IPTABLES rerouting only specific ips to a specific internal pc
Hi,
I'm hoping someone out there will be good at using iptables. Here is my dilemma.
At work, they run a very strict network. So the only way to get out of their network is via port 80 and 443 through their proxy. For example, I tried to ssh to my home network but it didn't allow me to.
Here is my setup. I'm running a linux router that runs iptables. How can I specify the router to handle my work ips in a special way? I don't want to change the network I have at home, I want to keep it as is. However, when I try to access my home network (from work) via port 80/443, I want the router to forward or handle it to a specific internal address inside my network that is NOT 80/443. For example, suppose I'm at work and I ssh out to my home via port 80, how can I set it so my router handles that specific ip to an internal address via port 22?
It's a little confusing I know. I'd appreciate any help.
PuTTY should let you tunnel through to another network using another port.
Beware! The reason your workplace is strict about this is that they don't want to jeopardize their network/data by opening their computers to unknown systems. You may be risking your job if you try to subvert company network security policies.
I assume your firewall is running Linux; if not, you probably posted this on the wrong website.
I had a similar situation some years ago, where I wanted to set up an RDP connection to my home-based PC which was behind a Linux-FW connecting to the net via ADSL.
Back to your question:
For example, suppose I'm at work and I ssh out to my home via port 80, how can I set it so my router handles that specific ip to an internal address via port 22?
I am assuming your firewall connects to the internet via a modem/router which has its own IP-address when connecting to the FW.
FWCARD=eth0
FWIP=192.168.254.253 # IP of your firewall side Internet
FWMODEM=192.168.254.254
LANCARD=eth1
LANIP=192.168.1.254 # IP of your firewall side LAN
LANNETWORK=192.168.1.0/24
DESTIP=192.168.1.1 # Host connecting to
DESTPORT=22 # SSH
WORKIP=184.73.199.236 # Your work's Public IP (single address, deliberately not a /24)
WORKPORT=80 # Port allowed by work
# Remember to enable IP-forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Make sure routing is in place (the LAN route is normally added automatically when $LANCARD comes up)
route add -net $LANNETWORK dev $LANCARD
route add default gw $FWMODEM
# Rewrite traffic from your work IP that arrives on the firewall's public address on $WORKPORT
# so that it is delivered to the internal host on $DESTPORT. The client's source port is
# ephemeral, so only the destination port is matched.
iptables -t nat -A PREROUTING -p TCP -i $FWCARD -s $WORKIP -d $FWIP --dport $WORKPORT -j DNAT --to-destination $DESTIP:$DESTPORT
# Log the new incoming traffic (FORWARD sees the already-rewritten destination):
iptables -A FORWARD -p TCP -i $FWCARD -s $WORKIP -o $LANCARD -d $DESTIP --dport $DESTPORT -m state --state NEW -j LOG --log-level 4 --log-prefix "Incoming SSH from work: "
# Now forward the traffic:
# Incoming (state list must not contain spaces)
iptables -A FORWARD -p TCP -i $FWCARD -s $WORKIP -o $LANCARD -d $DESTIP --dport $DESTPORT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Outgoing (Response); conntrack un-does the DNAT on the way back out
iptables -A FORWARD -p TCP -i $LANCARD -s $DESTIP --sport $DESTPORT -o $FWCARD -d $WORKIP -m state --state ESTABLISHED,RELATED -j ACCEPT
I am unable to test this right now... but should be real close
The problem isn't confusing, but the intent is against LQ rules:
Posts containing information about cracking, piracy, warez, fraud or any topic that could be damaging to either LinuxQuestions.org or any third party will be immediately removed.
As alan99 stated "they don't want to jeopardize their network/data by opening their computers to unknown systems".
Also if your workplace has an IT department, they probably will be able to detect that the traffic on port 80 is encrypted noise, and trace it to your work computer and your home IP address.
I'm closing this thread and may decide to delete it later. Since one might do the same thing to move an open ssh port, or to use different port numbers and forward them to different hosts on the LAN, I'm leaving the post visible for now at least.
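The moderator's point that SSH on port 80 shows up as non-HTTP traffic to anyone inspecting the network is easy to operationalise on the defender's side. The following Python is an added example, not code from this thread or from LinuxQuestions.org: it takes a few constructed flow records (the record layout, addresses and payload bytes are all assumptions made for the example) and flags port 80/443 connections whose first client bytes do not look like the protocol expected on that port.

```python
import re

# Constructed sample flow records: (client, server, dst_port, first bytes sent by the client).
# In a real deployment these would come from a flow/packet capture tool; the format is assumed.
SAMPLE_FLOWS = [
    ("10.0.5.17", "203.0.113.10", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"),
    ("10.0.5.17", "203.0.113.10", 80, b"SSH-2.0-OpenSSH_8.9\r\n"),          # SSH banner on port 80
    ("10.0.5.42", "203.0.113.20", 443, b"\x16\x03\x01\x00\xf4\x01\x00\x00\xf0\x03\x03"),  # TLS ClientHello
    ("10.0.5.42", "203.0.113.30", 80, b"\x16\x03\x01\x00\xf4\x01\x00\x00\xf0\x03\x03"),   # TLS on port 80
    ("10.0.5.99", "203.0.113.40", 80, b"\x8b\x12\xf0\x3a\x91\xc4\x00\x77\xe2"),           # opaque bytes
]

# An HTTP/1.x request line: METHOD SP request-target SP HTTP/1.x CRLF
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT|PATCH|TRACE) \S+ HTTP/1\.[01]\r?\n"
)

# Protocols a defender expects to see on each well-known port.
EXPECTED_ON_PORT = {80: {"http"}, 443: {"tls"}}


def classify_payload(first_bytes: bytes) -> str:
    """Label the opening client bytes of a TCP stream by their protocol signature."""
    if HTTP_REQUEST_LINE.match(first_bytes):
        return "http"
    if first_bytes.startswith(b"SSH-"):
        # SSH protocol identification string (RFC 4253): "SSH-2.0-<software>"
        return "ssh"
    if (len(first_bytes) >= 3 and first_bytes[0] == 0x16   # TLS handshake record type
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x04):  # record version 3.x
        return "tls"
    return "unknown"


def find_mismatches(flows):
    """Return flows on a monitored port whose protocol does not match expectations."""
    findings = []
    for client, server, port, payload in flows:
        label = classify_payload(payload)
        allowed = EXPECTED_ON_PORT.get(port)
        if allowed is not None and label not in allowed:
            findings.append({
                "client": client,
                "server": server,
                "port": port,
                "protocol": label,
            })
    return findings


if __name__ == "__main__":
    for finding in find_mismatches(SAMPLE_FLOWS):
        print(f"{finding['client']} -> {finding['server']}:{finding['port']} "
              f"carries {finding['protocol']} instead of expected traffic")
```

Each finding carries the internal client address and the external server address, which is exactly the pairing the moderator describes an IT department tracing back. The check is deliberately crude (first bytes only, no reassembly) so the classifier's limits are visible: it will not see inside an HTTP CONNECT tunnel, and a flow whose first bytes are not captured lands in "unknown" rather than being silently accepted.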