Mark

asked on

linux iptables how to port forward

I have a Linux slackware host acting as a LAN router and DHCP server. That is working fine. I now want to port forward e.g. port 22 from the internet to a host on the LAN.  I haven't quite found what I'm looking for on the web or on EE.

On the router/DHCP-server host I have:

eth0 is the connection to the Internet with a static IP: 1.2.3.4 and a public domain of mydomain.com.

eth1 is the LAN interface with static IP 192.168.1.1. This is also the interface for the DHCP server which is started with: /usr/sbin/dhcpd eth1. I also have net.ipv4.ip_forward = 1 in /etc/sysctl.conf.

My iptables startup has:

iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT

So far, the above is my configuration for setting this computer up as a router for my LAN. As I said, this works fine and the other hosts in the LAN get their IPs from this host and are all on the 192.168.1.0/24 subnet.

WHAT I WANT TO DO:

I want Internet requests coming in on port 30038 via eth0 to be routed to 192.168.1.101, port 22.

That's it! Basically, I want to ssh into the host at 192.168.1.101 by doing:

ssh -p 30038 mydomain.com

How do I do that?

(I also want to eventually route ports 80, 443 and 25 to this same host, but I suppose if I can do what I want for 22 I can figure out the rest).
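An added example for this setup, not code from the asker or from the accepted answer (which is not shown on this page). It assumes the layout described above: eth0 faces the Internet, eth1 faces 192.168.1.0/24, and the target is 192.168.1.101. The external port numbers, the choice of a DROP default for the FORWARD chain, and the helper names (base_rules, forward_rules, all_rules) are this example's own. Run it with no argument to print the rules for review; run it as root with the single argument apply to install them.

```shell
#!/bin/sh
# Added example; assumes the asker's layout (eth0 = Internet, eth1 = LAN 192.168.1.0/24,
# target host 192.168.1.101). Prints the rules by default, installs them with "apply".

WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.1.0/24
TARGET=192.168.1.101

# base_rules: the router's NAT and LAN-to-Internet forwarding, plus two pieces a
# DNAT forward relies on. A DROP default on FORWARD means only listed traffic is
# relayed (assumed hardening, not from the thread), and the ESTABLISHED,RELATED
# rule lets replies to any accepted connection flow back without per-port rules.
base_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
EOF
}

# forward_rules EXT_PORT DEST_IP DEST_PORT
# Two rules per forwarded TCP port:
#   1. nat/PREROUTING DNAT: a packet arriving on the Internet side for EXT_PORT has
#      its destination rewritten to DEST_IP:DEST_PORT before the routing decision.
#   2. filter/FORWARD: the rewritten packet must still be accepted. The asker's
#      "-i eth1 -j ACCEPT" only covers traffic entering from the LAN, so this rule
#      matches the post-DNAT destination and port, which keeps the opening limited
#      to that one host and service rather than the whole LAN.
forward_rules() {
    ext_port=$1 dest_ip=$2 dest_port=$3
    cat <<EOF
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $ext_port -j DNAT --to-destination $dest_ip:$dest_port
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $dest_ip --dport $dest_port -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# all_rules: the complete rule set for the question. "ssh -p 30038 mydomain.com"
# ends up at 192.168.1.101:22; 80, 443 and 25 go to the same host unchanged.
all_rules() {
    base_rules
    forward_rules 30038 $TARGET 22
    forward_rules 80    $TARGET 80
    forward_rules 443   $TARGET 443
    forward_rules 25    $TARGET 25
}

main() {
    if [ "$1" = apply ]; then
        # Flush the chains this script owns first so re-running does not append
        # duplicate rules; then execute each printed line, stopping on the first error.
        iptables -F FORWARD
        iptables -t nat -F PREROUTING
        iptables -t nat -F POSTROUTING
        all_rules | sh -e
    else
        all_rules
    fi
}

main "$@"
```

Two checks worth making after applying: `iptables -t nat -L PREROUTING -n -v` should show the DNAT rule's packet counter climb when you connect from outside, and `iptables -L FORWARD -n -v` should show the matching ACCEPT rule counting too; a DNAT counter that climbs while FORWARD does not usually means the forwarded packet is being dropped by the filter chain. Two caveats: on an old Slackware kernel without the xt_conntrack match, `-m state --state NEW` and `-m state --state ESTABLISHED,RELATED` are the equivalent older syntax; and because the DNAT rule is restricted to `-i eth0`, hosts on the LAN cannot reach the service through the public address (that needs an extra hairpin DNAT plus a MASQUERADE on eth1, which this example deliberately leaves out).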
Dash Amr

ssh -L <local port>:<remote computer>:<remote port> <user>@<remote ip>
An example is:

ssh -L 6669:94.92.10.15:6667 foowho

In this example, local port 6669 on the local client computer is tunneled by encrypted SSH over the default port 22 to the router at 94.92.10.15. The router must be set up to forward port 22 to whatever the internal LAN IP (such as 192.168.0.56) of the SSH host is. The host is running OpenSSH (sshd service) and is set to listen to port 22. It then routes the incoming data to the host port 6667, where presumably some other program is waiting for data. foowho has an account on the host running the OpenSSH server.
Mark

ASKER

No, I know how to ssh using a not-port-22. In my original posting I have: ssh -p 30038 mydomain.com

My question is how to set up iptables to route Internet requests to mydomain.com:30038 to LAN host 192.168.1.101:22

ALFA007 almost has the idea, but reversed. I don't want to go from router:22 to LANhost:30038, I want to go from router:30038 to LANhost:22. ALFA007's statement, "The router must be set up to forward port 22 to whatever the internal LAN IP (such as 192.168.0.56) of the SSH host is." Yes, how to set up the router? My Linux host *is* the router.
ASKER CERTIFIED SOLUTION
Dan Craciun

This solution is only available to members.

ASKER

DanCraciun: > you will have to enable NAT first.

I believe that is taken care of. I listed the lines from my iptables config in my original posting:

iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT

Anyway, your solution did the trick! I was able to forward that port and others to the desired hosts.

One last problem: I think I messed up a convoluted forward of port 25. See my new posting:

https://www.experts-exchange.com/questions/28259679/iptables-possible-circular-reference-on-port-forward.html