 2222 -j DNAT --to 192.168.1.4:22
>
> but when I try to connect from another host to the port 2222 I get blocked
> (i.e., the connection waits) and nothing happens... Any suggestion?

Are you testing from inside your LAN now by any chance? Since that wouldn't 
work either in this scenario (the DNAT actually becomes an icmp redirect and 
most machines ignore those). If you'd check from outside your LAN, you'll 
see that it most likely will work. If you'd check with wireshark/tcpdump on 
the machines involved, you'll probably see that it's the reply traffic that 
isn't working properly.

Regards,
-- 
Ruben
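The three cases raised in this thread (the PREROUTING rule not seeing localhost traffic, the DNAT working from outside the LAN, and the reply traffic breaking when the client is inside the LAN) all come down to which netfilter hook the packet actually passes through. The script below is an added example, not code from either poster; it prints, and optionally applies, a rule set that handles each case. The target 192.168.1.4:22 and port 2222 are from the thread; the interface names (eth0/eth1), the LAN subnet and the router's LAN address are assumptions and can be overridden from the environment.

```sh
#!/bin/sh
# Added example: iptables rules for forwarding port 2222 to 192.168.1.4:22
# that work from the three vantage points discussed in the thread.
# Interface names, LAN subnet and the router's LAN address are assumptions;
# override them in the environment. Nothing is applied unless the script
# is run as root with the argument "apply".
IPTABLES=${IPTABLES:-iptables}
WAN_IF=${WAN_IF:-eth0}                      # assumption: Internet-facing interface
LAN_IF=${LAN_IF:-eth1}                      # assumption: LAN-facing interface
LAN_NET=${LAN_NET:-192.168.1.0/24}          # assumption
ROUTER_LAN_IP=${ROUTER_LAN_IP:-192.168.1.1} # assumption
TARGET=${TARGET:-192.168.1.4}               # from the thread
EXT_PORT=${EXT_PORT:-2222}                  # from the thread
INT_PORT=${INT_PORT:-22}

# Case 1: client outside the LAN. PREROUTING rewrites the destination, the
# FORWARD chain must then accept the rewritten packet, and conntrack passes
# the reply (which the kernel un-DNATs automatically) back out.
external_rules() {
  printf '%s\n' \
    "$IPTABLES -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $EXT_PORT -j DNAT --to-destination $TARGET:$INT_PORT" \
    "$IPTABLES -A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $TARGET --dport $INT_PORT -m conntrack --ctstate NEW -j ACCEPT" \
    "$IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Case 2: client inside the LAN connecting to the router's LAN address.
# With DNAT alone the target answers the client directly (the router only
# emits an ICMP redirect), so the client sees a SYN/ACK from 192.168.1.4
# instead of from the router and the handshake never completes. MASQUERADE
# in POSTROUTING forces the reply back through the router ("hairpin NAT").
lan_rules() {
  printf '%s\n' \
    "$IPTABLES -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -d $ROUTER_LAN_IP -p tcp --dport $EXT_PORT -j DNAT --to-destination $TARGET:$INT_PORT" \
    "$IPTABLES -t nat -A POSTROUTING -o $LAN_IF -s $LAN_NET -d $TARGET -p tcp --dport $INT_PORT -j MASQUERADE" \
    "$IPTABLES -A FORWARD -i $LAN_IF -o $LAN_IF -p tcp -d $TARGET --dport $INT_PORT -m conntrack --ctstate NEW -j ACCEPT"
}

# Case 3: connecting from the router itself. Locally generated packets never
# traverse PREROUTING; the nat OUTPUT chain is the hook that sees them.
router_local_rules() {
  printf '%s\n' \
    "$IPTABLES -t nat -A OUTPUT -o lo -p tcp --dport $EXT_PORT -j REDIRECT --to-ports $INT_PORT"
}

# Forwarding between interfaces also needs the kernel switch turned on.
all_rules() {
  echo "sysctl -w net.ipv4.ip_forward=1"
  external_rules
  lan_rules
  router_local_rules
}

# Run each generated line as a command (root required).
apply_rules() {
  all_rules | while IFS= read -r cmd; do
    echo "+ $cmd"
    sh -c "$cmd"
  done
}

case "${1:-}" in
  apply) apply_rules ;;
  *)     all_rules ;;
esac
```

Run it without arguments to review the generated rules first; the diagnostic Ruben suggests still applies: if a LAN client hangs, a tcpdump on 192.168.1.4 will show the SYN arriving with the client's own source address and the SYN/ACK leaving directly toward the client, which is exactly what the POSTROUTING MASQUERADE rule prevents.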




More information about the ubuntu-users mailing list