LinuxQuestions.org
Old 05-25-2015, 01:51 AM   #1
hsafe
LQ Newbie
 
Registered: Dec 2012
Posts: 7

Rep: Reputation: Disabled
port forwarding from one port to another


Hello

I have a setup on machine1.
Machine1 is configured to SSH port forward to another Internet-hosted machine with:

ssh -L 8191:localhost:8191 <machine2>

Now this allows me, on machine1, to open a browser, point it locally at that port and be transferred to machine2's port 8191.

Machine 3 (on the same LAN as machine1) wants to get to the same page as machine 1, and through it (the primary reason is that machine3 is Windows and the user knows nothing of the ssh port forwarding).
I configured machine1 to port forward and listen on a non-privileged port (8095) to its local 8191 port number.
Here is the config:

Code:
$ iptables -L -n
Chain FORWARD (policy ACCEPT)
ACCEPT tcp -- 0.0.0.0/0 127.0.0.1 state NEW tcp dpt:8161
$ iptables -L -n -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8095 to:127.0.0.1:8161

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0
MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

I used the masquerading tool system-config-firewall-tui to be fool-proof. There I used the wlan0 interface of machine1 as the listening interface and set the destination to 127.0.0.1 with ports 8095>>8161.

Now on machine3 I get a time-out when browsing to http://machine1:8590, and if I scan the open ports of machine1 with nmap I cannot see 8095 listed there.

Here is the output of cat /etc/sysconfig/iptables:

Code:
# Manual customization of this file is not recommended.
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o wlan0 -j MASQUERADE
-A PREROUTING -i wlan0 -p tcp --dport 8095 -j DNAT --to-destination 127.0.0.1:8161
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 631 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 16509 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 16514 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8090 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -o eth0 -j ACCEPT
-A FORWARD -o wlan0 -j ACCEPT
-A FORWARD -i wlan0 -m state --state NEW -m tcp -p tcp -d 127.0.0.1 --dport 8161 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Last edited by hsafe; 05-25-2015 at 02:11 AM.
 
Old 05-25-2015, 10:25 AM   #2
eantoranz
Senior Member
 
Registered: Apr 2003
Location: Costa Rica
Distribution: Kubuntu, Debian, Knoppix
Posts: 2,092
Blog Entries: 1

Rep: Reputation: 90
Ok.... assuming that everything is correct on the firewall configuration and stuff, I think your ssh call is opening up port 8191 to local connections only. Can you make sure with netstat -lntp? If that's the case, I think you should run something like:

Code:
ssh -L *:8191:localhost:8191 <machine2>
 
Old 05-25-2015, 10:27 AM   #3
eantoranz
Senior Member
 
Registered: Apr 2003
Location: Costa Rica
Distribution: Kubuntu, Debian, Knoppix
Posts: 2,092
Blog Entries: 1

Rep: Reputation: 90
By the way, I don't see the relation between port 8191 and 8161. Am I missing something?
 
Old 05-25-2015, 10:44 PM   #4
hsafe
LQ Newbie
 
Registered: Dec 2012
Posts: 7

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by eantoranz
By the way, I don't see the relation between port 8191 and 8161. Am I missing something?
Well, first thanks for the replies; secondly, the thing is that machine2 is firewalled to reply only locally on 8161, and that port is blocked for any requests outside its loopback interface.
 
Old 05-25-2015, 11:00 PM   #5
eantoranz
Senior Member
 
Registered: Apr 2003
Location: Costa Rica
Distribution: Kubuntu, Debian, Knoppix
Posts: 2,092
Blog Entries: 1

Rep: Reputation: 90
But machine2 is not the problem. If I get you right, you want to reach machine 1's port 8191 from machine 3, which in turn will use machine 2's web service on port 8191 (without machine 3 noticing it), right?

If that's the case you have to create the local port when calling ssh to be 'open' so that other computers can connect to it. Otherwise a connection won't be able to be established. That's why I'm telling you to check the listening port of the ssh process with netstat -lntp (on machine 1).
 
Old 05-25-2015, 11:08 PM   #6
hsafe
LQ Newbie
 
Registered: Dec 2012
Posts: 7

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by eantoranz
Ok.... assuming that everything is correct on the firewall configuration and stuff, I think your ssh call is opening up port 8191 to local connections only. Can you make sure with netstat -lntp? If that's the case, I think you should run something like:

Code:
ssh -L *:8191:localhost:8191 <machine2>
Hello back

Well, the trick with *:8191:localhost:8191 does not seem to work. I even suspected that, since the port forwarding involves multiple physical interfaces, I might be on the wrong track, and did a:

Code:
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 8095 -j REDIRECT --to-port 8161

It was in vain and gave no result either.
 
Old 05-25-2015, 11:12 PM   #7
eantoranz
Senior Member
 
Registered: Apr 2003
Location: Costa Rica
Distribution: Kubuntu, Debian, Knoppix
Posts: 2,092
Blog Entries: 1

Rep: Reputation: 90
I think you should go step by step. When you run ssh, make sure port 8191 is open and to what IP address on machine 1. That's just for starters... then we could start considering firewall issues.
 
Old 05-26-2015, 12:44 AM   #8
hsafe
LQ Newbie
 
Registered: Dec 2012
Posts: 7

Original Poster
Rep: Reputation: Disabled
The solution

Ok, I found a way to resolve this, with minimal changes to iptables, and actually very neat:

On machine 1, instead of the ssh port forward from local, as advised I'll run this:

Code:
ssh -L machine3IP:8161:localhost:8161 <machine2>

That resolved the issue, in case some people like me might be interested...
 
Old 05-26-2015, 10:46 AM   #9
eantoranz
Senior Member
 
Registered: Apr 2003
Location: Costa Rica
Distribution: Kubuntu, Debian, Knoppix
Posts: 2,092
Blog Entries: 1

Rep: Reputation: 90
Good to know, but I think it's not quite correct. machine3IP or machine1IP? Cause the first parameter there would be the IP that the SSH process will bind to, and if you run it on machine1, it's not OK if you ask it to bind to the IP that machine3 has.
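The check eantoranz asks for in posts #5 and #9, as an added example that is not from the thread: it reads `ss -lnt` output (the modern equivalent of `netstat -lntp`) and reports whether the listener on a given port is bound to loopback only, to a single address, or to every interface, which is what decides whether a LAN host such as machine3 can reach an `ssh -L` tunnel. The sample socket lines are constructed, and `bind_scope` and `advise` are names chosen here.

```shell
# Added example, not from the thread. Classifies the bind address of the
# TCP listener on a port, from `ss -lnt` style output. The sample lines
# below are constructed: one tunnel bound to loopback, one bound everywhere.
SAMPLE_SS='LISTEN 0 128 127.0.0.1:8191 0.0.0.0:* users:(("ssh",pid=4242,fd=5))
LISTEN 0 128 0.0.0.0:8161 0.0.0.0:* users:(("ssh",pid=4243,fd=5))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=900,fd=3))'

# bind_scope PORT [SS_OUTPUT]
# Prints "loopback", "all", the single bound address, or "none".
# With no second argument it inspects the live system via `ss -lnt`.
bind_scope() {
    port=$1
    out=${2:-$(ss -lnt 2>/dev/null)}
    # Column 4 is "addr:port"; strip the trailing ":PORT" to get the address.
    # IPv6 listeners look like "[::]:8161", so split on ":" and take the last field.
    addr=$(printf '%s\n' "$out" | awk -v p="$port" '
        $1 == "LISTEN" {
            n = split($4, a, ":")
            if (a[n] == p) { sub(":" p "$", "", $4); print $4; exit }
        }')
    case "$addr" in
        "")                 echo none ;;
        127.*|"[::1]")      echo loopback ;;
        0.0.0.0|"[::]"|"*") echo all ;;
        *)                  echo "$addr" ;;
    esac
}

# advise PORT [SS_OUTPUT]: what the binding means for a client on the LAN.
advise() {
    case "$(bind_scope "$@")" in
        none)     echo "port $1: nothing listening; the ssh -L tunnel is not up" ;;
        loopback) echo "port $1: bound to 127.0.0.1 only; LAN hosts cannot reach it" ;;
        all)      echo "port $1: bound to every interface; any LAN host can use the tunnel" ;;
        *)        echo "port $1: bound to one address; reachable only via that address" ;;
    esac
}

advise 8191 "$SAMPLE_SS"
advise 8161 "$SAMPLE_SS"
```

Run `advise 8191` with no second argument on machine1 to inspect the real socket; a tunnel bound to every interface is usable by any host on the LAN, so binding to machine1's own LAN address, as post #9 suggests, is the narrower choice.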
 