Networking Forums

iptables port forward question

Ken Williams
07-21-2006, 04:32 PM
Hi, I'm wondering if the following is possible.

I have a server on the internet at say 100.10.0.1. It's configured to
only accept packets from my other machine 200.20.0.1. This 200.20.0.1
runs iptables and will act as a firewall.

So I want to use IP tables on 200.20.0.1 to firewall 100.10.0.1. Now
100.10.0.1 is on the internet for real (not in a private IP network like
192.168.0.x). It's in a different city.

Is this possible? So 100.10.0.1 will only accept packets from
200.20.0.1, obviously meaning IP tables on 200.20.0.1 cannot simply
redirect people/packets to 100.10.0.1, they shouldn't even know
100.10.0.1 exists. Correct?

Unruh
07-21-2006, 05:33 PM
Ken Williams <(E-Mail Removed)> writes:

>Hi, I'm wondering if the following is possible.

>I have a server on the internet at say 100.10.0.1. It's configured to
>only accept packets from my other machine 200.20.0.1. This 200.20.0.1
>runs iptables and will act as a firewall.

>So I want to use IP tables on 200.20.0.1 to firewall 100.10.0.1. Now
>100.10.0.1 is on the internet for real (not in a private IP network like
>192.168.0.x). It's in a different city.


It needs its own firewall.

>Is this possible? So 100.10.0.1 will only accept packets from
>200.20.0.1, obviously meaning IP tables on 200.20.0.1 cannot simply
>redirect people/packets to 100.10.0.1, they shouldn't even know
>100.10.0.1 exists. Correct?


No. Routing problems. They are not on the same subnet, so the net will
direct traffic to 100.10.0.1 along a totally different path than to
200.10.0.1. I.e., there is no way that 200.10.0.1 will ever see any packet
directed to 100.

Now, 200 could be set up to NAT 100. I.e., on 100, make 200 the gateway. On
200 tell it to NAT packets from 100 so that all packets from 100 then seem
to come from 200 and all replies will be sent to 200.

Unfortunately, when 200 sends the packets to 100, they will seem to come
from the external system, and 100 will reject them, AFAIK. But I am not
positive of that which is why I suggest it.

Ken Sims
07-21-2006, 08:55 PM
Hi Ken -

On Fri, 21 Jul 2006 12:32:09 -0400, Ken Williams <(E-Mail Removed)>
wrote:

>So I want to use IP tables on 200.20.0.1 to firewall 100.10.0.1. Now
>100.10.0.1 is on the internet for real (not in a private IP network like
>192.168.0.x). It's in a different city.
>
>Is this possible? So 100.10.0.1 will only accept packets from
>200.20.0.1, obviously meaning IP tables on 200.20.0.1 cannot simply
>redirect people/packets to 100.10.0.1, they shouldn't even know
>100.10.0.1 exists. Correct?


You need to both DNAT and SNAT the packets coming to 200.20.0.1 that
are to be forwarded to 100.10.0.1. The DNAT sends them on to
100.10.0.1; the SNAT makes them come from source address
200.20.0.1. 100.10.0.1 will send the response packets back to
200.20.0.1, which will use the state information to send them back to
the original requestor.

On 100.10.0.1 you'll need the proper rules to DROP or REJECT all
incoming packets except from 200.20.0.1.

--
Ken
http://www.kensims.net/
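Ken Sims' DNAT + SNAT setup written out as an added shell example (not code from the thread): the two addresses are the thread's, while the TCP port, the conntrack state matching and the dry-run switch are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: the DNAT + SNAT relay Ken Sims describes.
# 100.10.0.1 and 200.20.0.1 are the thread's addresses; the TCP port,
# the conntrack state rules and the dry-run switch are assumptions.
SERVER=100.10.0.1            # protected host, only talks to the relay
RELAY=200.20.0.1             # public-facing iptables box
IPT=${IPT:-iptables}         # set IPT=echo to print rules instead of applying them
SYSCTL=${SYSCTL:-sysctl}

# Run on the relay (200.20.0.1): take connections to port $1 on the relay,
# DNAT them to the server and SNAT them so the server sees the relay as
# the source; conntrack maps the replies back to the original client.
relay_rules() {
    port=$1
    $SYSCTL -w net.ipv4.ip_forward=1
    $IPT -P FORWARD DROP
    $IPT -t nat -A PREROUTING -p tcp -d "$RELAY" --dport "$port" \
        -j DNAT --to-destination "$SERVER:$port"
    $IPT -t nat -A POSTROUTING -p tcp -d "$SERVER" --dport "$port" \
        -j SNAT --to-source "$RELAY"
    # FORWARD sees the post-DNAT destination; allow only this port and its replies
    $IPT -A FORWARD -p tcp -d "$SERVER" --dport "$port" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -s "$SERVER" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Run on the server (100.10.0.1): default-DROP INPUT, accept loopback,
# replies to its own connections, and the forwarded port from the relay only.
server_rules() {
    port=$1
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp -s "$RELAY" --dport "$port" -j ACCEPT
}

# usage: sh relay.sh relay 80   |   sh relay.sh server 80
case "${1:-}" in
    relay)  relay_rules  "${2:-80}" ;;
    server) server_rules "${2:-80}" ;;
esac
```

relay_rules belongs on 200.20.0.1 and server_rules on 100.10.0.1; the SNAT is what avoids the rejection Unruh expected, because the server never sees the client's real source address.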