Ssh – How to forward the HTTP and SSH port to the internal server using iptables

httpiptablesport-forwardingroutingssh

I do not have the router so I made my CentOS 6.4 Linux system into a router, forwarding the public network traffic to my local LAN.
It has two NIC cards, one for the public IP address (eth1) and another for the private IP address (eth2).

I have a server connected to my local LAN, let's say at 192.168.1.2.

Router

eth1: x.x.x.x, the public IP address
eth2: 192.168.1.1, the internal router address

When someone from an outside network runs ssh on the public IP, it should be redirected to the server:

ssh x.x.x.x or using PuTTY

I disabled the SELinux and iptables firewall on the server.
I tried some iptables modifications on the Linux system router, but the SSH request is still not redirected:

iptables -t nat -A PREROUTING -p tcp -d 192.168.1.1 --dport 22 -j DNAT --to-destination 192.168.1.2:22

I also want to forward all HTTP (80) traffic to my internal server using iptables from the same Linux system router.

Best Answer

First of all make sure the packet forwarding is enabled in the kernel

# echo 1 > /proc/sys/net/ipv4/ip_forward

You can also make it permanent by adding below line to /etc/sysctl.conf

net.ipv4.ip_forward = 1

You have to do this on Linux Machine acting as a router. You can try the following rule on router machine.

iptables -t nat -A PREROUTING -i eth1 -d x.x.x.x -p tcp --dport 22 -j  DNAT --to-destination 192.168.1.2:22

Also let us know the output of your NAT Rules from the router box.

iptables -t nat -L -n -v

Related Solutions

Linux – Force local IP traffic to an external interface

I expanded on caladona's answer since I could not see response packets. For this example:

On my local PC I have NIC's on different subnets, 192.168.1/24, 192.168.2/24
There is an external router/PC that has access to both subnets.
I want to send bi-directional traffic over the NICs on the local PC.
The configuration requires two unused IP addresses for each subnet.

Local PC iptable routes are set to SNAT and DNAT outgoing traffic to the 'fake' IP.

iptables -t nat -A POSTROUTING -d 192.168.1.100 -s 192.168.2.0/24 -j SNAT --to-source      192.168.2.100
iptables -t nat -A PREROUTING  -d 192.168.1.100 -i eth0           -j DNAT --to-destination 192.168.1.1
iptables -t nat -A POSTROUTING -d 192.168.2.100 -s 192.168.1.0/24 -j SNAT --to-source      192.168.1.100
iptables -t nat -A PREROUTING  -d 192.168.2.100 -i eth1           -j DNAT --to-destination 192.168.2.1

The rules do the following:

Rewrite 192.168.2.1 source to 192.168.2.100 on outgoing packets
Rewrite 192.168.1.100 destination to 192.168.1.1 on incoming packets
Rewrite 192.168.1.1 source to 192.168.1.100 on outgoing packets
Rewrite 192.168.2.100 destination to 192.168.2.1 on incoming packets

To summarize, the local system now can talk to a 'virtual' machine with addresses 192.168.1.100 and 192.168.2.100.

Next you have to force your local PC to use the external router to reach your fake IP. You do this by creating a direct route to the IP's through via the router. You want to make sure that you force the packets onto the opposite of the destination subnet.

ip route 192.168.1.100 via $ROUTER_2_SUBNET_IP 
ip route 192.168.2.100 via $ROUTER_1_SUBNET_IP

Finally to make this all work, the external router needs to know how to reach the faked IPs on your local PC. You can do thins by turning on proxy ARPs on for your system.

echo 1 | sudo tee /proc/sys/net/ipv4/conf/all/proxy_arp
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

With this setup, you can now treat the fake IPs as a real system on your local PC. Sending data to .1 subnet will force packets out the .2 interface. Sending data to the .2 subnet will force packets out the .1 interface.

ping 192.168.1.100
ping 192.168.2.100

Linux – IPTables port forwarding keep originating IP address

I'd say this is not possible at the Layer-3 level. HOST_x is expecting remaining packets to come from the host where it initiated the connection MY_LINUX. If SERVER would suddenly get in the middle of the TCP handshake and reply, HOST_x would just ignore those packets.

Since HOST_x and SERVER have direct connectivity, I think it'd be better to move this routing scheme to the application layer and implement HTTP redirects. Then HOST_x opens a connection directly to the end point.

Router

Best Answer

Related Solutions

Linux – Force local IP traffic to an external interface

Linux – IPTables port forwarding keep originating IP address

Related Topic