Port Forwarding Within Internal Network

marzak · 02-26-2010, 05:45 PM

Hello all,

I have a question about port forwarding. I have an internal Red Hat server and I would like to use it as a central connection point to some back end servers. This is not an internet router setup. I was thinking I could use iptables and do port forwarding similar to an internet router but internal to internal. Here is a simplified example of what I am looking for:

server1
eth0 192.168.0.5
eth1 192.168.0.6

server2
eth0 192.168.0.11

Basically I would like to take any connections to port 22 on server1 interface eth0 and forward them out of interface eth1 to server2 port 22.

I am finding a lot of information on port forwarding, but it is all based on using an internet router that is passing through to an internal server. I need to know how to configure a basic linux setup
with no existing iptables entries so that I can do this within an existing network.

Also, if there is a better or easier approach I would appreciate any direction. I don't want to do this through an SSH tunnel.

I know to start I need the following to enable forwarding in the kernel and a firewall PREROUTING rule.

sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.0.5 --dport 22 -j DNAT --to 192.168.0.11:22

I was thinking I am missing something like the following, but I am not sure.

iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Thanks

nimnull22 · 02-26-2010, 06:10 PM

I do not think you need MASQUERADE rule.

Everything else looks good and should be enough.

But how do they communicate between each other?

Also I thing you need to give different interfaces different subnetwork IP:
192.168.1.5 - eth0
192.168.2.5 - eth1 Server 1

192.168.2.10 - eth0 Server2, if you want it to be on the same LAN with eth1 Server1.

marzak · 02-26-2010, 06:51 PM

Thanks, nimnull22.

I don't have an option on the addressing. The machines are all on the same subnet (server1 and server2 and any client machines).

I am not sure what you mean about how they communicate between each other. I assumed the client would contact server1 (192.168.0.5) on port 22. It would forward to server2 port 22 and traffic would flow back to the client through server1. That is why I was thinking about the masquerade rule.

Basically the client wouldn't know about server2. It would assume all interaction was with server1.

Thanks,

nimnull22 · 02-26-2010, 07:45 PM

Quote:

Originally Posted by marzak

Thanks, nimnull22.

I am not sure what you mean about how they communicate between each other. I assumed the client would contact server1 (192.168.0.5) on port 22. It would forward to server2 port 22 and traffic would flow back to the client through server1. That is why I was thinking about the masquerade rule.

Basically the client wouldn't know about server2. It would assume all interaction was with server1.

Thanks,

Where do you connect ethernet cards of the Server 1 and 2?

nimnull22 · 02-26-2010, 08:05 PM

Quote:

Originally Posted by marzak

Thanks, nimnull22.

I am not sure what you mean about how they communicate between each other. I assumed the client would contact server1 (192.168.0.5) on port 22. It would forward to server2 port 22 and traffic would flow back to the client through server1. That is why I was thinking about the masquerade rule.

Basically the client wouldn't know about server2. It would assume all interaction was with server1.

Thanks,

Where do you connect ethernet cards of the Server 1 and 2?
If you need to hide IP of second server, yes masquerading will help.

marzak · 02-27-2010, 10:39 AM

Quote:

Originally Posted by nimnull22

Where do you connect ethernet cards of the Server 1 and 2?
If you need to hide IP of second server, yes masquerading will help.

The ethernet cards for Server1 and Server2 are connected to the same switch.