Hello
I have a setup on machine1.
Machine1 is configured to SSH-port-forward to another Internet-hosted machine with:
ssh -L 8191:localhost:8191 <machine2>
Now this allows me, on machine1, to open a browser, point it at that local port and be forwarded to port 8191 on machine2.
Machine3 (on the same LAN as machine1) wants to reach the same page as machine1, and through it (the primary reason is that machine3 is Windows and its user knows nothing of SSH port forwarding).
I configured machine1 to port-forward, listening on a non-privileged port (8095), to its local port 8191.
Here is the config:
$ iptables -L -n
Chain FORWARD (policy ACCEPT)
ACCEPT tcp -- 0.0.0.0/0 127.0.0.1 state NEW tcp dpt:8161
$ iptables -L -n -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8095 to:127.0.0.1:8161
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0
MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
I used the masquerading option of the system-config-firewall-tui tool to be fool-proof. There I set the wlan0 interface of machine1 as the listening interface and the destination to be 127.0.0.1, with ports 8095 >> 8161.
Now on machine3 I get a time-out when browsing to:
http://machine1:8590 and if I scan the open ports of machine1 with nmap I cannot see 8095 listed there.
Here is the output of cat /etc/sysconfig/iptables:
# Manual customization of this file is not recommended.
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o wlan0 -j MASQUERADE
-A PREROUTING -i wlan0 -p tcp --dport 8095 -j DNAT --to-destination 127.0.0.1:8161
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 631 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 16509 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 16514 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8090 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -o eth0 -j ACCEPT
-A FORWARD -o wlan0 -j ACCEPT
-A FORWARD -i wlan0 -m state --state NEW -m tcp -p tcp -d 127.0.0.1 --dport 8161 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
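Two facts about the setup above are worth checking before touching more rules. First, `ssh -L` binds its listener to 127.0.0.1 by default, so nothing on machine1 listens on a LAN-reachable address, which is why nmap from machine3 shows no open port (a DNAT rule rewrites packets; it does not create a listener). Second, a PREROUTING DNAT from a real interface to a 127.0.0.0/8 address is dropped by the kernel unless `net.ipv4.conf.<iface>.route_localnet=1` is set on that interface (available since Linux 3.6). The script below is an added example, not part of the original post: it audits an iptables-save dump for loopback DNAT rules, prints the sysctl each one would need, and emits the loopback-free alternative of binding the SSH listener to the LAN address and admitting only the LAN subnet on that port. The sample dump, the host name, the LAN address 192.168.1.10 and the subnet 192.168.1.0/24 are constructed values.

```shell
#!/bin/sh
# Added example (not from the original post). Audits an iptables-save dump for
# PREROUTING DNAT rules that send traffic from a real interface to 127.0.0.1,
# which the kernel drops unless route_localnet is enabled on that interface.
# SAMPLE_RULES is constructed to mirror the shape of the post's config.

SAMPLE_RULES='*nat
-A POSTROUTING -o wlan0 -j MASQUERADE
-A PREROUTING -i wlan0 -p tcp --dport 8095 -j DNAT --to-destination 127.0.0.1:8161
-A PREROUTING -i wlan0 -p tcp --dport 8096 -j DNAT --to-destination 192.168.1.20:80
COMMIT'

# Print "iface dport target" for every PREROUTING DNAT rule whose target is loopback.
loopback_dnat_rules() {
    printf '%s\n' "$1" | awk '
        /^-A PREROUTING/ && /-j DNAT/ {
            iface = ""; dport = ""; dst = "";
            for (i = 1; i <= NF; i++) {
                if ($i == "-i") iface = $(i + 1);
                if ($i == "--dport") dport = $(i + 1);
                if ($i == "--to-destination") dst = $(i + 1);
            }
            if (dst ~ /^127\./) print iface, dport, dst;
        }'
}

# Emit the per-interface sysctl each loopback DNAT rule depends on (kernel >= 3.6).
required_sysctls() {
    loopback_dnat_rules "$1" | while read -r iface dport dst; do
        printf 'net.ipv4.conf.%s.route_localnet=1\n' "$iface"
    done | sort -u
}

# Alternative that avoids loopback DNAT: bind the ssh -L listener to the LAN
# address of machine1 and accept only the LAN subnet on that port. All values
# are supplied by the caller; the ones used below are constructed.
lan_forward_commands() {
    lan_ip=$1; lan_cidr=$2; lport=$3; rport=$4; host=$5
    printf 'ssh -N -L %s:%s:localhost:%s %s\n' "$lan_ip" "$lport" "$rport" "$host"
    printf 'iptables -I INPUT -i wlan0 -s %s -p tcp --dport %s -m state --state NEW -j ACCEPT\n' \
        "$lan_cidr" "$lport"
}

echo "Loopback DNAT rules (iface dport target):"
loopback_dnat_rules "$SAMPLE_RULES"
echo "Sysctls those rules require:"
required_sysctls "$SAMPLE_RULES"
echo "Loopback-free alternative:"
lan_forward_commands 192.168.1.10 192.168.1.0/24 8095 8191 machine2
```

Binding the listener to the LAN address makes the forwarded service reachable by every host on that segment, so the accompanying INPUT rule restricts it to the subnet; widen or narrow the `-s` match to the hosts that actually need it.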