> > I'd like to know whether it is possible to do this kind of thing with
> > iptables. I'd like to configure my firewall/router so that all the packets
> > to the port 80 from the Internet (from specific addresses) are forwarded
> > automatically to the ssh-port on another host on the Internet (not on my
> > home lan).
>
> No, not that easily. NAT cannot solve this problem; you'll need a proxy
> of some sort. The reason is that the return packets from the actual
> destination host would never be un-NAT-ed; you'd get something like
> this:
>
> B  => SYN     => A
> A* => SYN     => C      * A forwards the packet with the source address as B
> C  => SYN/ACK => B
> B  => RST     => C
>
> Where A is your firewall, C is the destination (the one running sshd)
> and B is the source. When C tries to reply to B, B ignores it and
> continues to wait for replies from A, which never come. The way it
> works when using DNAT to a host on your LAN (not elsewhere on the
> internet) is that C's return packet (the SYN/ACK above) passes back
> through A, who rewrites the source address to A, and C happily thinks
> it's communicating with A directly, with no knowledge that A is actually
> just forwarding and rewriting packets.
I have not tried it yet, but I think it should be possible with iptables and
NAT. DNAT just as described above works well inside your LAN (with private
IPs) because then you have a MASQUERADING/SNATing router. If you want it to
work on the outside too, you'll have to apply some SNAT rules to these
packets too. What happens is:

  B opens a connection to A    (connID1, B(highport) -> A(80))
  A itself opens a connection to C    (connID2, A(highport) -> C(destport))

All packets on connID1 get forwarded to connID2 and vice versa. This
results in B and C communicating with A, but answers and requests just get
forwarded.

Problem: You get lots of traffic on B.

Try it out and tell me if it worked.

Michael.
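The two packet flows argued over above, as an added example that is not part of the original thread: a small model of a NAT router with a conntrack-style table, run once with DNAT only (the first reply's scenario, where B receives the SYN/ACK straight from C and answers with a RST) and once with DNAT plus SNAT on the same packets (Michael's suggestion, where both directions transit A and the reply is un-NATed). The addresses, port numbers and host behaviour are constructed placeholders, not taken from the posts.

```python
"""Simulate DNAT-only versus DNAT+SNAT forwarding of port 80 on a firewall A
to sshd on C, for a client B elsewhere on the Internet.

Added example, not code from the original thread. A, B, C, the client port
and the SNAT port range are constructed placeholders."""

from dataclasses import dataclass, replace

A = "203.0.113.1"    # firewall/router doing the NAT (constructed)
B = "198.51.100.7"   # client somewhere on the Internet (constructed)
C = "192.0.2.22"     # host running sshd, also on the Internet (constructed)
SSH = 22


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str

    def __str__(self):
        return f"{self.src}:{self.sport} -> {self.dst}:{self.dport} [{self.flags}]"


class NatRouter:
    """Minimal model of iptables DNAT (PREROUTING) plus optional SNAT
    (POSTROUTING) with a conntrack table that un-NATs replies A actually sees."""

    def __init__(self, ip, dnat_to, snat=False):
        self.ip = ip
        self.dnat_to = dnat_to      # (ip, port) that port-80 traffic is sent to
        self.snat = snat            # also rewrite the source to A's own address?
        self.next_port = 40000      # first source port used for SNATed flows
        self.conntrack = {}         # expected reply tuple -> rewritten reply tuple

    def handle(self, pkt):
        """Return the packet A emits for an incoming packet, or None if dropped."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conntrack:
            # reply to a known flow: undo the DNAT (and SNAT) before forwarding
            src, sport, dst, dport = self.conntrack[key]
            return replace(pkt, src=src, sport=sport, dst=dst, dport=dport)
        if pkt.dst == self.ip and pkt.dport == 80 and pkt.flags == "SYN":
            out = replace(pkt, dst=self.dnat_to[0], dport=self.dnat_to[1])
            if self.snat:
                out = replace(out, src=self.ip, sport=self.next_port)
                self.next_port += 1
            # whatever answers `out` must be rewritten back to A:80 -> B:sport
            self.conntrack[(out.dst, out.dport, out.src, out.sport)] = (
                self.ip, 80, pkt.src, pkt.sport)
            return out
        return None


def simulate(snat):
    """Send B's SYN through A towards C; return (trace, how the handshake ends)."""
    router = NatRouter(A, (C, SSH), snat=snat)
    client_port = 50001
    trace = []
    queue = [Packet(B, client_port, A, 80, "SYN")]
    while queue:
        pkt = queue.pop(0)
        trace.append(str(pkt))
        if pkt.dst == A:                  # only traffic addressed to A transits A
            out = router.handle(pkt)
            if out is not None:
                queue.append(out)
        elif pkt.dst == C:                # sshd answers whoever the SYN came from
            if pkt.flags == "SYN":
                queue.append(Packet(C, SSH, pkt.src, pkt.sport, "SYN/ACK"))
        elif pkt.dst == B:
            # B is waiting for a SYN/ACK from A:80 to the port it used
            if (pkt.src, pkt.sport, pkt.dport) == (A, 80, client_port):
                trace.append("B: SYN/ACK from A:80 matches my SYN, established")
                return trace, "ESTABLISHED"
            trace.append(f"B: no connection to {pkt.src}:{pkt.sport}, sending RST")
            trace.append(str(Packet(B, pkt.dport, pkt.src, pkt.sport, "RST")))
            return trace, "RST"
    return trace, "TIMEOUT"


if __name__ == "__main__":
    for snat in (False, True):
        trace, result = simulate(snat)
        print(f"--- SNAT {'on' if snat else 'off'}: {result}")
        for line in trace:
            print("  " + line)
```

On a real firewall the second run corresponds to pairing the DNAT with an SNAT on the forwarded packets, for example `iptables -t nat -A PREROUTING -p tcp -s <allowed-source> --dport 80 -j DNAT --to-destination C:22` followed by `iptables -t nat -A POSTROUTING -p tcp -d C --dport 22 -j SNAT --to-source A` (with `net.ipv4.ip_forward=1` and a matching FORWARD rule); the addresses are placeholders. Two consequences worth keeping in mind: every byte in both directions now crosses A's uplink twice, and sshd on C only ever sees A's address, so any `from=` restriction, host-based access control or audit log on C records A rather than the real client.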

