IPTables forward question

June 6, 2005 at 04:22:39
Specs: Debian Sarge, 350/64

Hello, I have a question about IPTables.

Due to restrictions on the campus network I'm on, we are not allowed to run servers anymore. However, I managed to get an IP on which I can run servers.

My question:
Is it possible to use that IP (which is a static IP available to the outside world) to forward external requests from FTP clients to another IP on the same network?
I know this is possible using forwarding with iptables between an external network and an internal network (using 2 network cards), but I want to know if it is possible using only 1 network card, connected to the campus network. This way, FTP connections from outside the network would be able to connect to FTP servers in the network that aren't able to serve to the outside world.

Any ideas if this is possible using only 1 IP, or would I need to connect with a different IP too?

June 6, 2005 at 05:28:05

It is possible to forward packets pretty much anywhere/how you want with IPTables, yes. The way you described your network setup, I don't think it will be possible. With only one network card - and therefore only one physical connection - I don't see how your computer can be connected to both the internal and external networks.

So, I guess the short answer is - yes this is possible, but your computer must first be connected to both networks. So, unless there is something you left out, this will be impossible with only one network card.
June 6, 2005 at 07:04:20

You can tunnel just about anything through SSH if you are allowed to set up an SSH server (something your sys admin probably won't mind too much!). The following may help you:
June 6, 2005 at 13:48:15

Hmm, ok, let me explain the situation a bit more. I made a picture available here:


So, if a computer is in zone B, the restricted zone, it can access the internet with no problem, but all server-related programs don't work, because you can't connect to this computer from the internet.

However, if a computer is in zone C, a non-restricted zone, it is possible to connect to it from the internet without any problems.

The part where this gets interesting is, that computers in zone C can connect to servers (like ftp, http, ssh,...) in zone A, the whole campus network.
Most computers from students belong to zone B, but my computer belongs to zone C.

So I am able to run servers, and use iptables for firewalling.

So what I want to do now, is to 'forward' (or should I say 'lead the way') ftp requests to a specific port to my computer (which is connected to the internet, zone C) to another computer, also connected to the internet, but located in zone B.

The idea behind this is that my computer can accept requests for connection from the internet, and my computer can also connect to servers in zone B. So if my iptables can make the computer on the internet think that it is connecting to my PC, it would be possible to connect to servers in zone B.

I can understand that this is a bit too difficult because both incoming and outgoing traffic from the computer on the internet and the computer in zone B would go through the same network card.

I have 2 NICs, so I would be able to do some tricky things by connecting twice to the same network, but if it can be done with a few iptables rules, it would be a lot easier.

I will look at the ssh tunnels when I have more time.

June 6, 2005 at 14:14:41

Ok, that helps. Computers on network C can access computers on network B, correct? If so, you should be able to do what you're asking about without two NICs. You probably don't have access to a physical connection to network B anyway, so having two NICs wouldn't do you any good even if you had them.

Can your computer, on network C, access a server on network B? If not, stop right now because this isn't going to work. If so, you basically have the right idea. You will simply be using iptables to forward requests directed at your computer to computer(s) on the protected network (network B).

The iptables command to do this would look something like this:

iptables -A FORWARD -p tcp -i [incoming interface] -o [outgoing interface] -d [ip address of target server] --dport 80 -m state --state NEW -j ACCEPT

In your case, the incoming and outgoing interfaces will be the same - probably eth0.

As 3Dave noted, you can accomplish basically the same thing with sshd. This might be preferable, as it will help to hide what you are doing from the network administrator. Depending on how draconian he/she is about enforcing the "no servers" rule, it may not hide your activities for long. You have been waaaarned! [cue Theremin music]
June 7, 2005 at 07:52:44

Yes, computers in zone C can access servers on computers in zone B.
And yes, I have access to an IP that is in zone B, so I can connect the computer twice if needed, once as being in zone B and once in zone C :-)

Hmm, I tried your command, but it doesn't seem to work.
I'm not sure if the dport is doing what I think it is doing. I basically want to forward requests to port 2121 to another IP's port 21, if that's possible (because I also have an FTP server on the computer in zone C).

I'll try the ssh tunnel, see if that works.

June 7, 2005 at 08:14:12

The iptables command I gave was only an example. It won't work if you just copy and paste it as-is - you would need to plug in the actual values for your scenario.

ftp is going to be difficult to get working, because you need more than just port 21 (or whatever port you configure the ftp server to listen on).
June 8, 2005 at 02:16:14

...yep, you need port 20 too for FTP data.
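The two points the thread leaves open are (a) what a complete single-interface forwarding ruleset looks like, since the FORWARD rule quoted earlier only permits traffic and does not itself redirect port 2121 to port 21, and (b) how the FTP data channel (port 20 in active mode, a server-chosen port in passive mode) gets through. The script below is an added example written for this page, not code from any poster. It builds the ruleset as text rather than applying it, so it can be inspected on any machine; every address is a constructed placeholder (192.0.2.x is the RFC 5737 documentation range) and the interface, ports and module names are assumptions about the asker's setup.

```sh
#!/bin/sh
# Added example: generate an iptables ruleset that forwards TCP port
# LISTEN_PORT on our public address to TARGET_IP:TARGET_PORT through a
# single NIC. Nothing here touches the kernel; review the output, then
# run it as root (e.g. "fwd_rules ... | sh") to apply.
#
# Constructed placeholder values, not taken from the thread:
PUB_IF="eth0"            # the only NIC, attached to the campus network
PUB_IP="192.0.2.10"      # our reachable (zone C) address
TARGET_IP="192.0.2.50"   # the FTP server in the restricted zone (zone B)
LISTEN_PORT=2121         # port clients connect to on PUB_IP
TARGET_PORT=21           # port the real FTP server listens on

# fwd_rules IF PUB_IP TARGET_IP LISTEN_PORT TARGET_PORT
# Prints the commands needed for a hairpin (same-interface) forward.
fwd_rules() {
    pub_if=$1; pub_ip=$2; target_ip=$3; listen_port=$4; target_port=$5
    cat <<EOF
# Let the kernel route packets that are not addressed to it.
sysctl -w net.ipv4.ip_forward=1
# Connection-tracking helpers so FTP data connections (port 20 in active
# mode, a negotiated port in passive mode) are tracked as RELATED and the
# PORT/PASV payload is rewritten through the NAT. Both the real and the
# listening port are passed, on the assumption the helper must see both.
modprobe nf_conntrack_ftp ports=${target_port},${listen_port}
modprobe nf_nat_ftp
# 1. Rewrite the destination: clients talk to us, packets go to the server.
iptables -t nat -A PREROUTING -i ${pub_if} -p tcp -d ${pub_ip} --dport ${listen_port} -j DNAT --to-destination ${target_ip}:${target_port}
# 2. Forward only what we explicitly allow; default-deny everything else.
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ${pub_if} -o ${pub_if} -p tcp -d ${target_ip} --dport ${target_port} -m state --state NEW -j ACCEPT
# 3. Rewrite the source too. With one NIC the server would otherwise reply
#    straight to the client's address via its own gateway, bypassing us, and
#    the client would see a reply from an IP it never connected to.
iptables -t nat -A POSTROUTING -o ${pub_if} -p tcp -d ${target_ip} --dport ${target_port} -j SNAT --to-source ${pub_ip}
EOF
}

# iptables_rule_count IF PUB_IP TARGET_IP LISTEN_PORT TARGET_PORT
# Number of iptables commands the generated set contains (for checking).
iptables_rule_count() {
    fwd_rules "$@" | grep -c '^iptables'
}

# has_rule PATTERN IF PUB_IP TARGET_IP LISTEN_PORT TARGET_PORT
# Succeeds when the generated set contains a line matching PATTERN.
has_rule() {
    pattern=$1; shift
    fwd_rules "$@" | grep -q -- "$pattern"
}

fwd_rules "$PUB_IF" "$PUB_IP" "$TARGET_IP" "$LISTEN_PORT" "$TARGET_PORT"
```

The SNAT step is the part that answers the "same network card" worry: once the zone-B server sees our address as the client, both directions of the control connection pass through the forwarding host, and the conntrack FTP helper can open the matching data connection as RELATED instead of needing a separate rule for port 20. The cost is that the FTP server's logs show every client as coming from the forwarding host, so any access control or logging you rely on has to live on the forwarder.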